This guide will help you configure WiFi tunneling.
WiFi tunneling lets employees at home join the office network through an access point (AP). They only need to connect to the SSID of the provided AP.
Important: The firewall has to support AP management and the APs have to support tunnel mode.
Please check the datasheets of the devices to make sure that they support the required features.
This document is aimed at home workers and companies. It provides the initial settings for the Security Gateway (at headquarters) and the Access Point (in the homes of individual home workers) so that home workers get the same work experience as in the office. No additional training and only minimal IT support are required.
Configuration of the Access Point
Assign the laptop a static IP address such as "192.168.1.X" (except 192.168.1.2) and a subnet mask of "255.255.255.0".
On a Windows operating system, this setting can be found under the following path:
Network Connections > Local Area Connection > Properties > IPv4 > Properties
Connect the laptop to the uplink port of the AP.
Enter the IP address 192.168.1.2 in the address bar of your web browser to access the web interface of the AP.
If you encounter this window, click Standalone Mode to proceed.
Use the default credentials (admin and 1234) to log in.
Click Cancel to exit the wizard.
Set the primary static AC IP to the WAN IP address of the security gateway.
This setting can be found under the following path:
Configuration > Network > AC Discovery > Manual
You can check the WAN IP of your gateway here:
Configuration > Network > Interface > Ethernet
If the WAN IP changes on a regular basis, set the primary static AC IP as an FQDN and ensure that the DDNS server is reachable.
As a final step, connect the uplink port of the AP to the home network to give it internet access.
Configuration of the Security Gateway
Set up two rules on the firewall to allow the CAPWAP connection ("CAPWAP data" and "CAPWAP control").
You can set up these rules under:
Configuration > Security Policy > Policy Rules
The rules should look like this:
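As an added example (not part of the original guide and not the gateway's own configuration syntax), the following Python sketch audits a rule list for the two CAPWAP allow rules and flags rules that open more than the single CAPWAP port. The rule dictionary format, the zone names "WAN" and "GATEWAY", and the sample rules are constructed assumptions; the port numbers are the registered CAPWAP ports from RFC 5415 (UDP 5246 for control, UDP 5247 for data). Rule order is not evaluated.

```python
# Added example: audit a rule list for the two CAPWAP allow rules.
# Rule format, zone names and sample data are constructed for illustration.
CAPWAP_PORTS = {"CAPWAP control": 5246, "CAPWAP data": 5247}  # UDP, per RFC 5415


def covers(rule, port):
    """True if an allow rule from WAN to the gateway itself admits UDP/<port>."""
    if rule["action"] != "allow" or rule["from"] != "WAN" or rule["to"] != "GATEWAY":
        return False
    if rule["proto"] not in ("udp", "any"):
        return False
    low, high = rule["ports"]
    return low <= port <= high


def audit(rules):
    """Return (missing, too_broad): CAPWAP services with no allow rule, and
    names of matching rules that open more than the single CAPWAP port."""
    missing, too_broad = [], []
    for service, port in CAPWAP_PORTS.items():
        matches = [r for r in rules if covers(r, port)]
        if not matches:
            missing.append(service)
        for r in matches:
            exact = r["proto"] == "udp" and r["ports"] == (port, port)
            if not exact and r["name"] not in too_broad:
                too_broad.append(r["name"])
    return missing, too_broad


# Constructed sample rule sets.
GOOD = [
    {"name": "capwap-ctrl", "action": "allow", "from": "WAN", "to": "GATEWAY",
     "proto": "udp", "ports": (5246, 5246)},
    {"name": "capwap-data", "action": "allow", "from": "WAN", "to": "GATEWAY",
     "proto": "udp", "ports": (5247, 5247)},
]
BROAD = [
    {"name": "wan-any", "action": "allow", "from": "WAN", "to": "GATEWAY",
     "proto": "any", "ports": (1, 65535)},
]
CONTROL_ONLY = GOOD[:1]

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("broad", BROAD), ("control only", CONTROL_ONLY)):
        print(label, audit(rules))
```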
If the WAN IP of the Security Gateway changes on a regular basis, please set up the DDNS server so that the fully qualified domain name can be resolved by the remote AP.
These settings can be configured under:
Configuration > Network > DDNS > Add
Add the AP to management under:
Monitor > Wireless > AP Information > AP List
Select the new Access Point and click "Add to Mgnt" to manage the AP via the security gateway.
Set the forwarding mode of the SSID to tunnel, with the corresponding settings for the VLAN interface.
You will find this setting in the SSID Profile:
Configuration > Object > AP Profile > SSID > SSID List
The tunnel mode requires a VLAN interface. It's not possible to use any other interface type.
An example of a VLAN interface:
Set the interface type to "internal" so that the Security Gateway creates the routing rules automatically.
- Make sure that the AP is in its default configuration before the initial setup. If this isn't the case, reset the AP to factory default by pushing the reset button for at least 7 seconds.
- When connecting the AP's uplink port to the home network to give it internet access, make sure that the AP can get an IP address and reach the internet. (The connected network should include an ISP modem or another device that provides a DHCP server function.)
- When the Security Gateway's WAN IP is a floating IP, make sure that the IP address is synchronized successfully on the DDNS server to avoid errors caused by the IP change.