VLAN for guest wifi on Zyxel USG router with Engenius access points

The goal here is to add a second SSID from the Engenius access point for guest internet access that does not have access to the network resources on the private wifi network. First of all I am using the Zyxel USG20 and an Engenius ECB600. Other similar hardware will be… similar. Here’s how to make this work.

Log into your access point. Add another SSID. Make sure you check the box for Station Separation. After adding it, go to the Management category and click on Management VLAN. Set your VID (VLAN ID) for your second SSID. I’d leave it as “2” and check the Isolation and Enable box. Click Accept at the bottom then click the Save/Reload link under status in the top left. This is all you’ll have to do on the access point.

Log into your router. Click Interface then click the VLAN tab. Click Add. Then set it up this way:
Interface Type: general
Interface Name: vlan2
Zone: LAN1 (This needs to match the zone that your access point is connected to.)
Base Port: lan1
VLAN ID: 2 (This needs to match the ID that you set in your access point)
Description: Make it descriptive!
IP Assignment: Use Fixed IP Address
IP Address: Choose something outside of your main subnet. I want my VLAN to use 192.168.10.x so I’ll set this to 192.168.10.1 (Make sure you select a range that is not in use by your router. Keep in mind that LAN2 may be assigned 192.168.2.x, and DMZ may be 192.168.3.x)
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1 (IP address of router. This may not be necessary.)
Under DHCP Setting:
DHCP: DHCP Server
IP Pool Start Address: 192.168.10.10 pool size 100 (or whatever you need it to be)
Set your DNS servers to something outside your network. Google DNS will work
Set default router to vlan2 IP
Save the settings

Next go to Object->Address and Add a new address. Call it something like VLAN_Subnet. Address type is INTERFACE SUBNET and Interface is vlan2.

Next, click on Network -> Routing. Add a Policy Route.
Description: VLAN
Incoming: Interface
Please select one member: vlan2
Next-hop:
Type: Trunk
Trunk: SYSTEM_DEFAULT_WAN_….
Click OK.

At this point your Guest SSID should be working. You will get IP addresses in the range specified in your VLAN interface. The only problem is that your guest network can see your main network. Block this using your Firewall.

Click Network -> Firewall
Click Add
From: Any
To: Any (Excluding Zywall)
Source: VLAN_Subnet
Destination: LAN1_SUBNET
ACCESS: deny

Add one more rule that blocks router administration:

Click Network -> Firewall
Click Add
From: Any
To: Zywall
Source: VLAN_Subnet
Destination: any
ACCESS: deny

If you have more than one subnet, you’ll need to create other rules that block access to that subnet too.

That’s it!

line
Powered by WordPress | Designed by Elegant Themes