Please note that this article is deprecated.
If possible, use the Remote AP Function: Secure WiFi
This guide will help you configure WiFi Tunneling.
It's a way for employees at home to be part of the office network with an AP. They only need to connect to the SSID of the provided AP.
Important: The firewall has to support AP management, and the APs have to support tunnel mode.
Please check the devices' datasheets to ensure they support the required features.
Topology
This document is aimed at home workers and companies. It provides the initial settings for the Security Gateway (at headquarters) and the Access Point (in the homes of individual home workers) to provide the same work experience as in the office. No additional training and only minimal IT support are required.
Configuration of the Access Point
Configuration of the Security Gateway
Configuration of the Access Point
Assign the laptop a static IP address such as "192.168.1.X" (except 192.168.1.2, which the AP itself uses) and a subnet mask of "255.255.255.0".
The configuration can be found under the following path on a Windows operating system:
Network Connections > Local Area Connection > Properties > IPv4 > Properties
Connect the laptop to the uplink port of the AP.
Enter the IP address 192.168.1.2 in the address bar of your web browser to access the AP's web interface.
If you encounter this window, click Standalone Mode to proceed.
Use the default credentials (admin and 1234) to get access.
Click Cancel to exit the wizard.
Set the primary static AC IP to the WAN IP address of the security gateway.
This setting can be found under the following path:
Configuration > Network > AC Discovery > Manual
You can check the WAN IP of your gateway here:
Configuration > Network > Interface > Ethernet
If the WAN IP changes regularly, set the primary static AC IP to an FQDN instead and ensure that the DDNS server is reachable.
As a final step, connect the AP's uplink port to the home network to grant internet access.
Configuration of the Security Gateway
Set up two firewall rules on the firewall to allow the CAPWAP connection ("CAPWAP data" & "CAPWAP control").
You can set up these rules under:
Configuration > Security Policy > Policy Rules
The rules should look like this:
If the WAN IP of the Security Gateway changes regularly, set up the DDNS server so that the remote AP can resolve the fully qualified domain name.
These settings can be configured under:
Configuration > Network > DDNS > Add
Add the AP to management under:
Monitor > Wireless > AP Information > AP List
Select the new Access Point and click "Add to Mgnt" to manage the AP via the security gateway.
Set the Forwarding mode of the SSID to tunnel with the corresponding settings for the VLAN interface.
You will find this setting in the SSID Profile:
Configuration > Object > AP Profile > SSID > SSID List
The tunnel mode requires a VLAN interface. It's not possible to use any other interface type.
An example of a VLAN interface:
Set the interface type to "internal" so that the Security Gateway creates the routing rules automatically.
Troubleshooting
- Ensure that the AP is in its default configuration before the initial setup. If this isn't the case, reset the AP to factory defaults by pushing the reset button for at least 7 seconds.
- When connecting the AP’s uplink port to the other Ethernet port to grant it internet access, ensure that the AP can obtain an IP address and reach the internet. (The connected network should include an ISP modem or another device supporting the “DHCP Server” function.)
- When using a floating IP as the Security Gateway’s WAN IP, ensure that the IP address is synchronized successfully on the DDNS server to avoid errors caused by the IP change.