Deploy a wireless network as a separate zone

You create a wireless network for guests that allocates IP addresses from a defined range. You want to prevent access by hosts that you know to be sources of malware.

Introduction

When you complete this unit, you'll know how to do the following:

  • Protect a designated wireless zone from threats and malware.
  • Create a guest wireless network for a zone and assign an address range to the network.
  • Prevent network access by specified hosts.
  • Create a DHCP server for the network so that hosts can receive an IP address and gateway.
  • Assign the network to an access point.

    Note

    If you assign the separate zone network to two access points, you must create a firewall rule with source and destination zones set to WiFi to allow traffic between the access points.

Create a firewall rule to allow traffic between devices within a separate zone

You need to create a firewall rule to allow traffic between devices within a separate zone. Add a rule allowing traffic with source and destination zones set to WiFi.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule then New firewall rule.
  3. Specify the following settings:

    • Source zone: WiFi
    • Source networks: Any
    • Destination zones: WiFi
    • Destination networks: Any
    • Services: Any
    • Action: Accept

Protect a wireless zone from threats and malware

  1. Go to Wireless > Wireless settings.
  2. Click the On/Off switch to turn wireless protection on.
  3. In the list of allowed zones, click Add new item, and select the check box for the zone your access points are connected to. For example, the LAN zone.
  4. Click Apply selected items.

    Select allowed zone.

The firewall scans traffic on the selected zone for threats and malware.

Create a list of hosts to be blocked

  1. Go to Hosts and services > MAC host and click Add.
  2. Specify the settings.

    Option: Description
    Name: Bad hosts
    Type: MAC list
    MAC address: 00:16:76:49:33:CE, 00-16-76-49-33-CE

Create a wireless network as a separate zone

  1. Go to Wireless > Wireless networks and click Add.
  2. Specify the settings.

    Option: Description
    Name: Guest
    SSID: Guest
    Security mode: WPA2 Personal
    Client traffic: Separate zone
    Zone: WiFi
    IP address: 192.0.2.1
    Netmask: /24 (255.255.255.0)
  3. Type a password and confirm.

  4. Click Advanced settings and specify the settings.

    Option: Description
    MAC filtering: Blacklist
    MAC list: Bad hosts

The firewall contains a defined wireless network and a corresponding virtual interface. When guests access the network, they are assigned an IP address from the range specified. Blocked devices cannot access the network.

Create a DHCP server

  1. Go to Network > DHCP.
  2. Under Server, click Add.
  3. Specify the settings.

    Option: Description
    Name: Guest DHCP
    Interface: Guest
    Start IP: 192.0.2.2
    End IP: 192.0.2.255
    Subnet mask: /24 (255.255.255.0)
    Domain name: guest.example.com
    Gateway: Use interface IP as gateway
    Default lease time: 1440
    Max lease time: 2880
    Conflict detection: Enable
    DNS server: Use the DNS settings of Sophos Firewall

Guests who access the guest network will now be allocated an IP address from the range specified.
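Before applying the MAC list and the DHCP server settings from the two procedures above, it is worth sanity-checking them. The following script is an added example and is not part of Sophos Firewall or its documentation; it normalizes the MAC list entries (the firewall accepts both the colon and the hyphen form shown above, so the two entries refer to the same device) and checks that the DHCP pool sits inside the interface subnet without handing out the network, gateway or broadcast address. The constants are the values from this unit.

```python
import ipaddress
import re

# Values from the procedure above (192.0.2.0/24 is a documentation range).
GUEST_IFACE = "192.0.2.1/24"
DHCP_START, DHCP_END = "192.0.2.2", "192.0.2.255"
BAD_HOSTS = ["00:16:76:49:33:CE", "00-16-76-49-33-CE"]


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or dotted forms and return the canonical
    lower-case colon form, so the same device is matched once."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dedupe_mac_list(macs):
    """Canonicalize a MAC list and drop duplicates, preserving order."""
    return list(dict.fromkeys(normalize_mac(m) for m in macs))


def check_dhcp_pool(iface_cidr: str, start: str, end: str) -> list:
    """Return findings (empty list = OK) for a DHCP pool on an interface:
    the pool must sit inside the interface subnet and must not hand out
    the network, gateway (interface) or broadcast address."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    findings = []
    if lo > hi:
        findings.append("start IP is after end IP")
    if lo not in net or hi not in net:
        findings.append(f"pool is not inside {net}")
    if lo <= iface.ip <= hi:
        findings.append(f"pool includes the gateway {iface.ip}")
    if lo <= net.network_address <= hi:
        findings.append(f"pool includes the network address {net.network_address}")
    if lo <= net.broadcast_address <= hi:
        findings.append(f"pool includes the broadcast address {net.broadcast_address}")
    return findings


if __name__ == "__main__":
    print(dedupe_mac_list(BAD_HOSTS))  # both forms collapse to one entry
    for finding in check_dhcp_pool(GUEST_IFACE, DHCP_START, DHCP_END) or ["pool OK"]:
        print(finding)
```

Run against the values above, the check reports that the pool ends on the broadcast address of 192.0.2.0/24; an end IP of 192.0.2.254 passes cleanly.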

Add a wireless network to an access point

  1. Go to Wireless > Access points, and click an active access point. If you don't have any active access points, follow the optional steps below.
  2. Select the zone in which your access points are connected.
  3. Approve the pending access point.
  4. Click the active access point.
  5. Select the country where the access point is located.
  6. In the wireless networks list, click Add new item and select the network you created (Guest).

The network is now deployed.