Deploy a wireless network as a separate zone
You create a wireless network for guests that allocates IP addresses from a defined range. You want to prevent access by hosts that you know to be sources of malware.
Introduction
When you complete this unit, you'll know how to do the following:
- Protect a designated wireless zone from threats and malware.
- Create a guest wireless network for a zone and assign an address range to the network.
- Prevent network access by specified hosts.
- Create a DHCP server for the network so that hosts can receive an IP address and gateway.
- Assign the network to an access point.
Note
If you assign the separate zone network to two access points, you must create a firewall rule with source and destination zones set to WiFi to allow traffic between the access points.
Create a firewall rule to allow traffic between devices within a separate zone
You need to create a firewall rule to allow traffic between devices within a separate zone. Add a rule allowing traffic with source and destination zones set to WiFi.
- Go to Rules and policies > Firewall rules.
- Click Add firewall rule then New firewall rule.
- Specify the following settings:
- Source zone: WiFi
- Source networks: Any
- Destination zones: WiFi
- Destination networks: Any
- Services: Any
- Action: Accept
Protect a wireless zone from threats and malware
- Go to Wireless > Wireless settings.
- Click the On/Off switch to turn wireless protection on.
- In the list of allowed zones, click Add new item, and select the check box for the zone your access points are connected to. For example, the LAN zone.
- Click Apply selected items.
The firewall scans traffic on the selected zone for threats and malware.
Create a list of hosts to be blocked
- Go to Hosts and services > MAC host and click Add.
- Specify the settings.

| Option | Description |
| --- | --- |
| Name | Bad hosts |
| Type | MAC list |
| MAC address | 00:16:76:49:33:CE, 00-16-76-49-33-CE |
Create a wireless network as a separate zone
- Go to Wireless > Wireless networks and click Add.
- Specify the settings.

| Option | Description |
| --- | --- |
| Name | Guest |
| SSID | Guest |
| Security mode | WPA2 Personal |
| Client traffic | Separate zone |
| Zone | WiFi |
| IP address | 192.0.2.1 |
| Netmask | /24 (255.255.255.0) |

- Type a password and confirm.
- Click Advanced settings and specify the settings.

| Option | Description |
| --- | --- |
| MAC filtering | Blacklist |
| MAC list | Bad hosts |
The firewall contains a defined wireless network and a corresponding virtual interface. When guests access the network, they are assigned an IP address from the range specified. Blocked devices cannot access the network.
Create a DHCP server
- Go to Network > DHCP.
- Under Server, click Add.
- Specify the settings.

| Option | Description |
| --- | --- |
| Name | Guest DHCP |
| Interface | Guest |
| Start IP | 192.0.2.2 |
| End IP | 192.0.2.255 |
| Subnet mask | /24 (255.255.255.0) |
| Domain name | guest.example.com |
| Gateway | Use interface IP as gateway |
| Default lease time | 1440 |
| Max lease time | 2880 |
| Conflict detection | Enable |
| DNS server | Use the DNS settings of Sophos Firewall |
Guests who access the guest network will now be allocated an IP address from the range specified.
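As an added example (not part of the Sophos documentation), the following Python checks two parts of the configuration above before it is entered: it normalises the Bad hosts MAC list so that both notations in the table match the same client, and it sanity-checks the guest DHCP scope against the guest network, flagging a scope that overlaps the interface address or ends on the subnet broadcast address (192.0.2.255 in a /24). The values are those from the tables above; the function names are my own.

```python
import ipaddress
import re

# Constructed from the page's tables: guest network, MAC blacklist, DHCP scope.
GUEST_NETWORK = "192.0.2.1/24"
GATEWAY_IP = "192.0.2.1"
DHCP_START = "192.0.2.2"
DHCP_END = "192.0.2.255"
BAD_HOSTS = ["00:16:76:49:33:CE", "00-16-76-49-33-CE"]

# Six hex octets, separated consistently by either ':' or '-'.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC written in colon or hyphen notation to lowercase colon form."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def is_blocked(client_mac: str, mac_list=BAD_HOSTS) -> bool:
    """True if the client's MAC matches a blacklist entry, whatever notation either side uses."""
    blocked = {normalize_mac(m) for m in mac_list}
    return normalize_mac(client_mac) in blocked


def check_dhcp_scope(network: str, gateway: str, start: str, end: str) -> list:
    """Return the problems found in a DHCP scope for a separate-zone guest network."""
    net = ipaddress.ip_network(network, strict=False)
    gw, lo, hi = (ipaddress.ip_address(a) for a in (gateway, start, end))
    problems = []
    if lo > hi:
        problems.append("start address is after end address")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"{label} address {addr} is outside {net}")
    if lo <= gw <= hi:
        problems.append(f"scope includes the interface/gateway address {gw}")
    if hi == net.broadcast_address:
        problems.append(f"scope includes the broadcast address {hi}")
    return problems
```

Run `check_dhcp_scope(GUEST_NETWORK, GATEWAY_IP, DHCP_START, DHCP_END)` to see the scope from the table flagged for ending on the broadcast address; ending the scope at 192.0.2.254 instead returns no problems.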
Add a wireless network to an access point
- Go to Wireless > Access points, and click an active access point. If you don't have any active access points, follow the optional steps below.
- Select the zone in which your access points are connected.
- Approve the pending access point.
- Click the active access point.
- Select the country where the access point is located.
- In the wireless networks list, click Add new item and select the requested network.
The network is now deployed.