The Z1 Teleworker Gateway and MX64W Security Appliance can simultaneously extend the corporate LAN into small home offices and provide secure Internet-only wireless access for in-home users. To isolate wireless guest or home traffic from the corporate LAN on the Z1 Teleworker Gateway and MX64W Security Appliance:
- Configure Guest/Corporate VLANs.
- Tag the SSIDs with the appropriate VLAN.
- Configure firewall rules to block interVLAN traffic.
Configure Guest/Corporate VLANs
Configure at least two VLANs on the Configure > Addressing & VLANs page under the VLANs section after it has been enabled.
Tag the SSIDs with the appropriate VLAN
- Enable and rename at least two SSIDs on Configure > Wireless settings.
- Select the VLAN ID that will be associated with each SSID from the VLAN assignment dropdown and save settings. Multiple VLANs cannot be assigned to the same SSID, but the same VLAN can be applied to multiple SSIDs.
Create firewall rules to block interVLAN traffic
- Go to Configure > Firewall and click on the Add a rule button under the Outbound rules section to create two blank firewall rules.
- The Policy should be set to "Deny", the Protocol should be "Any", the Source should be the subnet of one of the VLANs that has been created, each rule will have a different source and those sources will then swap to become the Destinations. Add a Comment if clarification of the rule is needed.
- Rules may be added to allow for the use of certain servers and services, such as a printer, to be used from the guest network by putting in allow rules above the deny with the specific IP of the endpoint in mind.
After all of this has been completed there will be at least two SSIDs, one of which grants access to the Internet alone while the other grants access to corporate servers and services. Complexity can be added to the firewall rules create exceptions for devices such as network printers or a DNS server.