====== Sonicwall: Virtual Access Points ======

This article summarizes a few sources on configuring Virtual Access Points for Public and Corporate use. It is by no means exhaustive, but after having to hit multiple resources to get the entire system working I felt the need to make my notes available to any who could benefit.

===== Configure VLAN =====

//First we need to create the VLAN that will be used to properly manage the Virtual Access Points.//

==== Create VLAN Zone ====

Navigate to: ''Network > Zones > Add''

=== General Tab ===

  * **Name:** VAP
  * **Security:** Wireless
  * **Allow Interface Trust:** yes

=== Wireless Tab ===

You shouldn't have to mess with anything here other than making sure the right SonicPoint profile is selected. You might have to return here to apply it later.

OK

==== Create LAN Sub-Interface ====

Navigate to: ''Network > Interfaces > Add''

Newer versions of SonicOS seem to have a dropdown with interface types rather than the button most tutorials mention. You want a new virtual interface.

=== Add Interface Window ===

  * **Zone:** Select your VAP from the dropdown menu.
  * **VLAN Tag:** Some number to identify this VLAN. It really doesn't matter what you choose here as we aren't running a lot of VLANs. Should probably be unique across locations.
  * **Parent Interface:** Your SonicPoint X# or W0 for built-in wireless.
  * **IP Address:** Should probably be unique across locations as it comes up with VPNs later.

Configure any other settings you feel appropriate.

OK

==== DHCP IP Ranges ====

Navigate to: ''Network > DHCP Server''

You will find a new Dynamic Range has been created for your VLAN. Edit the range for specific needs. You probably don't need to mess with anything here, but it is good to poke at it and know it is there.

===== Create Virtual Access Points =====

//Now you have created the VLAN side of things. Now we need to create the Virtual Access Points that will utilize the VLANs.//

==== Virtual Access Point Profile ====

//These profiles store the credentials you can apply to VAPs later. Build one for each type of VAP desired. Usually one that is open for public use and one that has security for corporate use.//

Navigate to: ''SonicPoints > Virtual Access Points''

Find: ''Virtual Access Point Profiles > Add''

=== VAP Profile Window ===

  * **Name:** Corporate or Guest. Something describing the security level ideally.
  * **Authentication Type:** Set the level of password security desired.
  * **Pass Phrase:** Set the WiFi password desired.

OK

==== Virtual Access Points ====

//Here is where you will build the ACTUAL virtual access points you will be using. Build one for each AP you need. Again, usually one open and one secure.//

Navigate to: ''SonicPoints > Virtual Access Points''

Find: ''Virtual Access Points > Add''

=== General Tab ===

  * **Name:** Describe the use of the VAP.
  * **SSID:** What users will actually see when connecting.
  * **VLAN ID:** Apply the desired VLAN tag you created before.

=== Advanced Tab ===

  * **Profile Name:** Select the VAP Profile desired from the ones built previously. It will apply the security settings defined in that profile.

OK

==== Virtual Access Point Group ====

//You will create a group of your VAPs that can be easily applied to multiple SonicPoints.//

Navigate to: ''SonicPoints > Virtual Access Points''

Find: ''Virtual Access Point Groups > Add Group''

=== VAP Group Window ===

  * **Name:** Name the group.
  * **Object Panes:** Select and add the Available VAP Objects (VAPs and other groups will appear here) that you want to be applied to any single SonicPoint in the group panes.

OK

==== SonicPoint Provisioning Profile ====

Navigate to: ''SonicPoint > SonicPoints''

Find: ''SonicPoint Provisioning Profiles''

Create or edit your provisioning profiles to use the VAP Group desired and sync your SonicPoints.

==== Firewall Rules ====

//You will need to define all rules for your new VLAN/VAPs. They will appear as a zone now in the Firewall section. Matrix view will make defining the needed rules easier.//

For our corporate VLAN/VAP you need to allow all traffic in both directions for LAN and VPN, and make sure it has access to WAN.

For Guest networks you might not have to change anything other than mess with WAN rules.

==== Remote Site Address Group for VPN ====

//Since there are now two ranges of IPs that the VPN will need to worry about, you need to create a group that contains both range values.//

//You will need to make an Address Group Object that includes your VLAN and LAN objects.//

=== Create Address Group ===

Navigate to: ''Firewall > Address Objects''

Find: ''Address Groups > Add''

  * Add the subnets for LAN and VLAN.

=== VPN Settings ===

Apply that object to the 'Choose Local Network' dropdown in the Network tab on the VPN profile settings.

==== Home Office Address Objects for VPN ====

//At the home office you will need to create address objects and a group that define the IP ranges of the LAN and VLAN at the remote site.//

=== Create Address Objects ===

Navigate to: ''Firewall > Address Objects''

Find: ''Address Objects > Add''

  * Create an IP Range Object for the remote site's LAN.
  * Create an IP Range Object for the remote site's VLAN.

=== Create Address Group ===

Navigate to: ''Firewall > Address Objects''

Find: ''Address Groups > Add''

  * Create an Address Group that contains the Address Objects you created for the remote site.

=== VPN Settings ===

  * Apply the remote site's Address Group to the 'Choose Destination Network' dropdown in the Remote Networks section on the site's VPN settings.

//If everything was done right, you should be able to connect to the Corporate VAP and be able to pass traffic through the VPN. Loading the Wiki is a good test.//

===== Sources =====

  * Covers the VLAN portion and some of the VAP creation: https://www.sonicwall.com/en-us/support/knowledge-base/170503869309058
  * Covers VAP creation specifically: https://www.sonicwall.com/en-us/support/knowledge-base/171009075632217
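
Added example, not part of the original notes or of the sources above: a small Python check of the address plan behind the VLAN and VPN steps. It flags subnets or VLAN tags that repeat across locations, and a VPN address group that omits the LAN or the VAP VLAN range. All site names, tags and subnets are constructed placeholders.

```python
"""Address-plan check for a two-site VAP + VPN layout (constructed sample data)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed plan: names, VLAN tags and subnets are placeholders, not values from the article.
SITES = {
    "home-office": {"lan": "192.168.10.0/24", "vap": "192.168.11.0/24", "vlan_tag": 11,
                    "vpn_group": ["192.168.10.0/24", "192.168.11.0/24"]},
    "remote-site": {"lan": "192.168.20.0/24", "vap": "192.168.21.0/24", "vlan_tag": 21,
                    "vpn_group": ["192.168.20.0/24"]},  # VAP VLAN left out on purpose
}


def check_plan(sites):
    """Return a list of human-readable problems found in the plan."""
    problems = []
    # 1. LAN and VAP subnets must not overlap anywhere, or traffic through
    #    the site-to-site VPN has no unambiguous destination.
    nets = [(f"{name}/{role}", ip_network(cfg[role]))
            for name, cfg in sites.items() for role in ("lan", "vap")]
    for (a_name, a), (b_name, b) in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"overlap: {a_name} {a} and {b_name} {b}")
    # 2. VLAN tags should be unique across locations.
    seen = {}
    for name, cfg in sites.items():
        tag = cfg["vlan_tag"]
        if tag in seen:
            problems.append(f"vlan tag {tag} reused: {seen[tag]} and {name}")
        seen.setdefault(tag, name)
    # 3. The address group handed to the VPN must cover both the LAN and the VAP VLAN.
    for name, cfg in sites.items():
        group = [ip_network(n) for n in cfg["vpn_group"]]
        for role in ("lan", "vap"):
            net = ip_network(cfg[role])
            if not any(net.subnet_of(g) for g in group):
                problems.append(f"{name}: {role} {net} missing from VPN address group")
    return problems


if __name__ == "__main__":
    for problem in check_plan(SITES):
        print(problem)
```

With the sample plan the only finding is the remote site's VAP range missing from its VPN address group, which is the case where clients on the Corporate VAP connect but cannot pass traffic through the tunnel.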