Sonicwall: Virtual Access Points

This article summarizes a few sources on configuring Virtual Access Points for Public and Corporate use. It is by no means exhaustive but after having to hit multiple resources to get the entire system working I felt the need to make my note available to any who could benefit.

First we need to create the VLAN that will be used to properly manage the Virtual Access Points.

Navigate to:

Network > Zones > Add

• Name: <Location>VAP
• Security: Wireless
• Allow Interface Trust: yes

You shouldn't have to mess with anything here other than make sure the right Sonicpoint profile is selected. Might have to return here to apply later. OK

Navigate to:

Network > Interfaces > Add

Newer version of SonicOS seem to have a dropdown with interface types rather than the button most tutorials say. You want a new virtual interface.

• Zone: Select your <Location>VAP from dropdown menu
• VLAN Tag: Some Number to identify this VLAN. Really doesn't matter what you choose here as we aren't running a lot of VLANS. Should probably be unique across locations.
• Parent Interface: Your Sonicpoint X# or W0 for buil-in wireless.
• IP Address: Should probably be unique across locations as it comes up with VPNs later.

Configure any other settings you feel appropriate.

OK

Navigate to:

Network > DHCP Server

You will find a new Dynamic Range has been created for your VLAN

Edit the range for specific needs. Probably don't need to mess with anything here, but it is good to poke at it and know it is there.

Now you have created the VLAN side of things. Now we need to create the Virtual Access Points that will utilize the VLANs

These profiles store the credentials you can apply to VAPs later. Build one for each type of VAP desired. Usually one that is open for public use and one that has security for corporate use.

Navigate to:

SonicPoints > Virtual Access Points

Find:

Virtual Access Point Profiles > Add

• Name: Corperate or Guest. Something describing the security level ideally.
• Authentication Type: Set the level of password security desired
• Pass Phrase: Set the WiFi password desired.

OK

Here is where you will build the ACTUAL virtual access points you will be using. Build one for each AP you need. Again usually one open and one secure.

Navigate to:

SonicPoints > Virtual Access Points

Find:

Virtual Access Points > Add

• Name: Describe the use of the VAP
• SSID: What users will actally see when connecting
• VLAN ID: Apply the desired VLAN tag you created before

• Profile Name: Select the VAP Profile desired from the ones built previously. It will apply the security settings defined in that profile.

OK

You will create a group of your VAPs that can be easily applied to multiple SonicPoints.

Navigate to:

SonicPoints > Virtual Access Points

Find:

Virtual Access Point Groups > Add Group

• Name: Name the group
• Object Panes: Select and add the Available VAP Objects (VAPs and other groups will appear here) that you want to be applied to any single SonicPoint in the group panes.

OK

Navigate to:

SonicPoint > SonicPoints

Find:

SonicPoint Provisioning Profiles

Create or edit your provisioning profiles to use the VAP Group desired and sync your SonicPoints.

You will need to define all rules for your new VLAN/VAPs. They will appear as a zone now in the Firewall section. Matrix view will make defining the needed rules easier.

For our corperate VLAN/VAP you need to allow all traffic in both directions for LAN and VPN. And make sure it has access to WAN.

For Guest networks you might not have to change anything other than mess with WAN rules.

Since there are now two ranges or IPs that the VPN will need to worry about, you need to crate a group that contains both range values.

You will need to make an Address Group Object that includes your VLAN and LAN objects.

Navigate to:

Firewall > Address Objects

Find:

Address Groups > Add

• Add the subnets for LAN and VLAN.

Apply that object to the 'Choose Local Network' dropdown in the Network tab on the VPN profile settings.

At the home office you will need to create address objects and group that define the IP ranges of the LAN and VLAN at the remote site.

Navigate to:

Firewall > Address Objects Find:

Address Objects > Add

• Create an IP Range Object for the remote site's LAN
• Create an IP Range OBject for the remote site's VLAN

Navigate to:

Firewall > Address Objects

Find:

Address Groups > Add

• Crate an Address Group that contains the Address Objects you created for the remote site.

• Apply the remote site's Address Group to the 'Choose Destination Network' dropdown in Remote Networks section on the site's VPN settings.

If everything was done right, you should be able to connect to the Corperate VAP and be able to pass traffic through the VPN. Loading the Wiki is a good test.

Covers the VLAN portion and some of the VAP creation https://www.sonicwall.com/en-us/support/knowledge-base/170503869309058 Covers VAP creation specifically https://www.sonicwall.com/en-us/support/knowledge-base/171009075632217