I configured a layer-2 only VLAN and NATed it out our firewall - it's
a second SSID on the WAPs. Traffic on this VLAN also is picked up by
our Barracuda web filter, as it's placed between our firewall and our
L3 switch. I stuck a tiny little FreeBSD box on the VLAN to provide
DHCP, and pointed the DNS settings to 8.8.8.8.
Works great.
Kurt
On Mon, Oct 31, 2011 at 18:54, Seth Fogie <seth (at) fogieonline (dot) com> wrote:
> I have a security related infrastructure question:
>
> Proposal: Provide guest access to anyone at all remote sites.
> Reasoning: Guests need to have a distraction for long wait times
> (non-negotiable).
>
> Solutions:
> 1. Create a Guest SSID and tag it with the external VLAN and then tunnel
> the traffic back over the site-to-site VPN via the broadband modem and route
> this traffic to an external connection over the same link that provides
> internal VLAN traffic.
> 2. Build a separate infrastructure for wireless Guest traffic and purchase a
> dedicated internet connection for all guest traffic per site.
> 3. ????
>
> Help?
> Thanks!!!
>