CHAPTER 30: Managing Wireless Guest Accounts

The example above describes a moderately complex network configuration where the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless offers both WiFiSec and WGS access via a default route on LAN. As the blue (WiFiSec) and green (WGS) traffic lines indicate, the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless allows WGS access only to the Internet, while allowing WiFiSec access to the Internet, the LAN, and a remote network connected via a LAN router. The SonicWALL PRO 2040 in the above example requires static routes to the 10.1.1.x (adjacent) network via 192.168.168.252, and to the 172.16.31.x (for WGS) network via 192.168.168.168.

Prior to SonicOS 1.5.0.0, Wireless Guest Services were only available in default route on WAN configurations. This scheme provided an automatic differentiation of destinations for WGS traffic. In other words, WGS traffic bound for the WAN was permitted, but WGS traffic attempting to reach the LAN (local traffic), to cross the LAN (to reach an adjacent network connected via a router) or to cross a VPN tunnel was dropped.

When the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless is configured to provide both Secure Access Point and WGS services via a default route on LAN, all traffic exits the LAN interface, eliminating any means of automatically classifying “WGS permissible” traffic. To address this ambiguity, any traffic sourced from a WGS client attempting to reach the default gateway (in our above example, 192.168.168.254) is allowed, but any traffic attempting to traverse a VPN, or reach a LAN resource (for example, 192.168.168.100) is dropped. Finally, to safeguard adjacent networks attached via a router, a WGS IP Address Deny List has been added to the WGS > Settings page.
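The following added example models the decision described above to show why the deny list is needed; it is not SonicOS code. The /24 prefix lengths, the VPN network, the sample Internet address, and all function names are assumptions made for illustration.

```python
import ipaddress

# Addresses from the manual's example; /24 masks are assumed from the "x" notation.
LAN_SUBNET = ipaddress.ip_network("192.168.168.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.168.254")
ADJACENT_NET = ipaddress.ip_network("10.1.1.0/24")  # reached via the LAN router
# Constructed for illustration: a remote network reached through a VPN tunnel.
VPN_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]


def classify_wgs(dst, deny_list):
    """Return (verdict, reason) for a packet sourced from a WGS client
    when the default route is on LAN."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in VPN_NETWORKS):
        return ("drop", "VPN destination")
    if ip == DEFAULT_GATEWAY:
        return ("allow", "default gateway")
    if ip in LAN_SUBNET:
        return ("drop", "LAN resource")
    if any(ip in net for net in deny_list):
        return ("drop", "WGS IP Address Deny List")
    # Everything else leaves via the default gateway. From this device's
    # point of view an adjacent routed network looks the same as the Internet.
    return ("allow", "forwarded to default gateway")


def compare(destinations):
    """Verdicts for each destination without and with the deny list populated."""
    return {
        dst: (classify_wgs(dst, [])[0], classify_wgs(dst, [ADJACENT_NET])[0])
        for dst in destinations
    }


if __name__ == "__main__":
    # Constructed sample destinations; 203.0.113.10 stands in for an Internet host.
    samples = ["203.0.113.10", "192.168.168.100", "10.1.1.20", "10.50.0.7"]
    for dst, (before, after) in compare(samples).items():
        print(f"{dst:16} empty deny list: {before:5}  with 10.1.1.0/24: {after}")
```

With an empty deny list, only the 10.1.1.x destination changes verdict once the adjacent network is added, which is the gap the WGS IP Address Deny List closes.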


SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE
