Wireless/Settings

Wireless > Settings

The Wireless > Settings page allows you to configure your wireless settings.

On the Wireless>Settings page, you can enable or disable the WLAN port by selecting or clearing the Enable WLAN checkbox.

Wireless Radio Mode

Select either Access Point to configure the SonicWALL as the default gateway on your network or select Wireless Bridge from the Radio Role menu to configure the SonicWALL to act as an intermediary wireless device.

Note: WPA support is only available in Access Point Mode. WPA support is not available in Wireless Bridge Mode.

Wireless Settings

Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the administrative interface to have this setting take effect.

Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page. The default choices are:

Always on
M-T-W-TH-F 08:00-17:00
M-T-W-TH-F 00:00-08:00
M-T-W-TH-F 17:00-24:00
SA-SU 00:00-24:00
SA-SU 00:00-24:00

SSID: The default value, sonicwall, for the SSID can be changed to any alphanumeric value with a maximum of 32 characters.

Radio Mode: Select your preferred radio mode from the Radio Mode menu. The TZ 170 Wireless supports the following modes:

2.4GHz 802.11b/g Mixed - Supports 802.11b and 802.11g clients simultaneously. If your wireless network comprises both types of clients, select this mode.
802.11g Only - If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
802.11b Only - Select this mode if only 802.11b clients access your wireless network.

Regulatory: Specifies the regulatory domain--the country whose radio broadcasting rules the security appliance must obey. FCC - North America is displayed as the Regulatory Domain. This field is determined by the ROM code, and cannot be changed by the user.

Country Code: Specifies the country whose radio broadcasting rules the security appliance must obey.

Channel: Select the channel for transmitting the wireless signal from the Channel menu. An AutoChannel setting allows the TZ 170 Wireless to automatically detect and set the optimal channel for wireless operation based upon signal strength and integrity. AutoChannel is the default channel setting, and it displays the selected channel of operation to the right. Alternatively, an operating channel within the range of your regulatory domain can be explicitly defined.

Secure Wireless Bridging

Wireless Bridging is a feature that allows two or more physically separated networks to be joined over a wireless connection. The TZ 170 Wireless provides this capability by shifting the radio mode at remote networks from Access Point mode to Wireless Bridge mode. Operating in Wireless Bridge mode, the TZ 170 Wireless connects to another TZ 170 Wireless acting as an access point, and allows communications between the connected networks via the wireless bridge.

Secure Wireless Bridging employs a WiFiSec VPN policy, providing security to all communications between the wireless networks. Previous bridging solutions offered no encryption, or at best, WEP encryption.

Configuring a Secure Wireless Bridge

When switching from Access Point mode to Wireless Bridge mode, all clients are disconnected, and the navigation panel on the left changes to reflect the new mode of operation.

To configure a secure wireless bridge, follow these steps:

Click Wireless, then Settings.
In the Wireless Radio Mode section, select Wireless Bridge from the Radio Role menu. The TZ 170 Wireless updates the interface. The left-navigation menu changes to reflect the choices that apply to configuring a secure wireless bridge.
In the left-navigation menu, click Status under Wireless. Any available access point is displayed at the bottom of the Status page. Click the Connect icon to establish a wireless bridge to another TZ 170 Wireless.
In the left-navigation menu, click Settings under Wireless. Configure the WLAN settings for the wireless connection as follows:
Configure the SSID on all TZ 170 Wireless to the SSID of the Access Point.
Configure the WLAN for all TZ 170 Wireless must be on the same subnet.
LAN IP address for all TZ 170 Wireless must be on different subnets.

For example, in the previous network diagram, the TZ 170 Wireless are configured as follows:

SSID on all three TZ 170 Wireless are set to "myWLAN".
WLAN addressing for all the TZ 170 Wireless's connected via Wireless Bridge must place the WLAN interfaces on the same subnet: 172.16.31.1 for TZ 170 Wireless1, 172.16.31.2 for TZ 170 Wireless2, and 172.16.31.3 for TZ 170 Wireless3.
TZ 170 Wireless4 must have a different subnet on the WLAN, such as 172.16.32.X/24.
LAN addressing for all TZ 170 Wireless connected via Wireless Bridge must place the LAN interfaces on different subnets: 10.10.10.x/24 for TZ 170 Wireless1, 10.20.20.x/24 for TZ 170 Wireless2, and 10.30.30.x/24 for TZ 170 Wireless3.
LAN addressing for TZ 170 Wireless4 must be the same as TZ 170 Wireless3.
To facilitate Virtual Adapter addressing, the TZ 170 Wireless4 can be set to forward DHCP requests to TZ 170 Wireless3.
When a TZ 170 Wireless is in Wireless Bridge mode, the channel cannot be configured. TZ 170 Wireless2 and TZ 170 Wireless3 operate on the channel of the connecting Access Point TZ 170 Wireless. For example, TZ 170 Wireless1 is on channel 1.
A Bridge Mode TZ 170 Wireless cannot simultaneously support wireless client connections. Access Point services at Remote Site B are provided by a second TZ 170 Wireless (4). The channel of operation is set 5 apart from the channel inherited by the TZ 170 Wireless3. For example, Access Point TZ 170 Wireless1 is set to channel 1, then Bridge Mode TZ 170 Wireless3 inherits channel 1. Access Point TZ 170 Wireless4 should be set to channel 6.

Network Settings for the Example Network

Device	Mode	SSID	Channel	LAN IP Address	WLAN IP Address
TZ 170 Wireless1	Access Point	myWLAN	1	10.10.10.254/24	172.16.31.1/24
TZ 170 Wireless2	Wireless Bridge	myWLAN	1 (auto)	10.20.20.254/24	172.16.31.2/24
TZ 170 Wireless3	Wireless Bridge	myWLAN	1 (auto)	10.30.30.254/24	172.16.31.3/24
TZ 170 Wireless4	Access Point	otherWLAN	6	10.30.30.253/24	172.16.31.1/24

Wireless Bridging (without WiFiSec)

To provide compatibility with other non-WiFiSec wireless access points, the TZ 170 Wireless supports a non-secure form of wireless bridging, but insecure wireless communications should only be employed when data is non-sensitive. By default, WiFiSec Enforcement is enabled on Wireless Settings for Wireless Bridge Mode. To connect to a non-WiFiSec access point, this checkbox must be disabled. Since VPN tunnels are not established in non-secure Wireless Bridging deployments, traffic routes must be clearly defined for both the Access Point and the Bridge Mode sites:

The default route on the Bridge Mode TZ 170 Wireless must from the WLAN interface to the WLAN interface of the connecting Access Point TZ 170 Wireless.

- Referring to the example above, the default route on TZ 170 Wireless2 and TZ 170 Wireless3 is set via their WLAN interfaces to 172.16.31.1.

Static routes must be entered on the Access Point TZ 170 Wireless to route back to the LAN subnets of the Bridge Mode TZ 170 Wireless.

- Referring to the example network, TZ 170 Wireless1 must have static routes to 10.20.20.x/24 via 172.16.31.2 and to 10.30.30.x/24 via 172.16.31.3

Configuring VPN Policies for the Access Point and Wireless Bridge

Access Point

After Wireless Settings are defined, the WiFiSec connections (VPN Policies) must be configured. The VPN Policies are defined as would any other site-to-site VPN policy, typically with the following in mind:

The Access Point TZ 170 Wireless must specify the destination networks of the remote sites.
The Access Point TZ 170 Wireless must specify its LAN management IP address as the Default LAN Gateway under the Advanced tab.
The Wireless Bridge Mode TZ 170 Wireless must be configured to use the tunnel as the default route for all internet traffic.

Referring to the example network, the Access Point TZ 170 Wireless has the following two VPN Policies defined:

One policy to the Site_A address object at 10.20.20.0:
One policy to the Site_B address object at 10.30.30.0:

Configuration for VPN Policies

Click Network.
Under Local Networks, select Choose local network from list and select LAN Interface IP.
Under Destination Networks, select Choose destination network from list and select or create an address object for the destination (Site_A - 10.20.20.0 or Site_B - 10.30.30.0 in the example).





Click Advanced.
Select Enable Keep Alive.
Select Enable Windows Networking (NetBIOS) Broadcast.
Click OK to close the window, and then click Apply for the settings to take effect on the SonicWALL.

Wireless Bridge VPN Policy

The Wireless Bridge VPN Policy is configured as follows:

Click VPN, then Configure.
Select IKE using Preshared Secret from the IPsec Keying Mode menu.
Enter a name for the SA in the Name field.
Type the IP address of the Access Point in the IPsec Gateway field. In our example network, the IP address is 172.16.31.1.
Select Use this VPN Tunnel as default route for all Internet traffic from the Destination Networks section.

Click OK to close the window, and then click Apply for the settings to take effect on the security appliance.

SonicWALL, Inc. http://www.sonicwall.com 1160 Bordeaux Drive Sunnyvale, CA 94089-1209