Just got my first Ruckus access point, a ZF7372, and would like to set up private WiFi for family and public WiFi for guests.
I have a Dell PowerEdge 2950 (dual Xeon 5160 3GHz, 8GB) running pfSense firewall with 6 x gigabit NICs, and a Cisco Catalyst 3560 switch.
Any suggestions on how to accomplish this? What are best practices for connecting the ZF7372 to the network and separating the public/private WiFis? I'm assuming VLANs set up in the switch, in the access point/SSIDs, and in pfSense? Kind of new to all this, eager to learn.
Current setup is cable modem > pfSense WAN > switch > ZF7372. The switch is set up with all ports on VLAN 1 (default).
Does the standalone AP get trunked to the switch? Does the pfSense router get trunked to the switch?
Patrick, congratulations on your Ruckus AP. The configuration is actually pretty straightforward and simple. In your pfSense create two virtual interfaces for VLANs. IP them accordingly and make one your guest and one private. Pass those VLANs onto the switch. The port configured for the AP, make that a trunk port. Pass the native VLAN and make that the VLAN that will give the AP its IP address; this may be the private network VLAN if you want to make your life easier. Then allow both the VLANs for guest and for private, plus the native one if different, to pass on this trunk port.
That's it, your infrastructure is built. Now you can move on to configure the AP, that's pretty straightforward. When it gets to the point of assigning a VLAN to the WLAN area, select the VLANs you created for guest and private and apply them to their corresponding WLANs.
Don't forget to secure your private network by preventing access to it from the guest network, and to create your DHCP pools for each subnet on the pfSense.
Dionis, thanks for the reply, it has indeed helped.
I have a few more questions before I commit. In the GUI of the AP under ports, port 2 goes to the switch, and per your instructions I will set the switchport on the Cisco to trunk, allowing the native VLAN and the two WiFi public/private VLANs.
Should I change port 2 on the 7372 to trunk, I assume, to match the trunk setting on the switch?
Ok, first, only change client fingerprinting if you want to have clients' OS identified and such; no change for DHCP option 82 and 802.1x, but do change the VLAN to the one that corresponds to that network.
Don't change the physical port on the AP and leave it as default. By adding the VLAN to the WLAN you are already doing this.
No changes to zone director area. Untagged means it won't be passed forward, it stays there as access only (in the simplest way I can explain it).
Management changes could include the port to access the AP and secured or unsecured access and things like that. Also user and password to manage the AP. In your case, no SNMP or any of that.
Management VLAN: 1, IPv4 Type: DHCP, IPv4 DNS Mode: Auto
IPv6 Type: Auto Config
In Configuration :: Radio 2.4G :: wifi
SSID: wifi, Packet Forward: Bridge to WAN, Access VLAN: 1
In Configuration :: Radio 2.4G :: wifi-pub
SSID: wifi-pub, Packet Forward: Bridge to WAN, Access VLAN: 20
In the switch I have only configured the port that the AP connects to as TRUNK and added VLAN 20 named wifipub. On the AP I have left the default port as ACCESS.
Connecting to the wifi-pub SSID gets IP address 192.168.20.101 and can access both the pfSense webui and the Ruckus AP webui from here, but no Internet. (LOL, this is the reverse of what I would like to accomplish XD) I thought having these on different VLANs would do this. When I go to 192.168.20.1 it now takes me to the pfSense login page =(
Connecting to SSID wifi - can connect to both the local network and the Internet.
I have not made any firewall rules.
Also, I know this is a layer 3 switch, how can I make sure that pfSense handles the routing?
Do I need to change anything in the Local Subnets category in the AP webui config? Currently they are disabled.
Thank you for your help, please let me know if I can provide more information to find a solution.
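
The switch side of the setup discussed in this thread, as an added example that is not part of any post: a Catalyst 3560 configuration with trunk ports toward pfSense and toward the AP, and the switch kept at layer 2. The interface numbers are assumptions; VLAN 1 and VLAN 20 (wifipub) are the values quoted in the thread.

```cisco
! Added example; GigabitEthernet0/1 and 0/2 are assumed port numbers.
!
! Keep the switch at layer 2. With IP routing off and no IP address on a
! VLAN 20 interface, guest traffic can only leave its VLAN through pfSense,
! so the pfSense firewall rules decide what guests may reach.
no ip routing
!
vlan 20
 name wifipub
!
! Uplink to the pfSense NIC that carries the VLAN interfaces.
! VLAN 1 is untagged (native); VLAN 20 is tagged.
interface GigabitEthernet0/1
 description pfSense LAN uplink (assumed port)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport mode trunk
!
! Port facing the ZF7372. The AP's own management IP comes from the
! native VLAN; the wifi-pub SSID tags its client traffic with VLAN 20.
interface GigabitEthernet0/2
 description Ruckus ZF7372 (assumed port)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport mode trunk
!
! Checks from privileged EXEC mode:
!   show interfaces trunk   -> both ports trunking, VLANs 1,20 allowed
!   show vlan brief         -> VLAN 20 "wifipub" is active
!   show ip interface brief -> no IP address assigned to a Vlan20 interface
```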