This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

standalone zoneflex 7372 - private / public wifi - pfsense firewall - cisco catyalst 3560 switch

patrick_perotti
New Contributor II

‎07-29-2016 10:13 PM

just got my first ruckus access point ZF7372, would like to set up private wifi for family, and public wifi for guests. 

    have Dell Poweredge 2950 Dual Xeon 5160 3GHz 8GB running pfSense Firewall 
with 6 x gigabit NICs and cisco catyalst 3560 switch. 

any suggestions how to accomplish this?  what is best practices on connecting the ZF7372 to the network and separating the public/private wifis,   im assuming vlans set up in the switch, in the access point/ssids, and pfsense? kind of new to all this, eager to learn. 

current setup is  cable modem>pfsense wan>switch>ZF7372 
switch  is setup all ports vlan 1 default

does the standalone ap get trunked to the switch?
does the pfsense router get trunked to the switch?
7 REPLIES 7

dionis_taveras
Contributor II

‎07-30-2016 12:02 AM

Patrick, congratulations on your Ruckus AP. The configuration is actually pretty straight forward amd simple. In your pfsense create two virtual interfaces for vlans. IP them accordingly and make one your guest and one private. Pass those VLANs onto the switch. The port configured for the AP, make that a trunk port. Pass the native VLAN and make that the VLAN that will give the AP it's IP address, this may be the private network VLAN if you want to make your life easier. Then allow both, the VLANs for guest and for private on this port plus the native one if different to pss on this trunk port.

That's it, your infrastructure is built. Now, you can move on to configure the AP, that's pretty straight forward. When it gets to the point of assigning a VLAN to the WLAN area, select the VLAN you created for guess and private and apply them to it's corresponding WLAN.

Don't forget to secure your private network by preventing access to it from the guess network and to create your dhcp pools for each subnet on the pfsense.

Hope this helps.

patrick_perotti
New Contributor II
In response to dionis_taveras

‎07-30-2016 09:45 AM

Dionis, thanks for the reply it has indeed helped.

      have a few more questions before i commit.
in the gui of the ap under ports
port 2 goes to the switch, and per your instructions i will set the switchport on the cisco to trunk, allowing the native vlan and the two wifi public/private vlans

 should i change the port 2 on the 7372 to trunk i assume to match the trunk setting on the switch?

should i change;
                          
   Packet Forward
   802.1X
   VLAN   
   Insert DHCP Option 82
   Client Fingerprinting

would you please explain;  UNTAG ID, and members for the above VLAN setting.

is it best practice to put all my devices on the same management VLAN? and add the mgt vlan to the trunk?
ie. - pfsense router firewall/cisco switch/wireless AP

also do any changes need to be made in>
Administration :: Management

Controller Discovery Agent (LWAPP)
Cloud Discovery Agent (FQDN)
Controller Address
  
TR069 / SNMP Management Choice

as I have no zone director?



thank you
                -+>Patrick
0 Kudos

dionis_taveras
Contributor II
In response to dionis_taveras

‎07-31-2016 10:11 AM

Ok, first, only change client fingerprinting, if you want to have clients OS identified and such, no change for dhcp option 82 and 802.1x but do change the VLAN to the ine that correspond to that network.

Don't change the physical port on the AP and leave it as default. By adding the VLAN to the WLAN you are already doing this.

No changes to zone director area. Untagged means it won't be passed forward, it stays there as access only (in the simplest way I can explain it).

Management changes could include the port to access the AP and secured or unsecured access and things like that. Also user and password to manage the AP. In your case, no SNMP or any of that.

patrick_perotti
New Contributor II
In response to dionis_taveras

‎07-31-2016 01:12 PM

Current setup;

   Cable modem to WAN interface of PFSENSE box set to dchp from comcast
   PFSENSE LAN interface set to static address 192.168.1.9 to port 0/1 on cisco caytalyst 3560 switch

   Ruckus ZF7372 Port 2 set Trunk Port, Bridge to WAN, UNTAG ID 1
to port 0/2 of switch.

interface FastEthernet0/1                                          
 switchport trunk encapsulation dot1q                              
 switchport trunk allowed vlan 1-99                                
 switchport mode trunk                                             
!                                                                  
interface FastEthernet0/2                                          
 switchport trunk encapsulation dot1q                              
 switchport trunk allowed vlan 1-99                                
 switchport mode trunk


  in pfsense i have created two virtual interfaces; wifi, and wifipub
 WIFI     VLAN1 on lan interface    100baseTX     192.168.10.1
WIFIPUB VLAN20 on lan interface    100baseTX     192.168.20.1

Enabled DHCP server on WIFI interface

Subnet
192.168.10.0
Subnet mask
255.255.255.0
Available range
192.168.10.1 - 192.168.10.254

Enabled DHCP server on WIFIPUB interface

Subnet
192.168.20.0
Subnet mask
255.255.255.0
Available range
192.168.20.1 - 192.168.20.254

in Ruckus ZF7372 AP webui

Status :: Internet

IPv4 Status:      
Connection Type:     dhcp
IPv4 Address:             192.168.1.141
IPv4 Subnet Mask:     255.255.255.0
IPv4 Gateway:             192.168.1.9
Primary DNS Server:     192.168.1.9
IPv6 Status:      
Connection Type:     autoconfig

Question: should I set the AP to a static IP?

in Configuration :: Internet

Management VLAN 1
IPV4 Type     DHCP
IPV4 DNS Mode Auto

IPv6 Type     Auto Config

in Configuration :: Radio 2.4G :: wifi

ssid wifi
packet forward  Bridge to WAN
access VLAN 1

in Configuration :: Radio 2.4G :: wifi-pub

ssid wifi-pub
packet forward Bridge to WAN
access VLAN 20

in the switch i have only configured the port that the AP connects to as TRUNK
and added VLAN 20 named wifipub
on the AP i have left the default port as ACCESS

connecting to wifi-pub ssid , gets ip address 192.168.20.101 can access both the pfsense webui and the ruckus ap webui from here, but no Internet.
( LOL, this is the reverse of what i would like to accomplish XD )
I thought having these on different vlans would do this
when i goto 192.168.20.1 it now takes me to the pfsense login page =(


connecting to ssid wifi    - can connect to both the local network and the internet

I have not made any firewall rules

also i know this is a layer 3 switch, how can I make sure that pfsense handles the routing?

do i need to change anything in the Local Subnets category in the AP webui config? currently they are disabled

thank you for your help, please let me know if i can provide more information to find a solution.

               -+>Patrick
0 Kudos
Copyright © 2024 Khoros, LLC