====== Wireless Tutorial ======

This tutorial shows how to configure an example scenario with three wireless access points:

  * one public access point
  * one VoIP access point allowing access only to a VoIP server on the LAN
  * one private access point allowing access to your entire LAN

Because the Internet Gate can run up to three different access points on the same unit, you can tailor each access point to a different need.

===== Public access point =====

On the [[web_gui:wireless_page|Wireless Settings page]]:

  * enable "Wireless enabled" (starts the wireless transmitter)
  * set "Wireless Mode" to "802.11G only" (for best performance)
  * set "Network Name (SSID)" to "Surfzone" (or suitable)
  * leave "Security" as "Disabled"
  * click "Apply"

On the [[web_gui:network_page|Network Configuration page]]:

  * change AIR from "inside" to "isolated"
  * click "Apply"

The "isolated" setting ensures that clients connected to AIR can access only the Internet and none of your local LAN computers. Thus you can provide free wireless Internet access to guests without compromising your LAN security.

===== VoIP access =====

(Or any other solution where you want to allow users to connect to the Internet and to only one of your local servers, but not to your entire LAN.)

On the [[web_gui:wireless_page|Wireless Settings page]]:

  * select "AIR2"
  * enable "Enabled"
  * set "Network Name (SSID)" to "VoIP" (or suitable)
  * select "Security": "WPA-PSK" (or suitable)
  * enter a suitable "WPA(2)-PSK Passphrase"
  * click "Apply"

On the [[web_gui:security_profile|Security Profile page]]:

  * at "Additional rules" enter:

| AIR2 | incoming user | pre | (daddr == 192.168.0.0/24) and (daddr != 192.168.0.10) deny |

(Provided 192.168.0.10 is the address of the LAN server you want to allow access to.)

This firewall rule ensures that only 192.168.0.10 is accessible on your LAN for AIR2 clients; the rest of your LAN is still protected.
===== Private access point =====

On the [[web_gui:wireless_page|Wireless Settings page]]:

  * select "AIR3"
  * enable "Enabled"
  * set "Network Name (SSID)" to "Private" (or suitable)
  * select "Security": "WPA2-PSK"
  * enter a suitable "WPA(2)-PSK Passphrase"
  * click "Apply"

Users connecting to this access point will have uninhibited access to all your LAN computers. Therefore WPA2 encryption is highly recommended.

With the above settings, all connecting clients will have full access to the Internet and to all your LAN computers. Clients connected to AIR3 will, however, still be on a different subnet than those attached to ET0-ET3. If you want to bridge AIR3 to the same network as your LAN (so that AIR3 clients are on the same subnet as ET0-ET3), select AIR3 "--> ET1" on the [[web_gui:network_page|Network Configuration page]].

For most applications, whether the wireless-to-LAN connection is routed or bridged is unimportant. However, if you experience communication problems between wireless and LAN clients, you might try bridging it using the "--> ET1" setting.

As this access point allows anyone connecting (with the proper passphrase) full access to your LAN, you might want to improve security using two additional safeguards:

==== Closed System ====

Enabling the "Closed System" setting hides this access point from clients' automatically generated lists of access points. Users must enter the SSID manually into their wireless clients to gain access.

==== Access Control ====

By enabling "Access Control" you can enter a list of MAC addresses of clients allowed to connect. No clients other than those listed are allowed to connect to your access point.

===== Save & Reboot =====

In the above examples we used the "Apply" button on the [[web_gui:wireless_page|Wireless Settings page]]. To activate all these changes, click "Save & Reboot" on that page. This saves all settings permanently, reboots the unit, and initializes the wireless access point with the proper settings.