Client VPN back to SonicWALL from separate interface

Morning All,

We’ve got a client who insisted they had a separate interface for guest wireless traffic which had no access to the main LAN. They didn’t want to use a separate SSID with a VLAN, so it’s just a single AP connected to a separate interface (X2); they don’t offer wireless on the main LAN (X0) at all.

They have now decided they’d like to get people with work devices connected to the LAN using wireless occasionally; however, this means using VPN to connect back into the network. I suspect this would use a loopback rule, but it’s not something I’ve come across before (it doesn’t currently work).

They use a DNS name of remote.domain.com to connect to the VPN while out of the office, so I’d assumed a loopback rule would work, but it doesn’t seem to want to connect.

Any thoughts?

Why not just change the configuration of the Wi-Fi network they have to access the LAN? Better yet, I’d recommend having one SSID for guest internet access (aka only a connection to the internet, with no access to internal resources) and another SSID for company-owned devices you’d like to have access to your internal LAN. I suppose you could VPN back in from the guest Wi-Fi to gain access, but that sounds like an overly complex way (both in terms of configuration and usability for the end user) to accomplish what the above suggestion would do.

If you DO want to add the ability to access the VPN from the guest Wi-Fi, you should see the settings for that in the Zone configuration page for the zone the guest Wi-Fi lives on. That’s how it’s set up in SonicOS 7 (and 6 too, I believe) at least.

Edit: added more information.

A loopback NAT is going to be your best and most secure option here, you just need it to allow SSL-VPN traffic from X2 LAN to loopback.

Punching holes through from one LAN to another is far less secure, and goes against the whole purpose of keeping them separate.
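The two replies above describe the intended design: a loopback NAT lets guest clients on X2 reach the SSL-VPN listener by its public name, while the access rules still deny X2 to X0 directly. The following is an added Python model of that policy logic, written for this thread and not SonicWALL's own code or configuration; the addresses, the SSL-VPN port (4433), the zone names and the "NAT first, then access rule, default deny" evaluation order are all constructed assumptions. It generalises the thread's single case to any packet, so you can see which flows the loopback rule opens and which stay blocked.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addressing for the model (assumptions, not taken from the thread).
WAN_IP = ip_address("203.0.113.10")        # what remote.domain.com is assumed to resolve to
X0_LAN = ip_network("192.168.0.0/24")      # main LAN on X0
X2_GUEST = ip_network("192.168.2.0/24")    # guest wireless on X2
X2_IFACE_IP = ip_address("192.168.2.1")    # firewall's own address on X2
SSLVPN_PORT = 4433                         # assumed SSL-VPN listener port
ANY = 0                                    # wildcard port in access rules


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Loopback NAT: traffic from an inside subnet to the public IP is
    source-translated to the firewall's interface address so the reply
    path is symmetric and stays on the firewall."""
    orig_src: object   # ip_network
    orig_dst: object   # ip_address
    dport: int
    trans_src: object  # ip_address


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    dport: int   # ANY or a specific port
    action: str  # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Classify an address into the zone model used here (assumed zone names)."""
    ip = ip_address(addr)
    if ip == WAN_IP or ip == X2_IFACE_IP:
        return "FIREWALL"   # a service hosted on the firewall itself, e.g. SSL-VPN
    if ip in X0_LAN:
        return "LAN"
    if ip in X2_GUEST:
        return "GUEST"
    return "WAN"


def apply_loopback_nat(pkt: Packet, nat_rules) -> Packet:
    """Return the packet after the first matching loopback NAT rule, if any."""
    for r in nat_rules:
        if (ip_address(pkt.src) in r.orig_src and ip_address(pkt.dst) == r.orig_dst
                and pkt.dport == r.dport):
            return replace(pkt, src=str(r.trans_src))
    return pkt


def evaluate(pkt: Packet, nat_rules, access_rules) -> str:
    """Model: NAT is matched first, then the access rules are checked on the
    post-NAT packet; first match wins, and anything unmatched is denied."""
    translated = apply_loopback_nat(pkt, nat_rules)
    src_zone = zone_of(pkt.src)          # the originating zone decides the source
    dst_zone = zone_of(translated.dst)
    for rule in access_rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dport in (ANY, translated.dport)):
            return rule.action
    return "deny"


# The policy the replies describe: one loopback rule for the VPN listener,
# internet for guests, and no rule at all from GUEST to LAN.
NAT_RULES = [NatRule(X2_GUEST, WAN_IP, SSLVPN_PORT, X2_IFACE_IP)]
ACCESS_RULES = [
    AccessRule("GUEST", "WAN", ANY, "allow"),               # guests get internet
    AccessRule("GUEST", "FIREWALL", SSLVPN_PORT, "allow"),  # only the VPN listener
]


def decide(src: str, dst: str, dport: int) -> str:
    """Convenience wrapper: what happens to one constructed flow."""
    return evaluate(Packet(src, dst, dport), NAT_RULES, ACCESS_RULES)


if __name__ == "__main__":
    guest = "192.168.2.50"
    for dst, port, label in [
        (str(WAN_IP), SSLVPN_PORT, "guest -> remote.domain.com SSL-VPN"),
        ("192.168.0.5", 445, "guest -> LAN file server"),
        ("198.51.100.7", 443, "guest -> internet HTTPS"),
        (str(WAN_IP), 443, "guest -> firewall WAN IP, non-VPN port"),
    ]:
        print(f"{label:45s} {decide(guest, dst, port)}")
```

The LAN segment is never reachable from X2 in this model; the work device only gets to X0 once its SSL-VPN tunnel is up, which is exactly what keeps the loopback approach more defensible than a GUEST-to-LAN access rule. When troubleshooting a real SonicWALL, the analogous checks are that the NAT policy's original destination is the WAN address remote.domain.com resolves to and that the access rule from the guest zone permits the SSL-VPN service to that address.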

I couldn’t agree more, and I’ve been back and forth with the issue (even to the point of refusing the config), but I’ve been overruled. I much prefer a VLAN for guests.

I was faced with this recently and decided everyone on Wi-Fi will be considered a guest. This is/was for a number of reasons… mainly because I was sick of people divulging the wrong passcode to guests (can’t fix ignorance and arrogance) and wanting to keep troubleshooting to a minimum if/when necessary. Being the one and only IT weenie, sometimes the position of KISS remains the best solution.

Thank you. I suspect I’ve not built the loopback correctly; I assumed this would be the answer, but I think I need to recheck my config.

Difficult to say without seeing it, but if you want any help, shoot me a screenshot and I’ll see if I can spot anything!