
WLAN Controller

Using a SonicWALL NSA as a WLAN Controller

Contents
Placing a SonicWALL NSA in a Network Solely for WLAN Management
Deployment Steps
Using the SonicWALL NSA as a WLAN Controller
Configuring the Upstream SonicWALL NSA
Configuring the WLAN Controller SonicWALL NSA
Other Considerations

Placing a SonicWALL NSA in a Network Solely for WLAN Management


The SonicWALL NSA platform is a full UTM firewall, but is also fully capable of centrally managing SonicPoints, SonicWALL wireless access points. While many customers use the SonicWALL NSA as their primary gateway to the Internet, as well as for WLAN functionality, replacing the existing gateway appliance is not always feasible. In that scenario, a SonicWALL NSA can be dropped into an existing network with minimal effort, so as to perform centralized WLAN management. The end result is simplified management of the wireless environment, including wireless IDS scans, easy provisioning of SonicPoints, and bandwidth management of WLAN users. The SonicWALL NSA further augments wireless security by providing content filtering, wireless guest services, and deep packet inspection for malware, attacks, and other threats.

Deployment Steps
In the following scenario, a SonicWALL NSA is the primary gateway device (the upstream appliance), and a SonicWALL NSA 2400 is the WLAN controller (the downstream appliance). Please note that while we are using a SonicWALL NSA as the upstream appliance, this could be another gateway device that is capable of routing. You may still use the following example as guidance if you have a different gateway appliance.

While it is possible to leave the default NAT configuration on the downstream appliance, double-NAT of traffic is usually not desirable in most networks. The SonicWALL NSA, by default, is configured for a many-to-one NAT out of the WAN interface. Using NAT on the downstream appliance also means all wireless clients will be seen as using the same IP address. This can be problematic when uniqueness is needed for things like per-user logging, SSO, etc. We will set the downstream SonicWALL NSA in route mode, where traffic will simply be routed, and not be subject to double-NAT.

Review the following diagram and refer to it for the setup process.

Using the SonicWALL NSA as a WLAN Controller

We will configure the downstream SonicWALL NSA 2400 to have a WLAN network of 192.168.6.0/24. The SonicWALL NSA 2400 WAN interface will connect to the LAN side of the upstream SonicWALL NSA. Optionally, you could attach the appliance acting as the WLAN controller to something other than the LAN zone, such as a DMZ zone. Routing traffic from the downstream SonicWALL NSA to a zone other than the LAN on the upstream SonicWALL NSA allows you to create firewall rules to further restrict network access, if so desired. In networks where a central router is used internally, configuration will need to be done on the router(s), as well as on the upstream firewall.

Configuring the Upstream SonicWALL NSA

Create address object(s) of the network(s) for the downstream SonicWALL NSA's WLAN subnet(s).

Create an address object for the WAN IP address of the downstream SonicWALL NSA.

Create a route policy on the upstream SonicWALL NSA, so it can route traffic back to the downstream SonicWALL NSA. Create a route policy for each network belonging to the downstream SonicWALL NSA.

This is how the route policies should appear.

Configuring the WLAN Controller SonicWALL NSA

The configuration of this appliance is the same as for almost any other SonicWALL NSA appliance performing WLAN functionality, with one small exception: disabling the custom NAT policies.

First, configure the WLAN policies for your environment. For assistance in how to configure the WLAN, virtual access points, and other wireless settings, please refer to the SonicOS Administrator's Guide and/or other Tech Notes available at www.sonicwall.com.

Navigate to NAT Policies and select the radio button for Custom Policies. Disable the custom NAT policies that have X1 (which is our WAN) as the outbound interface. This causes all traffic sent out of the X1 interface to simply be routed, and not subject to NAT.
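The checks below are an added example, not part of the original tech note and not SonicWALL tooling. They verify that every downstream WLAN subnet has a return route on the upstream appliance via the downstream WAN IP, and classify the source address the upstream sees to tell whether the downstream is still applying NAT. Only 192.168.6.0/24 comes from the text; the downstream WAN IP 192.168.1.2, the second subnet 192.168.7.0/24, and the route and source lists are constructed sample values.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the tech note,
# except the 192.168.6.0/24 WLAN subnet).
DOWNSTREAM_WAN = "192.168.1.2"
WLAN_SUBNETS = ["192.168.6.0/24", "192.168.7.0/24"]
UPSTREAM_ROUTES = [{"destination": "192.168.6.0/24", "gateway": "192.168.1.2"}]
OBSERVED_SOURCES = ["192.168.6.23", "192.168.1.2", "192.168.6.40"]


def missing_return_routes(wlan_subnets, route_policies, downstream_wan_ip):
    """Return WLAN subnets with no upstream route via the downstream WAN IP."""
    gw = ipaddress.ip_address(downstream_wan_ip)
    missing = []
    for subnet in map(ipaddress.ip_network, wlan_subnets):
        covered = any(
            ipaddress.ip_address(r["gateway"]) == gw
            and subnet.subnet_of(ipaddress.ip_network(r["destination"]))
            for r in route_policies
        )
        if not covered:
            missing.append(str(subnet))
    return missing


def classify_source(src_ip, wlan_subnets, downstream_wan_ip):
    """Classify the source address the upstream sees for a wireless flow."""
    ip = ipaddress.ip_address(src_ip)
    if ip == ipaddress.ip_address(downstream_wan_ip):
        return "natted"  # downstream still does many-to-one NAT out of X1
    if any(ip in ipaddress.ip_network(n) for n in wlan_subnets):
        return "routed"  # client address preserved end to end
    return "other"


def audit(wlan_subnets, route_policies, downstream_wan_ip, sources):
    """Combine both checks into one report."""
    return {
        "missing_routes": missing_return_routes(
            wlan_subnets, route_policies, downstream_wan_ip),
        "natted_sources": [s for s in sources if classify_source(
            s, wlan_subnets, downstream_wan_ip) == "natted"],
    }


if __name__ == "__main__":
    print(audit(WLAN_SUBNETS, UPSTREAM_ROUTES, DOWNSTREAM_WAN, OBSERVED_SOURCES))
```

A source equal to the downstream WAN IP on wireless flows indicates a custom NAT policy on X1 is still enabled, which defeats per-user logging and SSO on the upstream appliance.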

Other Considerations

Use managed switches whenever possible. Managed switches will reduce or eliminate physical wiring changes necessary in deployment.

The above scenario used static routes; consider the use of RIP/OSPF to learn routes between upstream and downstream firewalls.

It is possible to use a central DHCP server and allow broadcast traffic to and from the SonicWALL NSA WLAN controller.

Author: Rob Andrews Edited by Matt Harvey Last Edited: 1/4/2010
