About AP Station Isolation


    http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/wireless/ap_station_isolation_c.html

    When you configure an SSID for your AP device, you can optionally enable station isolation. The station isolation setting controls whether wireless clients can communicate directly with each other through the AP device. Station isolation blocks direct traffic between wireless clients that connect to the same SSID on the same radio. It does not block direct traffic between wireless clients that connect to the same SSID on different AP devices, or between wireless clients that connect to different radios on an AP200 device; those paths must be covered by the VLAN and firewall configuration described below.

    We recommend that you enable station isolation for SSIDs on AP devices that provide a wireless guest network for wireless clients that do not trust each other.

    Station Isolation for a Single AP Device

    To enable station isolation on an AP device, select the Enable station isolation check box in the SSID settings.

    For more information, see Configure WatchGuard AP Device SSIDs.

    Station Isolation for Multiple AP Devices

    When station isolation is enabled on a single AP device that uses the same SSID as another AP device, traffic can still pass between wireless clients that are connected to other AP devices. To effectively implement station isolation for an SSID that is used by more than one AP device, you must also make sure that all traffic between your AP devices goes through the XTM device. The XTM device can then apply policies that support your station isolation settings to the traffic.

    To implement station isolation for more than one AP device, you must:

    1. Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.
      To make sure that the same IP address pool is used for wireless clients that connect to the SSID on any AP device, you must configure a VLAN. For wireless roaming to function correctly, all SSIDs must be on the same network. When you configure the VLAN to apply policies to intra-VLAN traffic, the XTM device applies firewall policies to the VLAN traffic from one interface with the destination of the same VLAN on another interface.
    2. For each AP device, configure one VLAN interface to manage untagged VLAN traffic.
      Or, you can enable management VLAN tagging in the AP device configuration and select a VLAN ID to use for management.
    3. Configure the SSID settings to enable station isolation.
      It is not necessary to enable VLAN tagging in the SSID settings if the VLAN interfaces are configured to manage untagged traffic.
    4. Connect each AP device directly to a VLAN interface on the XTM device.
      This ensures that all traffic between AP devices goes through the XTM device.

    Because the default packet handling policy automatically denies traffic between AP devices on two different interfaces, you do not have to create a policy to explicitly deny that traffic. For example, if you configure a VLAN in the Optional security zone, the XTM device automatically denies packets between the two interfaces as unhandled packets because they do not match any of the configured firewall policies. To prevent traffic between AP devices, make sure that you do not add a policy that allows traffic from Optional to Optional.

    You can also enable VLAN tagging in the SSID and configure the VLAN interfaces to manage tagged traffic, but VLAN tagging is not required for station isolation. If you enable VLAN tagging, you must configure two VLANs: one for tagged SSID traffic and one for untagged management traffic. Or, you can enable one VLAN and configure the AP to enable management VLAN tagging for that VLAN in the AP device configuration.
    For more information, see Configure VLANs for WatchGuard AP Devices.

    Example — Station Isolation and Roaming

    This example shows how to implement station isolation for a wireless guest network with two AP100 devices that use the same SSID.

    Step 1 — Configure the VLAN

    First, configure the VLAN and VLAN interfaces for your AP devices.

    1. Create a VLAN for the traffic of the SSID.
      For example, the VLAN could have these properties:
      • Name (Alias) — AP100-Guest
      • VLAN ID — 20
      • Security Zone — Optional
      • IP Address — 10.0.20.1/24
      • DHCP Server Address Pool — 10.0.20.10 to 10.0.20.100
      • Apply firewall policies to intra-VLAN traffic — Enabled

    Screen shot of the Edit VLAN dialog box for the AP100-Guest VLAN

    2. Configure a VLAN interface for the first AP device.
      For example, the first VLAN interface could have these properties:
      • Interface Name — AP100-1
      • Interface Type — VLAN
      • Send and receive untagged traffic for VLAN AP100-Guest (10.0.20.1/24)

    Screen shot of the Interface Settings for VLAN interface AP100-1

    3. Configure a VLAN interface for the second AP device.
      For example, the second VLAN interface could have these properties:
      • Interface Name — AP100-2
      • Interface Type — VLAN
      • Send and receive untagged traffic for VLAN AP100-Guest (10.0.20.1/24)

    For more information about how to configure a VLAN, see Define a New VLAN.

    Step 2 — Configure the SSID

    Next, enable station isolation in the SSID settings.

    1. Add or edit an SSID for your wireless guest network.
      For this example, we named the SSID "AP100-Guest".
    2. Select the Enable station isolation check box.

    Screen shot of the Edit SSID dialog box for SSID AP100-Guest

    Because the AP100-Guest VLAN in this example carries untagged traffic on the VLAN interfaces, you do not have to enable VLAN tagging in the SSID settings.

    For more information about SSID configuration, see Configure WatchGuard AP Device SSIDs.

    Step 3 — Connect the AP Devices to the VLAN Interfaces

    After you configure the VLAN interfaces and SSID settings:

    1. Connect the AP devices to the VLAN interfaces.
    2. Discover and pair each AP device.
    3. Configure both AP devices to use the SSID you configured.

    For more information about discovery and pairing, see WatchGuard AP Device Discovery and Pairing.

    About This Example

    This configuration example prevents direct wireless traffic between wireless clients that connect to the AP100-Guest SSID. The two main components of this configuration are:

    • Station isolation — The station isolation setting in the SSID makes sure that wireless clients that connect to the same radio cannot communicate directly with each other.
    • VLAN — The firewall and VLAN configuration make sure that traffic cannot pass between wireless clients that connect to the AP100-Guest SSID on different AP devices.

    This example shows how to configure station isolation for two AP devices. To add a third AP device, configure another VLAN interface to handle untagged VLAN traffic for the defined VLAN. Then, connect the AP device to that VLAN interface and configure it to use the defined SSID.
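    The procedure above (VLAN with intra-VLAN policy enforcement, one XTM interface per AP device, station isolation on the SSID, no Optional-to-Optional allow policy) and the two-AP example are easy to get subtly wrong. The following Python is an added example, not WatchGuard code: it models the reachability rules stated on this page and reports every client-to-client path a given configuration leaves open. The VLAN, interface and SSID names are taken from the example; the data model, the "Any" zone wildcard and the audit function are assumptions made for illustration.

```python
# Added example (not WatchGuard code): model of the client-to-client reachability
# rules described on this page, used to audit an AP/VLAN/policy configuration.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vlan:
    name: str
    vlan_id: int
    zone: str                  # XTM security zone, e.g. "Optional"
    intra_vlan_policies: bool  # "Apply firewall policies to intra-VLAN traffic"


@dataclass(frozen=True)
class AccessPoint:
    name: str
    xtm_interface: str  # XTM VLAN interface the AP device is cabled to
    vlan: str           # VLAN carried untagged on that interface
    radios: int = 1     # AP100 has one radio, AP200 has two


@dataclass(frozen=True)
class Ssid:
    name: str
    station_isolation: bool


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str  # zone name, or "Any" (assumed wildcard)
    to_zone: str
    action: str     # "allow" or "deny"


def firewall_verdict(src_zone, dst_zone, policies):
    """First matching policy wins; unmatched traffic is an unhandled packet and is denied."""
    for p in policies:
        if p.from_zone in (src_zone, "Any") and p.to_zone in (dst_zone, "Any"):
            return p.action == "allow", f"matched policy {p.name!r}"
    return False, "no matching policy: dropped as unhandled packet"


def client_path(ap_a, ap_b, same_radio, ssid, vlans, policies):
    """Return (allowed, reason) for traffic between two clients of `ssid`."""
    if ap_a is ap_b and same_radio:
        if ssid.station_isolation:
            return False, "blocked by station isolation (same radio)"
        return True, "station isolation disabled on SSID"
    if ap_a is ap_b:
        # Second radio of the same AP device: isolation does not apply and the
        # traffic never leaves the AP, so the XTM device cannot filter it.
        return True, "different radios on one AP device; station isolation does not apply"
    if ap_a.xtm_interface == ap_b.xtm_interface:
        return True, "APs share one XTM interface; traffic never reaches the firewall"
    vlan_a, vlan_b = vlans[ap_a.vlan], vlans[ap_b.vlan]
    if ap_a.vlan == ap_b.vlan and not vlan_a.intra_vlan_policies:
        return True, "intra-VLAN traffic is forwarded without firewall policies"
    return firewall_verdict(vlan_a.zone, vlan_b.zone, policies)


def audit(aps, ssid, vlans, policies):
    """List (ap_a, ap_b, reason) for every client-to-client path left open."""
    findings = []
    for ap in aps:
        radio_cases = [True] + ([False] if ap.radios > 1 else [])
        for same_radio in radio_cases:
            ok, why = client_path(ap, ap, same_radio, ssid, vlans, policies)
            if ok:
                findings.append((ap.name, ap.name, why))
    for a, b in combinations(aps, 2):
        ok, why = client_path(a, b, False, ssid, vlans, policies)
        if ok:
            findings.append((a.name, b.name, why))
    return findings


# Constructed configuration matching the example on this page.
GUEST_VLAN = Vlan("AP100-Guest", 20, "Optional", intra_vlan_policies=True)
VLANS = {GUEST_VLAN.name: GUEST_VLAN}
GUEST_SSID = Ssid("AP100-Guest", station_isolation=True)
APS = [
    AccessPoint("AP100 #1", "AP100-1", "AP100-Guest"),
    AccessPoint("AP100 #2", "AP100-2", "AP100-Guest"),
]

if __name__ == "__main__":
    print("as documented:", audit(APS, GUEST_SSID, VLANS, []))
    # The mistake the page warns about: an Optional-to-Optional allow policy.
    leaky = [Policy("Optional-to-Optional", "Optional", "Optional", "allow")]
    for a, b, why in audit(APS, GUEST_SSID, VLANS, leaky):
        print(f"OPEN {a} -> {b}: {why}")
```

Running the block as written prints an empty finding list for the documented configuration and one open path once the Optional-to-Optional policy is added. Cabling a third AP to an existing VLAN interface, disabling "Apply firewall policies to intra-VLAN traffic", or using a two-radio AP200 on the guest SSID each produce their own finding, which is the point: station isolation alone only covers one radio.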

    See Also

    Configure WatchGuard AP Device SSIDs



    Original address: https://www.cnblogs.com/ztguang/p/12646148.html