Standalone ZoneFlex 7372 - private / public WiFi - pfSense firewall - Cisco Catalyst 3560 switch

  • Question
  • Updated 1 year ago
Just got my first Ruckus access point, a ZF7372, and would like to set up private WiFi for family and public WiFi for guests.

I have a Dell PowerEdge 2950 (dual Xeon 5160 3GHz, 8GB) running pfSense firewall with 6 x gigabit NICs, and a Cisco Catalyst 3560 switch.

Any suggestions on how to accomplish this? What are best practices for connecting the ZF7372 to the network and separating the public/private WiFi networks? I'm assuming VLANs set up in the switch, in the access point/SSIDs, and in pfSense? Kind of new to all this, eager to learn.

Current setup is cable modem > pfSense WAN > switch > ZF7372.
The switch is set up with all ports in VLAN 1 (default).

Does the standalone AP get trunked to the switch?
Does the pfSense router get trunked to the switch?
Patrick

  • 4 Posts
  • 0 Reply Likes

Posted 1 year ago

Dionis, AlphaDog

  • 69 Posts
  • 35 Reply Likes
Patrick, congratulations on your Ruckus AP. The configuration is actually pretty straightforward and simple. In your pfSense, create two virtual interfaces for VLANs. IP them accordingly and make one your guest and one private. Pass those VLANs onto the switch. The port configured for the AP, make that a trunk port. Pass the native VLAN and make that the VLAN that will give the AP its IP address; this may be the private network VLAN if you want to make your life easier. Then allow both the VLANs for guest and for private on this port, plus the native one if different, to pass on this trunk port.

That's it, your infrastructure is built. Now you can move on to configure the AP; that's pretty straightforward. When it gets to the point of assigning a VLAN to the WLAN area, select the VLAN you created for guest and private and apply them to their corresponding WLAN.

Don't forget to secure your private network by preventing access to it from the guest network and to create your DHCP pools for each subnet on the pfSense.

Hope this helps.
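
The switch side of the setup described in the reply above, as an added example that is not part of the original thread. The VLAN IDs (10 private, 20 guest), native VLAN 1 for the AP's own IP address, and the port numbers are assumptions chosen for illustration.

```cisco
! Constructed example for the Catalyst 3560.
! Assumed: VLAN 10 = private, VLAN 20 = guest, VLAN 1 = native (AP management),
! Gi0/1 = uplink to the pfSense LAN NIC, Gi0/2 = ZF7372.
vlan 10
 name PRIVATE
vlan 20
 name GUEST
!
! Trunk to pfSense: the LAN NIC is the parent of the two VLAN interfaces,
! so both tags plus the untagged native VLAN must reach it.
interface GigabitEthernet0/1
 description pfSense-LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate
!
! Trunk to the AP: untagged frames (native VLAN) carry AP management,
! tagged frames carry the private and guest WLANs.
interface GigabitEthernet0/2
 description ZF7372
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
```

Restricting the allowed list to the VLANs actually in use keeps any other VLAN on the switch from leaking onto either trunk, and `show interfaces trunk` confirms what each port is carrying. The tags set here must match the VLAN tags on the pfSense VLAN interfaces and on each WLAN in the AP.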
Patrick

Dionis, thanks for the reply, it has indeed helped.

I have a few more questions before I commit.
In the GUI of the AP, under Ports:
Port 2 goes to the switch, and per your instructions I will set the switchport on the Cisco to trunk, allowing the native VLAN and the two WiFi public/private VLANs.

Should I change port 2 on the 7372 to trunk, I assume, to match the trunk setting on the switch?

Should I change:

   Packet Forward
   802.1X
   VLAN
   Insert DHCP Option 82
   Client Fingerprinting

Would you please explain UNTAG ID and Members for the above VLAN setting?

Is it best practice to put all my devices on the same management VLAN, and add the mgmt VLAN to the trunk?
i.e. pfSense router firewall / Cisco switch / wireless AP

Also, do any changes need to be made in
Administration :: Management

Controller Discovery Agent (LWAPP)
Cloud Discovery Agent (FQDN)
Controller Address

TR069 / SNMP Management Choice

as I have no ZoneDirector?

Thank you,
Patrick

Dionis, AlphaDog

OK, first, only change client fingerprinting if you want to have clients' OS identified and such; no change for DHCP Option 82 and 802.1X, but do change the VLAN to the one that corresponds to that network.

Don't change the physical port on the AP; leave it as default. By adding the VLAN to the WLAN you are already doing this.

No changes to the ZoneDirector area. Untagged means it won't be passed forward, it stays there as access only (in the simplest way I can explain it).

Management changes could include the port to access the AP, secured or unsecured access, and things like that. Also the user and password to manage the AP. In your case, no SNMP or any of that.

Patrick

OK thanks, the issue was the DHCP server. Once I stopped it on all interfaces and brought it back up, IP assignment took place on the virtual interfaces. Now everything is working as expected.

Dionis, AlphaDog

Glad everything is working.  Let us know if you need anything else.  Enjoy your Ruckus AP :-)

Patrick

Hello,

This is not really Ruckus related; I asked for some help in the pfSense forum with no replies.

I have the same setup:
   cable modem >> pfSense WAN interface
   pfSense LAN interface >> Cisco 3560 switch
   Ruckus 7372 >> switch
I have recently come across a Cisco 2851 router, 2 7960 IP phones, and 10 7920 wireless IP phones.

Could use some help getting them online.
Funny story: when I first got the router and phones, I had them connecting to the router, and they could all call each other by extension; I even got as far as registering the call manager to Flowroute. And then the router lost power, and the config was not saved.

Thanks,
Patrick

BTW Ruckus is awesome. I watched this video on beamforming, antennas and waves:
https://www.youtube.com/watch?v=kcIkgyRGFQE
Awesome technology and company.