Required INI settings
(for the DNS Redirector server in VLAN4)
DNSServerIP=[put a real DNS server here]
Netgear FVS336Gv2, a firewall supporting 2 isolated networks with 60Mbps NAT throughput
Netgear GS108PEv2, a switch supporting POE, VLANs and Gigabit Ethernet
Engenius EAP350, access points supporting POE, VLANs and Gigabit Ethernet
DNS Redirector software on at least one Windows server, for splash page and Internet filtering on the guest network
1) Configure the firewall to use the DMZ port; this becomes the "second LAN" just for guest use. The DMZ port then becomes VLAN4 in the switch, while the normal LAN port becomes VLAN1. In this example we configured the firewall with the following IPs...
- LAN IP of 192.168.46.1 and DHCP range of 192.168.46.100 to 199
- DMZ IP of 192.168.47.1 and DHCP range of 192.168.47.100 to 199
...you can use any IP scheme you like, but ensure the LAN interface is different than the DMZ interface.
2) Configure all the access points while the switch is still in flat network (no VLANs) mode. Since each AP ships with the same default IP, we'll need to configure them one at a time. Because switch ports 1 through 4 support POE, there is no need to use the wall-wart power adapter that comes with the AP; just plug in the Ethernet cable. Plug your laptop into switch port 5 and temporarily set it to use a static IP within the same range as the factory default of the AP. Use 255.255.255.0 for the subnet mask and leave default gateway and DNS blank.
Visit the default IP of the AP in a browser, and configure as follows...
- Update to the latest firmware available
- Reset the AP to factory defaults, wait for the AP to reboot
- Set the operation mode to United States (or your own country)
- Set the AP to have its own static IP within the LAN interface, but not within the DHCP range
- Set two SSIDs...
  - in VLAN1 will be your internal network with WPA2
  - in VLAN4 will be the wide-open network for guests, which will also have station separation
- Remember that each of your APs should have a unique IP address, and a unique wireless channel, but all the other settings (names of the SSID, WPA2 key, etc.) should be identical in order to support clients roaming between access points as they move about your building.
- Set the management VLAN to 1.
Go to Save/Reload and wait for the AP to reboot, then go on to configure the next one. When this AP comes back up, you probably won't be able to reach it at the new IP you just set. This is because its IP traffic is now tagged with VLAN1 and we haven't configured the switch to support VLANs just yet.
3) Configure the switch using the Prosafe Plus Configuration Utility (this switch does not have a purely web-based interface running from an HTTP address). Ensure your laptop is set to obtain an IP automatically (DHCP) so the Netgear utility can discover the switch. Start by giving the switch a static IP address (within the LAN interface, but not within the DHCP range). Then enable the VLAN 802.1Q Advanced option. Since the first 4 ports of the switch are POE, and these are the ones the APs are plugged into, configure these ports to accept traffic tagged with VLAN1 and VLAN4. The other ports will be set to un-tagged traffic within just one particular VLAN...
- Set ports in VLAN1
- Set ports in VLAN4
- Set PVID membership
Remember to press apply after each change of the config.
Unplug your laptop from the switch and...
- connect to the "internal" SSID, enter your WPA2 key, observe your laptop gets a 192.168.46.x IP.
- connect to the "guest" SSID, observe your laptop gets a 192.168.47.x IP.
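The DHCP check above shows which VLAN the laptop landed in. As an added example (not part of the original article), this Python script also tries TCP connections from the guest side to internal management addresses, so a path between the two networks shows up as a finding. The /24 masks, the two AP addresses and port 80 are assumptions; substitute the static IPs you gave your own APs.

```python
import ipaddress
import socket

# Subnets from the article; the /24 masks are an assumption.
LAN = ipaddress.ip_network("192.168.46.0/24")    # VLAN1, internal
GUEST = ipaddress.ip_network("192.168.47.0/24")  # VLAN4, guest (firewall DMZ port)
# Constructed sample targets: AP management web UIs on static LAN addresses.
TARGETS = [("192.168.46.11", 80), ("192.168.46.12", 80)]

def segment_of(ip):
    """Classify an address as 'internal', 'guest' or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "internal"
    return "guest" if addr in GUEST else "other"

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_guest_isolation(my_ip, targets=TARGETS, probe=tcp_probe):
    """Run while joined to the guest SSID; an empty list means no leak was found."""
    if segment_of(my_ip) != "guest":
        return [f"{my_ip} is not a guest (VLAN4) address; join the guest SSID first"]
    findings = []
    for host, port in targets:
        if segment_of(host) != "internal":
            findings.append(f"{host} is outside the internal range, skipped")
        elif probe(host, port):
            findings.append(f"LEAK: guest client reached {host}:{port}")
    return findings

def local_ip(toward="192.168.47.1"):
    """Address the OS would use to reach the guest gateway (no packet is sent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((toward, 9))
        return s.getsockname()[0]

if __name__ == "__main__":
    results = check_guest_isolation(local_ip())
    print("\n".join(results) if results else "no internal target answered from the guest side")
```

An empty result only covers the listed hosts and ports, so treat it as a spot check and review any LEAK line against the firewall's DMZ-to-LAN rules.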
Now that you've ensured your two networks are isolated, go back to the firewall config and set the DMZ network to hand out the DNS Redirector server IP of 192.168.47.2 as the only DNS server via DHCP.