Required INI settings
- ZyXEL ZyWALL USG 50, a firewall supporting 3 isolated networks with 180Mbps NAT throughput
- Netgear GS748TP, a switch supporting POE, VLANs and Gigabit Ethernet
- Engenius EAP350 access points supporting POE, VLANs and Gigabit Ethernet
- DNS Redirector software on one Windows server (could be Active Directory for the internal network), for the splash page and Internet filtering on the guest network
Configure the firewall to use separate physical ports for LAN1 and LAN2. The P3 (LAN1) port then becomes VLAN2 in the switch, while the P4 (LAN2) port becomes VLAN4. In this example we configured the following IPs...
- P3 (LAN1) IP of 192.168.22.1 and DHCP range of 192.168.22.100 to 199
- P4 (LAN2) IP of 192.168.24.1 and DHCP range of 192.168.24.100 to 199
...you can use any IP scheme you like, but ensure the LAN1 interface uses a different subnet from the LAN2 interface.
Set the LAN2 DHCP scope to provide 192.168.22.5 as the only DNS server. Create firewall rules to allow only HTTP (TCP port 80) and DNS (UDP port 53) from LAN2 (any) to LAN1 (192.168.22.5). This allows public wireless clients to reach only the IIS sites and the DNS Redirector service on the server.
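The guest-network policy above is easy to get subtly wrong (a rule that allows all of LAN1 instead of just the server, or the wrong protocol on port 53). The following is an added example, not part of the original page or of DNS Redirector: a small first-match model of the rules, used to audit which internal hosts and ports a guest client can actually reach. The subnet values, the rule table and the implicit LAN2-to-LAN1 deny are assumptions taken from this example setup, not ZyWALL syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the firewall policy described above (not ZyWALL config
# syntax). Assumptions: rules are matched first-match top to bottom, and anything
# from LAN2 to LAN1 not explicitly allowed is denied by the catch-all rule.
LAN1 = ipaddress.ip_network("192.168.22.0/24")    # internal network (P3)
LAN2 = ipaddress.ip_network("192.168.24.0/24")    # guest network (P4)
SERVER = ipaddress.ip_network("192.168.22.5/32")  # IIS + DNS Redirector host

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str    # "tcp", "udp" or "any"
    dport: int    # 0 means any port
    action: str   # "allow" or "deny"

RULES = [
    Rule(LAN2, SERVER, "tcp", 80, "allow"),  # splash page / IIS sites
    Rule(LAN2, SERVER, "udp", 53, "allow"),  # DNS Redirector service
    Rule(LAN2, LAN1, "any", 0, "deny"),      # everything else on the internal network
]

def decide(src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """Return the action for one flow, or None if no LAN2->LAN1 rule covers it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.dport in (0, dport):
            return r.action
    return None  # flow is outside the modelled LAN2->LAN1 policy (e.g. WAN-bound)

def guest_reachable(client: str, targets, ports) -> set:
    """Enumerate which (target, proto, port) combinations a guest client may reach on LAN1."""
    allowed = set()
    for t in targets:
        for proto, port in ports:
            if decide(client, t, proto, port) == "allow":
                allowed.add((t, proto, port))
    return allowed

if __name__ == "__main__":
    # Constructed probe: a guest client against the server, the LAN1 gateway and another host.
    probe = [("tcp", 80), ("tcp", 443), ("tcp", 3389), ("udp", 53), ("udp", 161)]
    hosts = ["192.168.22.5", "192.168.22.1", "192.168.22.10"]
    print(sorted(guest_reachable("192.168.24.150", hosts, probe)))
```

If the audit returns anything beyond HTTP and DNS to 192.168.22.5, the rule set is broader than the text above intends and should be tightened before the guest SSID goes live.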
Configure all the access points while the switch is still in flat (no VLAN) mode. Since each AP ships with the same default IP, you'll need to configure them one at a time. Because the switch supplies POE on every port there is no need for the wall-wart power adapter that comes with the AP; just plug in the Ethernet cable. Plug your laptop into a switch port and temporarily give it a static IP within the same range as the AP's factory default, with a subnet mask of 255.255.255.0 and the default gateway and DNS left blank.
Visit the default IP of the AP in a browser, and configure as follows...
- Update to the latest firmware available
- Reset the AP to factory defaults, wait for the AP to reboot
- Set the operation mode to United States (or your own country)
- Set the AP to have its own static IP within the LAN1 interface, but not within the DHCP range
- Set two SSIDs...
  - one in VLAN2 for your internal-private network, secured with WPA2
  - one in VLAN4 as the wide-open network for guests, with station separation enabled
- Remember that each of your APs should have a unique IP address and a unique wireless channel, but all the other settings (SSID names, WPA2 key, etc.) should be identical so that clients can roam between access points as they move about your building.
- Set the management VLAN to 2.
Go to Save/Reload and wait for the AP to reboot, then go on to configure the next one. When this AP comes back up you probably won't be able to reach it at the new IP you just set; this is because its IP traffic is now tagged with VLAN2 and we haven't configured the switch to support VLANs just yet.
Configure the switch using the web-based interface. Give the switch a static IP address (within the LAN1 interface, but not within the DHCP range). Enable the VLAN 802.1Q Advanced option. Configure ports where the APs are plugged in to accept traffic tagged with VLAN2 and VLAN4. Other ports should be set to un-tagged traffic within just one particular VLAN.
Add any IPs you don't want to have pass through the splash page to the authclients.txt file.