Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Set Up Guest Access with Ticketing

When you configure a guest network, you can set up a login or ticketing system to temporarily grant access to guests. Before guests can access the network, they must enter a username and password from tickets that are assigned to them. The tickets expire after a set period of time.

Before tickets can be created, you must configure the ticketing system and set up ticket administrators. If the ticket administrator is located in a different network segment, you must also create a firewall rule to allow access to the ticketing web interface.

Follow the instructions in this article to set up a guest network with ticketing.

Before You Begin

  • Ensure that the Barracuda NextGen Firewall X-Series has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or p3.100).
  • Identify the guest network that you want to use (e.g., 192.168.223.0/24).

Step 1. Set up the Guest Network Interface

You can use Wi-Fi or a wired network for guest access. Configure a static network interface or a Wi-Fi interface. In the Static Interface Configuration, ensure that you specify the following settings:

  • Network – The guest network (e.g., 192.168.223.0/24).
  • Services to Allow – Select DNS Server.
  • Classification – Click Trusted.

Step 2. Enable the DHCP Server for Guest Network

To automatically assign IP addresses for guests, enable a DHCP server for the guest network.

  1. Go to the NETWORK > DHCP Server page.
  2. In the DHCP Server section, enable the DHCP server.
  3. In the Add DHCP Server Subnet section, configure the DHCP subnet. Ensure that you specify the following settings:
    • Beginning IP Address and Ending IP Address – The range of IP addresses to be assigned to clients. For example, if your guest network is 192.168.223.0 with a netmask of 255.255.255.0, set the Beginning IP Address to 192.168.223.10 and the Ending IP Address to 192.168.223.250. The IP address assigned to the network interface must not be part of the management network.
    • DNS Servers – The IP addresses of the DNS servers.
  4. Click Add Subnet. The guest network subnet appears in the DHCP Server Subnets section.

For more information on setting up a DHCP server, see How to Configure the DHCP Server.

Step 3. Set Up the Guest Network

If you configured the guest network on a wired interface, specify that the network uses ticketing for guest access.

  1. Go to the USERS > Guest Access page.
  2. In the Guest Networks section, select your guest network (e.g., 192.168.223.1/24) from the Network column.
  3. From the Type column, select Ticketing.
  4. For wired interfaces, click Add.
  5. Click Save. The network appears in the second Network table.

Step 4. Set Up the Ticket Administrator

The ticket administrator can log into the ticketing system to create guest tickets but cannot log into the management interface of the X-Series Firewall.

  1. Specify the ticketing system login credentials.
    1. Go to the USERS > Guest Access page.
    2. In the Ticketing Administrator section, enter the username and password for logging into the ticketing system.
    3. Click Save.
  2. Ensure that ticket administrators have the following information:

Step 5. Add a Redirect Firewall Rule

Create a Network Object for the gateway IP address of the guest access network, and then add a Redirect to Service firewall rule.

Step 5.1 Create a Network Object

  1. Go to the FIREWALL > Network Objects page. 
  2. Click Add Network Object. The Add Network Object window opens.
  3. Enter a Name (e.g., GuestNetworkGW).
  4. In the Include Entries section, enter the Network Address of the gateway IP address of the guest network. The guest network gateway IP address is the IP address that you assigned to the guest network interface in Step 1 (e.g., 192.168.223.1).
  5. Click Save.

Step 5.2 Add a Redirect to Service Firewall Rule

  1. Go to the FIREWALL > Firewall Rules page. 
  2. Click Add Access Rule.
  3. In the Add Access Rule window, configure these settings:
    • Action – Select Redirect to Service.
    • Name – Enter a name. 
    • Source – Select the network that the ticket admin's computer is located in (e.g., Trusted LAN Networks).
    • Destination – Select the Network Object for the guest network gateway IP address (e.g., GuestNetworkAccess).
  4. Click Save.
  5. Move the access rule above the BLOCKALL rule.

Step 6. (Optional) Configure the Login Page

On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.

In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image cannot be larger than 1 MB and must be in JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.

Step 7. Create a PASS Access Rule for DNS Traffic

Create an access rule to always allow DNS traffic from the guest network to the Internet.

  1. Go to the FIREWALL > Firewall Rules page.
  2. Click Add Access Rule to create a new access rule.
  3. In the Add Access Rule window, enter a name for the rule (e.g., GUEST-DNS-2-INTERNET).
  4. Specify the following settings:
    • Action – Allow
    • Connection – Default (SNAT)
    • Adjust Bandwidth – Internet
    • Source – Guest Network
    • Network Services – DNS
    • Destination – Internet

    To allow connections from the guest network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP address of outgoing packets is changed from that of the client residing in the network to the WAN IP address of the X-Series Firewall, so the connection is established between the WAN IP address and the destination IP address. The destination address of reply packets belonging to this session is rewritten with the client's IP address.

  5. At the top of the rule editor window, click Save.

Step 8. Create a PASS Access Rule for Authenticated Users

Create an access rule to allow HTTP/S traffic from guest network users to the Internet.

  1. Go to the FIREWALL > Firewall Rules page.
  2. Click Add Access Rule to create a new access rule.
  3. In the Add Access Rule window, enter a name for the rule (e.g., GUESTNET-2-INTERNET).
  4. Specify the following settings:
    • Action – Allow
    • Connection – Default (SNAT)
    • Adjust Bandwidth – Internet
    • Source – Guest Network
    • Network Services – HTTP+S
    • Destination – Internet

  5. In the rule editor window, click the ADVANCED tab.
  6. In the Valid for Users section, select All Authenticated Users and click +.
  7. At the top of the rule editor window, click Save.

Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users, and that both rules are placed above the BLOCKALL rule; otherwise, the BLOCKALL rule matches first and the traffic is blocked. For more information, see Firewall Rules Order.

After adjusting the order of the rules, click Save.
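
The effect of rule order described above can be checked with a small first-match model. This is an added example, not Barracuda code or an X-Series interface: the Rule class, evaluate() and order_problems() are hypothetical helpers, BLOCKALL is assumed to match any traffic, and the way the firewall presents the login page to unauthenticated guests is not modelled.

```python
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("192.168.223.0/24")  # guest network from the page

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    source: object = None       # ip_network, or None for any source
    services: frozenset = None  # service names, or None for any service
    auth_only: bool = False     # models "Valid for Users: All Authenticated Users"

    def matches(self, src, service, authenticated):
        if self.source is not None and ipaddress.ip_address(src) not in self.source:
            return False
        if self.services is not None and service not in self.services:
            return False
        return authenticated or not self.auth_only

DNS = Rule("GUEST-DNS-2-INTERNET", "allow", GUEST_NET, frozenset({"DNS"}))
WEB = Rule("GUESTNET-2-INTERNET", "allow", GUEST_NET,
           frozenset({"HTTP", "HTTPS"}), auth_only=True)
BLOCKALL = Rule("BLOCKALL", "block")  # assumption: matches any traffic

def evaluate(rules, src, service, authenticated=False):
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(src, service, authenticated):
            return rule.action, rule.name
    return "block", "(no match)"

def order_problems(rules):
    """List deviations from the rule order the page asks for."""
    pos = {r.name: i for i, r in enumerate(rules)}
    problems = []
    for name in (DNS.name, WEB.name):
        if pos[name] > pos[BLOCKALL.name]:
            problems.append(f"{name} is below BLOCKALL and never matches")
    if pos[DNS.name] > pos[WEB.name]:
        problems.append(f"{DNS.name} should be above {WEB.name}")
    return problems

GOOD = [DNS, WEB, BLOCKALL]  # order from the page
BAD = [BLOCKALL, WEB, DNS]   # constructed misordering

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("bad", BAD)):
        print(label, evaluate(rules, "192.168.223.42", "DNS"), order_problems(rules))
```

With the order from the page, a guest's DNS lookups pass before login, and HTTP/S passes only once the guest has authenticated with a ticket; in the misordered list every guest request ends at BLOCKALL.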

Next Step

For instructions on how to create tickets for guests, see How to Manage Guest Tickets - User's Guide.