This article describes how you bridge a WatchGuard Wifi into the internal network.
This is not strictly necessary, but many customers want it.

The goal is to have clients connecting to an SSID in the same network as clients connected via cable.
This requires fewer firewall rules and less server configuration.

Before beginning we should remind ourselves how a bridge works:

  • it connects networks on layer 2
  • it must have at least two members

Normally you want to have a DHCP server running on your Wifi.
If you bridge the Wifi traffic into your LAN, however, you would have two active DHCP servers in the same broadcast domain.
You do not want this.

The final setup will look something like this:

Setup

At first we start the policy manager and select Network > Configuration.
Here we create a new bridge.
It is important that you assign an IP address to the bridge that is not within any of your existing networks.

I also configure the option “DHCP relay” and provide the IP address of the DHCP server in the target network.
This way DHCP traffic is turned into unicast and sent directly to the DHCP server before it crosses the bridge,
which reduces the amount of broadcast traffic reaching the target network.


When this is done we switch to the Interfaces.
Now we change the configuration of an unused physical Interface on the Firewall to be type “Bridge” and make it a member of the bridge we created.

DO NOT YET CONNECT THE NETWORK CABLE!
THE CONFIG IS NOT YET SAVED!
If you use an interface that is already configured and connect the cable now, you can cause serious network issues!

Now we choose Network > Wireless in the Policy Manager.
Here we configure one of the (non-guest) access points, activate “Enable wireless bridge” and select the bridge interface we created.

Now we save the configuration and connect a network cable from the bridge interface to the switch.
Clients connecting to this SSID should now get an IP address from the LAN segment.
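After connecting the cable, the two things worth verifying are the ones the article warns about: that wireless clients really receive addresses from the LAN segment, and that no second DHCP server is answering in the bridged broadcast domain. The following script is an added example and not part of the original article or of any WatchGuard tooling; it audits a list of DHCP OFFER records captured on the bridged segment. The record format, the subnet 192.168.10.0/24, the server addresses and the MAC addresses are all constructed for the example, so adapt the regular expression to whatever your sniffer or log source actually emits.

```python
"""Audit DHCP OFFER records observed on a bridged segment.

Added example with a constructed record format (not a WatchGuard log format).
Each record line is assumed to look like:
    "<timestamp> OFFER server=<ip> yiaddr=<ip> mac=<mac>"
The audit reports any DHCP server other than the one you expect and any
offered address that lies outside the LAN subnet.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical record layout; adjust to your capture tool's output.
OFFER_RE = re.compile(
    r"OFFER\s+server=(?P<server>\S+)\s+yiaddr=(?P<yiaddr>\S+)\s+mac=(?P<mac>\S+)"
)


def parse_offers(lines):
    """Yield (server_ip, offered_ip, client_mac) for each OFFER line; skip the rest."""
    for line in lines:
        match = OFFER_RE.search(line)
        if match:
            yield (
                ipaddress.ip_address(match["server"]),
                ipaddress.ip_address(match["yiaddr"]),
                match["mac"].lower(),
            )


def audit_dhcp_offers(lines, lan_subnet, expected_server):
    """Return findings: rogue DHCP servers and offers outside the LAN subnet.

    'ok' is True only when every offer came from expected_server and every
    offered address lies inside lan_subnet.
    """
    subnet = ipaddress.ip_network(lan_subnet)
    expected = ipaddress.ip_address(expected_server)
    servers = Counter()
    out_of_subnet = []
    for server, yiaddr, mac in parse_offers(lines):
        servers[server] += 1
        if yiaddr not in subnet:
            out_of_subnet.append((mac, str(yiaddr), str(server)))
    rogue = sorted(str(s) for s in servers if s != expected)
    return {
        "servers_seen": {str(s): n for s, n in servers.items()},
        "rogue_servers": rogue,
        "out_of_subnet_offers": out_of_subnet,
        "ok": not rogue and not out_of_subnet,
    }


# Constructed sample captures. In the second one, a forgotten Wifi DHCP server
# (192.168.50.1) is still answering alongside the LAN server (192.168.10.5).
SAMPLE_OK = [
    "10:00:01 DISCOVER mac=aa:bb:cc:00:00:01",
    "10:00:01 OFFER server=192.168.10.5 yiaddr=192.168.10.101 mac=aa:bb:cc:00:00:01",
    "10:00:03 OFFER server=192.168.10.5 yiaddr=192.168.10.102 mac=aa:bb:cc:00:00:02",
]
SAMPLE_TWO_SERVERS = [
    "10:05:01 OFFER server=192.168.10.5 yiaddr=192.168.10.103 mac=AA:BB:CC:00:00:03",
    "10:05:01 OFFER server=192.168.50.1 yiaddr=192.168.50.20 mac=AA:BB:CC:00:00:03",
]

if __name__ == "__main__":
    for name, capture in (("clean", SAMPLE_OK), ("two servers", SAMPLE_TWO_SERVERS)):
        print(name, audit_dhcp_offers(capture, "192.168.10.0/24", "192.168.10.5"))
```

A clean bridge yields exactly one server in `servers_seen` and an empty `out_of_subnet_offers`; a second server identifier, or an address from the old Wifi range, means the Wifi DHCP server was not disabled before the bridge went live.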

Cheers,
Ori