Suppose you want to create a separate wireless network for guests or so that employees may access the Internet with their personal devices. Devices on this separate network should only be able to access the Internet and not be able to access any internal resources. I have not seen this documented anywhere, so I am going to share. There are several steps, but the process is relatively painless.
Start by creating a New VLAN under Configuration > Advanced > Network Objects > VLANs. Choose a VLAN number that is not already in use. I chose 42.
Now let’s create a New DHCP server for the new guest network under Configuration > Advanced > Network Objects > DHCP Server & Relay. Make sure you add public DNS servers to the DHCP server options.
Next create a New User Profile:
Fill in the following:
- Attribute Number must be a unique number.
- Select your new VLAN in the Default VLAN field.
- Under Firewalls, add a new IP Firewall policy.
The New Firewall Policy should look something like this:
Now create a New SSID and reference the new User Profile.
The last step is a bit awkward because it must be individually performed for each access point. Unfortunately a bulk edit is not possible. Edit each AP and navigate to Optional Settings > Service Settings > DHCP Server & Relay. Add the DHCP server to each AP.
There you go! You now have a separate SSID that provides guest access (or whatever kind of access you want) to the Internet. Furthermore, this network does not leak any information about your internal private network since it uses its own IP addressing scheme, is firewalled off, and is configured to use public DNS servers.
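As an added illustration (not from the original post, and not HiveManager's own rule syntax), here is a small first-match policy evaluator that encodes the rule order the guest IP firewall policy needs and audits it against a few constructed flows; the public DNS addresses, the RFC 1918 internal ranges and the probe hosts are assumptions, and the "no firewall policy" case is shown beside it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values: VLAN 42 is the one the post uses; the rest are assumptions.
GUEST_VLAN = 42
PUBLIC_DNS = ["8.8.8.8", "1.1.1.1"]          # public resolvers handed out by the guest DHCP server
INTERNAL = [ipaddress.ip_network(n) for n in  # RFC 1918 space used by the corporate LAN
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    dst: ipaddress.IPv4Network
    port: Optional[int] = None     # None matches any destination port

# First match wins, so order matters: DNS before the RFC 1918 deny, deny before the catch-all.
GUEST_POLICY: List[Rule] = (
    [Rule("permit", ipaddress.ip_network(f"{d}/32"), 53) for d in PUBLIC_DNS]
    + [Rule("deny", n) for n in INTERNAL]
    + [Rule("permit", ipaddress.ip_network("0.0.0.0/0"))]
)

# The common mistake: an SSID whose user profile has no IP firewall policy (everything permitted).
PERMIT_ALL: List[Rule] = [Rule("permit", ipaddress.ip_network("0.0.0.0/0"))]

def evaluate(policy: List[Rule], dst_ip: str, dst_port: int) -> str:
    """Action of the first matching rule for a guest client's flow; default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if dst in rule.dst and (rule.port is None or rule.port == dst_port):
            return rule.action
    return "deny"

def audit(policy: List[Rule]) -> List[str]:
    """Return findings; an empty list means the policy gives guests Internet-only access."""
    findings = []
    for dns in PUBLIC_DNS:
        if evaluate(policy, dns, 53) != "permit":
            findings.append(f"public DNS {dns} is blocked")
    if evaluate(policy, "203.0.113.10", 443) != "permit":   # TEST-NET-3 stands in for a web site
        findings.append("Internet HTTPS is blocked")
    for host in ("10.1.2.3", "172.20.0.5", "192.168.1.10"):  # constructed internal servers
        if evaluate(policy, host, 445) != "deny":
            findings.append(f"internal host {host} is reachable from VLAN {GUEST_VLAN}")
    return findings

if __name__ == "__main__":
    print("guest policy findings:", audit(GUEST_POLICY))    # []
    print("no-firewall findings:", audit(PERMIT_ALL))       # three reachable internal hosts
```

Swap in your own DNS servers and internal ranges and run it whenever the policy changes; a non-empty finding list means guests can reach something they should not.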
If anyone has comments or if you find this information to be helpful, please let me know and/or follow me on Twitter.