The best practice to separate guest network from internal LAN

Forum|Forum|8 years ago
February 13, 2018
2 replies
19221 views

What is the best way to separate a guest network from internal LAN to feed a guest WiFi AP?

I'm currently using a FG 90E box and dedicating a physical port (not part of a switch group) and put it in a zone with the option "Block intra-zone traffic" checked with a policy to allow traffic from this port to WAN

Or should I use a Vlan?

Thanks

VLAN

dmcquade

New Member

Assuming your internal LAN is wireless and you are sharing the same physical interface, create VLANs on the interface. Have the VLAN IP address be the routing address for each subnet. Have the wireless AP / Controller tag the traffic for each SSID matching the VLAN numbering on your Fortigate. This will give you the flexibility to create different access policies and security profiles. As long as you don't create a rule that allows one VLAN to access the other, you have separation.

HTH

d

CodeTronAuthor

Explorer II

Since my guest network is attached to a physical port that is not part of the internal LAN and have it in a zone that doesn't allow internal traffic and has a policy to allow traffic to WAN only. is this sufficient or I should be using a Vlan on one of the ports instead?

ede_pfau

SuperUser

So what do you need a zone for then? WiFi guest traffic already is seperated from (wired) LAN, that's it. I call that a DMZ...

The zone construct combines several ports (physical, WiFi, VLAN, VPN) into one logical interface, either to reduce the number of policies, to provide failover or to enable intra-zone traffic without policies ("security switch"). I can't really recognize any of this in your requirements.

If you plan to radio an internal SSID over the same AP then apply the 2-VLAN-recipe from @dmcquade. That's the best it can get.

CodeTronAuthor

Explorer II

Thanks

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded