Support Forum
CodeTron
New Contributor III

The best practice to separate guest network from internal LAN

What is the best way to separate a guest network from internal LAN to feed a guest WiFi AP?

I'm currently using an FG 90E box, dedicating a physical port (not part of a switch group) and putting it in a zone with the option "Block intra-zone traffic" checked, with a policy to allow traffic from this port to WAN.

Or should I use a VLAN?

Thanks

dmcquade
New Contributor III

Assuming your internal LAN is wireless and you are sharing the same physical interface, create VLANs on the interface. Have the VLAN IP address be the routing address for each subnet. Have the wireless AP / Controller tag the traffic for each SSID matching the VLAN numbering on your Fortigate. This will give you the flexibility to create different access policies and security profiles. As long as you don't create a rule that allows one VLAN to access the other, you have separation.

HTH

d

CodeTron
New Contributor III

Since my guest network is attached to a physical port that is not part of the internal LAN, and I have it in a zone that doesn't allow internal traffic and has a policy to allow traffic to WAN only, is this sufficient, or should I be using a VLAN on one of the ports instead?

ede_pfau
Esteemed Contributor III

So what do you need a zone for then? WiFi guest traffic already is separated from (wired) LAN, that's it. I call that a DMZ...

The zone construct combines several ports (physical, WiFi, VLAN, VPN) into one logical interface, either to reduce the number of policies, to provide failover or to enable intra-zone traffic without policies ("security switch"). I can't really recognize any of this in your requirements.

If you plan to radio an internal SSID over the same AP then apply the 2-VLAN-recipe from @dmcquade. That's the best it can get.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
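The two-VLAN recipe from dmcquade's reply, which ede_pfau's reply points back to, written out as FortiOS CLI. This is an added example, not configuration posted by either of them; the port name "internal1", the VLAN IDs, the subnets and "wan1" are assumed values, and the per-SSID tagging itself is configured on the AP/controller, not shown here.

```fortios
# Added example: two tagged VLANs on one FortiGate port; guest is isolated
# from the internal LAN. Port name, VLAN IDs, subnets and "wan1" are assumed.
config system interface
    edit "vlan10-internal"
        set vdom "root"
        # assumed physical port carrying both tagged VLANs
        set interface "internal1"
        # AP/controller tags the internal SSID with VLAN 10
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "vlan20-guest"
        set vdom "root"
        set interface "internal1"
        # AP/controller tags the guest SSID with VLAN 20
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        # ping only: guests get no management access to the FortiGate itself
        set allowaccess ping
    next
end
# The guest VLAN gets exactly one policy, to the WAN. There is deliberately no
# policy with srcintf vlan20-guest and dstintf vlan10-internal (or the reverse),
# so the implicit deny drops that traffic; the missing policy is the separation.
config firewall policy
    edit 0
        set name "guest-to-wan"
        set srcintf "vlan20-guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "internal-to-wan"
        set srcintf "vlan10-internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```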
CodeTron
New Contributor III

Thanks
