What is the best way to separate a guest network from internal LAN to feed a guest WiFi AP?
I'm currently using a FG 90E box, dedicating a physical port (not part of a switch group) and putting it in a zone with the option "Block intra-zone traffic" checked, with a policy to allow traffic from this port to WAN.
Or should I use a VLAN?
Thanks
Assuming your internal LAN is wireless and you are sharing the same physical interface, create VLANs on the interface. Have the VLAN IP address be the routing address for each subnet. Have the wireless AP / controller tag the traffic for each SSID matching the VLAN numbering on your FortiGate. This will give you the flexibility to create different access policies and security profiles. As long as you don't create a rule that allows one VLAN to access the other, you have separation.
HTH
d
Since my guest network is attached to a physical port that is not part of the internal LAN, and I have it in a zone that doesn't allow internal traffic and has a policy to allow traffic to WAN only, is this sufficient, or should I be using a VLAN on one of the ports instead?
So what do you need a zone for then? WiFi guest traffic already is separated from (wired) LAN, that's it. I call that a DMZ...
The zone construct combines several ports (physical, WiFi, VLAN, VPN) into one logical interface, either to reduce the number of policies, to provide failover or to enable intra-zone traffic without policies ("security switch"). I can't really recognize any of this in your requirements.
If you plan to radio an internal SSID over the same AP then apply the 2-VLAN-recipe from @dmcquade. That's the best it can get.
Thanks
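A check for the condition the VLAN answer above relies on (no rule allowing one VLAN to reach the other), as an added example that is not part of any post in this thread: it parses a `config firewall policy` export and lists enabled accept policies that connect the guest and internal interfaces. The interface names and the sample config are constructed, and it assumes policies name interfaces directly rather than zones.

```python
import shlex
# Constructed sample in "config firewall policy" layout; interface names are hypothetical.
SAMPLE = '''
config firewall policy
    edit 1
        set srcintf "guest_vlan"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set srcintf "guest_vlan"
        set dstintf "lan_vlan" "wan1"
        set action accept
    next
    edit 3
        set srcintf "lan_vlan"
        set dstintf "guest_vlan"
        set action accept
        set status disable
    next
end
'''

def parse_policies(text):
    """Return one dict per 'edit' block, e.g. {'id': '1', 'srcintf': [...]}."""
    policies, cur = [], None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"]:
            cur = {"id": tok[1]}
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]
        elif tok[:1] == ["next"] and cur is not None:
            policies.append(cur)
            cur = None
    return policies

def crossing_policies(policies, guest, internal):
    """IDs of enabled accept policies that can pass traffic between the two."""
    covers = lambda ifaces, name: name in ifaces or "any" in ifaces
    hits = []
    for p in policies:
        # A policy with no "set action" line is treated as deny.
        if p.get("action") != ["accept"] or p.get("status") == ["disable"]:
            continue
        src, dst = p.get("srcintf", []), p.get("dstintf", [])
        if (covers(src, guest) and covers(dst, internal)) or (covers(src, internal) and covers(dst, guest)):
            hits.append(p["id"])
    return hits
```

On the sample, only policy 2 is reported: it lists the internal VLAN as a second destination alongside WAN, which is easy to miss when reading the policy table.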