Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

11/30/2023 19 People found this article helpful 277,936 Views

Description

This article explains how to create a Guest VLAN in the TZ firewall, for guest users to access Internet only. Guest users will not be able to access any other Local network.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Create a zone for guest VLAN.

Navigate to Object| Match objects| Zone.
Add Zone|Name the Zone| Security type: Public.

NOTE: Do not enable any of the auto-generate rules for guest VLAN, that way we can add the specific firewall rule only for internet access. If communication is needed to any other network we need to create access rules accordingly for them.

Create a Virtual interface.

Navigate to Network| System| Interface.
Add Virtual interface|Select the Guest VLAN zone previously created.
Add a VLAN tag, provide static IP and subnet mask and enable ping.

Enable DHCP scope for newly configured VLAN Interface.

Navigate to Network| System| DHCP server.
Add Dynamic Scope|Enable Interface Pre-popolate| Select X0:V10
Go to DNS tab| Add DNS server.

Configure Guest VLAN zone to WAN zone access rule.

Navigate to Policy| Rules and policies.
Select Guest VLAN to WAN.
Add rule|Configure as shown in the image(Default config)| Save.

With the above config Devices connected to this GUEST VLAN zone will be able to access internet and communicate within Guest VLAN devices but cannot communicate with any other local devices.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Create a zone for guest VLAN.

Navigate to Manage| Interface| Zone.
Add Zone| Name the Zone| Security type: Public.

NOTE: Do not enable any of the auto-generate rules for guest VLAN, that way we can add the specific firewall rule only for internet access. If communication is needed to any other network we need to create access rules accordingly for them.

Create a Virtual interface.

Navigate to Manage| Network| Interface.
Add Virtual interface| Select the Guest VLAN zone previously created.
Add a VLAN tag, provide static IP and subnet mask and enable ping.

Enable DHCP scope for newly configured VLAN Interface.

Navigate to Manage| Network| DHCP server.
Add Dynamic Scope| Enable Interface Pre-popolate| Select X0:V10
Go to DNS tab| Add DNS server.

Configure Guest VLAN zone to WAN zone access rule.

Navigate to Rules| Access rules.
Select Guest VLAN zone to WAN zone.
Add rule| Configure as shown in the image(Default config)| Save.

With the above config Devices connected to this GUEST VLAN zone will be able to access internet and communicate within Guest VLAN devices but cannot communicate with any other local devices.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Description

Resolution

Resolution for SonicOS 7.X

Resolution for SonicOS 6.5

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch