How to configure guest WLAN

Osto Posts: 4
First Comment
edited April 2021 in Nebula
I have a network with 2 NWA1123-AC-HD and a GS1920-24HP. I have also a windows server and a Fortigate firewall and other clients. I want that the guest can only have traffic to Fortigate and cannot access the server or other devices in internal network but the Windows server is also the DHCP Server.
How can I configure the AP/Switch that the guests can get IP from server (or from who ever) but dont have any other access to the server or other clients?

Thanks for your help.


  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Hi there, I think you could enable the L2 isolation in the SSID from the Authentication page, adding both the fortigate MAC address and the window server MAC adddress. Then, you could set 2 rules in Switch ACL, one to allow port UDP 68 from the Wireless network to the Window server and the second to block everything else between the same IP adresses.

    "You will never walk along"
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @Osto
    We advise to isolate the guest network as a individual VLAN subnet. Here is the configuration example. Please add any setting if needed.

    1. Ensure the NWA1123-AC-HD and GS1920v2 are online. Since there is VLAN trunking port of GS1920v2, we do not have to configure VLAN port on the switch.
    2. Go to Access Point > SSID overview, and configure the SSID name, enable the Guest Network, and edit the VLAN ID as 10.

    3. Since I did not have Fortigate firewall, I used ZYXEL USG to show the configuration.
    There should be two interfaces. One is LAN1 for AP and Switch management IP addresses, and another one VLAN10 is for Guest Network. Setup the DHCP relay as Windows server IP address in the VLAN10.

    4. Configure firewall rules on the Fortigate.
    The first rule is used to allow bootp port as 68 for Windows server.
    The second rule is usedto deny the guest network to access internal servers.
    The third rule is used to allow the guest network to access the internet.

    If you still have any questions about the configuration, it is welcome to post your configuration here and we can have a discussion.
    Hope it helps.

Nebula Tips & Tricks