Creating a Guest VLAN on a SonicWall TZ Series Firewall

This article outlines how to create a separate guest VLAN on your TZ series SonicWall that has access only to the Internet and not to any other LAN subnets.

 

  1. First, we need to create a new zone for this guest VLAN. Navigate to Network –> Zones and click ADD.
    [Screenshot: SonicWall Add Zone]

     

  2. Give your new zone a friendly name and set the security type to Public. I also don’t like to enable any of the auto-generated rules for guest VLANs; that way I can add the specific firewall rules myself as needed.
    [Screenshot: SonicWall Guest VLAN Interface]

  3. Next, navigate to Network –> Interfaces and add a new Virtual Interface.
    [Screenshot: SonicWall Add Virtual Interface]

  4. Choose the guest VLAN zone previously created, specify a unique VLAN tag number and provide the subnet address details for your new VLAN. I like to enable ping on this interface, at least for my testing period, and then I’ll turn it off once I know everything is working.
    [Screenshot: SonicWall Guest VLAN Settings]

  5. Now we need to create the DHCP scope for this new VLAN so that devices can get the proper IP address from DHCP. Navigate to Network –> DHCP Server and click ADD DYNAMIC to create a new scope.
    [Screenshot: SonicWall Add DHCP Scope]

  6. Create a DHCP range as you see fit. Make sure you specify a DNS address under the DNS tab as well.
    [Screenshot: SonicWall DHCP Scope Settings]

  7. Lastly, we need to create a firewall rule that grants traffic from this VLAN access to the Internet only (WAN interface), and not to any other LAN interface. This is why we did not have the system auto-generate the firewall rules in step 2: so we can explicitly specify the access.

    Navigate to Firewall –> Access Rules and sort from your guest VLAN to WAN. Then click ADD.
    [Screenshot: SonicWall Guest VLAN Firewall Rule]

  8. For Internet access only, I create my rule with these settings on the first tab. For the rest of the settings I stick with the defaults.
    [Screenshot: SonicWall Guest VLAN Firewall Rule Details]

  9. As you can see from my ping test, a device in my main VLAN (192.168.10.0/24) cannot access the guest VLAN (192.168.20.0/24) and vice versa.
    [Screenshot: Ping Test]
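
A pre-flight check for the plan built in the steps above, added here as an example and not part of the original article; it audits a hand-written description of the plan and does not read a SonicWall configuration. The dictionary layout, zone names, VLAN tag, interface address, DHCP range and DNS server are constructed for illustration (only the two /24 subnets come from the article), and it assumes the DHCP gateway should be the VLAN interface address.

```python
import ipaddress as ip

# Constructed plan mirroring the steps above; only the two /24 subnets come from the article.
PLAN = {
    "lan_subnets": ["192.168.10.0/24"],
    "guest": {
        "zone": "GUEST", "vlan_tag": 20,            # hypothetical zone name and tag
        "interface": "192.168.20.1/24",             # assumed VLAN interface address
        "dhcp": {"start": "192.168.20.100", "end": "192.168.20.200",
                 "gateway": "192.168.20.1", "dns": ["1.1.1.1"]},
    },
    "rules": [("GUEST", "WAN", "allow")],           # (from_zone, to_zone, action)
}

def audit(plan):
    """Return a list of findings; an empty list means the plan matches the guide."""
    findings = []
    g = plan["guest"]
    iface = ip.ip_interface(g["interface"])
    net = iface.network
    if not 1 <= g["vlan_tag"] <= 4094:
        findings.append("VLAN tag outside 1-4094")
    for lan in plan["lan_subnets"]:
        if net.overlaps(ip.ip_network(lan)):
            findings.append(f"guest subnet overlaps {lan}")
    d = g["dhcp"]
    start, end = ip.ip_address(d["start"]), ip.ip_address(d["end"])
    if start > end or start not in net or end not in net:
        findings.append("DHCP range not inside guest subnet")
    elif start <= iface.ip <= end:
        findings.append("DHCP range includes the interface address")
    if ip.ip_address(d["gateway"]) != iface.ip:     # assumption: the firewall is the gateway
        findings.append("DHCP gateway is not the VLAN interface address")
    if not d["dns"]:
        findings.append("no DNS server in DHCP scope")
    # Isolation: the only allow rule touching the guest zone should be guest -> WAN.
    allows = {(s, t) for s, t, a in plan["rules"] if a == "allow"}
    if (g["zone"], "WAN") not in allows:
        findings.append("no allow rule from guest zone to WAN")
    for s, t in sorted(allows):
        if g["zone"] in (s, t) and (s, t) != (g["zone"], "WAN"):
            findings.append(f"unexpected allow rule {s} -> {t}")
    return findings

if __name__ == "__main__":
    print(audit(PLAN) or "plan matches the guide")
```

A missing DNS entry or a missing guest-to-WAN allow rule shows up here as a finding, which are the two settings to check first when guest clients get an address but cannot browse.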


2 Responses

  1. Unfortunately the screenshots are lost for the firewall rule set. I try to set up the same configuration but I can’t get internet connectivity on my public VLAN and hoped to find the reason with your setup.

    1. I fixed the pictures, they are now showing correctly. Is your firewall rule setup the same as my example?
