This article will outline how to create a separate Guest VLAN with only access to the Internet, not any other LAN subnets, on your TZ series SonicWall.

1. First, we need to create a new ZONE for this guest VLAN. Navigate to Network –> Zones and click ADD.
   

    

2. Give your new zone a friendly name and set the security type as Public. I also don’t like to enable any of the auto-generate rules for guest VLANs, that way I can add the specific firewall rules as needed myself.
   

3. Next, Navigate to Network –> Interfaces and Add a new Virtual Interface
   

4. Choose the Guest VLAN ZONE previously created, specify a unique VLAN tag number and provide the subnet address details for your new VLAN. I like to enable PING on this interface, at least for my testing period, and then I’ll turn it off once I know everything is working.
   

5. Now we need to create the DHCP scope for this new VLAN so that devices can get the propper IP address from DHCP. Navigate to Network –> DHCP Server and click ADD DYNAMIC to create a new scope.
   

6. Create a DHCP range as you see fit. Make sure you specify a DNS address under the DNS tab as well.
   

7. Lastly, we need to create a firewall rule that only grants traffic from this VLAN to the internet only (WAN interface), and not to any other LAN interface. This is why we did not have the system auto generate the firewall rules in step 2. So we can explicitly specify the access.

   Navigate to Firewall –> Access Rules and sort from Your Guest VLAN to WAN. Then click ADD.
   
   

8. For Internet Access Only, I create my rule with these settings on the first tab. The rest of the settings I stick with the default.
   

9. As you can see for my PING test, my device in my main VLAN (192.168.10.0/24) cannot access the guest VLAN (192.168.20.0/24) and Visa Versa.