NS-5gt, Trust-Untrust Mode
Internal net: 192.168.1.0/24, VLAN 10 192.168.2.0/24
I have a dual SSID VLAN Aware Access point
I have configured the guest SSID on VLAN 10. The office SSID is untagged.
I configured a sub-interface (trust.1) for VLAN 10 on my 5gt.
The guest clients get the proper address from DHCP (192.168.2.X)
With the sub-interface in the Trust zone, the guest clients are able to access the 192.168.1.0 network as well as the internet.
I want guests to access within 192.168.2.0 and the internet only.
I created a layer-3 zone called L3-Client_WiFi and I put the trust.1 sub-interface in that zone.
I created policies:
set policy id 4 from "Untrust" to "Trust" "10.2.59.0/24" "Any" "ANY" permit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(untrust)" "Fire Alarm System" permit
set policy id 5 from "L3-Client_WiFi" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 6 from "Trust" to "L3-Client_WiFi" "Any" "Any" "ANY" permit
set policy id 7 from "L3-Client_WiFi" to "Trust" "Any" "Any" "ANY" deny
Policy 4 is for a VPN connection, policy 2 is for an alarm system connection.
With these policies in place, the clients cannot access the internet. If I move the sub-interface back into the trust zone, they can access the internet as well as the office network.
Is anyone able to look at my configuration (attached) and suggest a change that will get the setup functioning properly? Do I need to put my office SSID into a separate VLAN as well? Is the fact that the office LAN is untagged causing problems?
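The following is an added example, not part of the original post and not Juniper code. It models the zone-based, first-match policy lookup that ScreenOS applies to the policy set quoted above, so that the intended guest isolation (guest to internet permitted with source NAT, guest to office LAN denied, office to guest permitted) can be checked flow by flow before touching the box. Assumptions not in the post: the 192.168.1.0/24 and 192.168.2.0/24 subnets are the only connected routes and everything else follows a default route out of the Untrust zone; intra-zone blocking is left at its default (off); the VPN peers in 10.2.59.0/24 arrive in the Untrust zone; the address the VIP forwards to is unknown, so the VIP is kept as a literal marker; the sample flows and the guest and resolver addresses are constructed for illustration.

```python
"""Simulated ScreenOS zone policy lookup over the posted policy set.

Added example, not from the original post or from Juniper. It reproduces
only what the post shows (interface-to-zone bindings, the six policies,
first-match evaluation within a zone pair, default deny between zones).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface-to-zone bindings from the post. Anything off-subnet is assumed
# to follow a default route out of the untrust interface (assumption).
ZONE_OF_SUBNET = {
    ipaddress.ip_network("192.168.1.0/24"): "Trust",           # untagged office LAN
    ipaddress.ip_network("192.168.2.0/24"): "L3-Client_WiFi",  # VLAN 10 on trust.1
}
DEFAULT_ZONE = "Untrust"
VIP = "VIP(untrust)"  # literal marker; the real VIP address is not in the post


@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str       # "Any" or a CIDR
    dst: str       # "Any", a CIDR, or the VIP marker
    service: str   # "ANY" or a named service
    action: str    # "permit" or "deny"
    nat_src: bool = False


# The policies exactly as posted, in the posted order.
POLICIES = [
    Policy(4, "Untrust", "Trust", "10.2.59.0/24", "Any", "ANY", "permit"),
    Policy(1, "Trust", "Untrust", "Any", "Any", "ANY", "permit"),
    Policy(2, "Untrust", "Trust", "Any", VIP, "Fire Alarm System", "permit"),
    Policy(5, "L3-Client_WiFi", "Untrust", "Any", "Any", "ANY", "permit", nat_src=True),
    Policy(6, "Trust", "L3-Client_WiFi", "Any", "Any", "ANY", "permit"),
    Policy(7, "L3-Client_WiFi", "Trust", "Any", "Any", "ANY", "deny"),
]


def zone_for(addr: str) -> str:
    """Map an address to its zone via the (assumed) route table."""
    if addr == VIP:
        return "Trust"  # the VIP forwards to a host behind the firewall (assumption)
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONE_OF_SUBNET.items():
        if ip in net:
            return zone
    return DEFAULT_ZONE


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "Any":
        return True
    if spec == VIP or addr == VIP:
        return spec == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _svc_match(spec: str, service: str) -> bool:
    return spec == "ANY" or spec == service


def lookup(src: str, dst: str, service: str = "ANY") -> Tuple[str, Optional[int], bool]:
    """Return (action, matching policy id, source NAT applied) for one flow."""
    sz, dz = zone_for(src), zone_for(dst)
    if sz == dz:
        # Intra-zone traffic passes without a policy unless the zone has
        # intra-zone blocking enabled; assumed off (the default).
        return ("permit", None, False)
    for p in POLICIES:  # first match within the zone pair wins
        if (p.src_zone, p.dst_zone) == (sz, dz) and _addr_match(p.src, src) \
                and _addr_match(p.dst, dst) and _svc_match(p.service, service):
            return (p.action, p.pid, p.nat_src)
    return ("deny", None, False)  # inter-zone default: deny


def guest_dns_reachable(resolver_ip: str) -> bool:
    """Check whether a guest client can reach the resolver its DHCP lease names.

    A resolver on the office LAN would fall under policy 7 (deny); a resolver
    reached via the Untrust zone falls under policy 5. Constructed guest address.
    """
    return lookup("192.168.2.50", resolver_ip, "DNS")[0] == "permit"


def isolation_report() -> dict:
    """Evaluate the flows the post cares about (constructed sample addresses)."""
    return {
        "guest -> internet": lookup("192.168.2.50", "8.8.8.8"),
        "guest -> office LAN": lookup("192.168.2.50", "192.168.1.10"),
        "guest -> guest": lookup("192.168.2.50", "192.168.2.60"),
        "office -> guest": lookup("192.168.1.10", "192.168.2.50"),
        "office -> internet": lookup("192.168.1.10", "8.8.8.8"),
        "VPN peer -> office LAN": lookup("10.2.59.5", "192.168.1.10"),
        "internet -> office LAN": lookup("203.0.113.5", "192.168.1.10"),
        "internet -> alarm VIP": lookup("203.0.113.5", VIP, "Fire Alarm System"),
    }


if __name__ == "__main__":
    for flow, (action, pid, nat) in isolation_report().items():
        print(f"{flow:26} {action:6} policy={pid} nat_src={nat}")
```

The simulation only covers the policy table; it says nothing about routing, DHCP or the VLAN tagging asked about in the post. What it does make visible is that policy 7 denies every guest flow into the Trust zone, including DNS, so `guest_dns_reachable` is a quick way to confirm that whatever resolver the guest DHCP scope hands out is not one the firewall will block.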