
Create a Guest Wi-Fi Network

Guest Wi-Fi is a common pattern: a separate SSID on its own VLAN, with a firewall policy that lets guests reach the internet but nothing on the internal LAN, optionally behind a captive portal. Time-limited or voucher-based access is also common.

Goal Topology

[Guest device] -> Guest SSID -> Guest VLAN (10.10.10.0/24)
                                    |
                                    v (firewall policy: allow internet, deny LAN)
                                  [WAN]

Guests can reach the internet but NOT the corporate LAN.

Steps

1. Create the Guest VLAN

See Add a VLAN Sub-Interface.

  • VLAN ID: e.g. 10.
  • Subnet: e.g. 10.10.10.0/24.
  • DHCP: enabled on the FortiGate for that VLAN.

2. Create the Guest SSID

See Create an SSID.

  • VLAN ID: 10.
  • Traffic Mode: Bridge (local bridge) is typical. In bridge mode the FortiAP tags guest frames with VLAN 10 on its Ethernet uplink, so the guest VLAN sub-interface from step 1 is the source interface for guest traffic on the FortiGate. If you use Tunnel mode instead, the SSID becomes its own interface on the FortiGate and takes the place of the VLAN sub-interface in the policies below.
  • Block Intra-SSID Traffic: Enable (clients can't see each other).
  • Security Mode: WPA2 Personal with a PSK, or Captive Portal. A captive portal on an open SSID does not encrypt the wireless traffic, it only gates access; combine it with WPA2 Personal if guests should be protected from each other's sniffing.

3. Create the firewall policies

Allow Guest → WAN (with NAT):

  1. Policy & Objects → Firewall Policy → + Create New.
  2. Source interface: guest-vlan.
  3. Destination interface: wan1.
  4. Source/Destination: all.
  5. Service: ALL.
  6. NAT: Enabled.
  7. Security profiles: at minimum DNS Filter and Web Filter (block the malware and phishing categories).
  8. OK.

Block Guest → LAN (explicit deny):

  1. + Create New.
  2. Source interface: guest-vlan.
  3. Destination interface: internal (your LAN). If the LAN spans several interfaces, add each of them, or put them in a zone and use the zone here.
  4. Source: all.
  5. Destination: all (or your internal subnets).
  6. Action: Deny.
  7. Logging: Log Violation Traffic (so you see attempts).
  8. Place ABOVE any broader allow rules.
  9. OK.

FortiGate already drops traffic that matches no policy (implicit deny), so this rule exists to log probing and to stay in front of any broad allow rule (for example a later policy with destination interface "any") that would otherwise open the LAN to guests. For the same reason, keep the guest-to-WAN policy's destination interface set to wan1, not any.

4. (Optional) Create guest users with time-limited access

For voucher-style portal:

  1. User & Authentication → Guest Management (or User & Authentication → User Definition → create a user with an expiration date).
  2. Set:
    • User Type: Guest.
    • Expiration: 1 day, 1 week, etc.
    • Username Format: auto-generated voucher codes.
  3. Print the vouchers and hand them out.

5. (Optional) Bandwidth-limit the Guest VLAN

Use a Traffic Shaping Policy (Policy & Objects → Traffic Shaping) that matches source interface guest-vlan and destination wan1, and attach a per-IP shaper so the limit applies to each guest address rather than to the guest VLAN as a whole. Example caps:

  • Per-IP downlink: 5 Mbps.
  • Per-IP uplink: 2 Mbps.

So one guest can't saturate the WAN. A shared shaper caps the whole guest VLAN instead; add one as well if you also want an overall ceiling.
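The per-IP cap as FortiOS CLI, as an added example that is not from the original page. The shaper and policy names are assumptions. A per-IP shaper takes one maximum, applied to each guest address; the separate uplink and downlink figures above would need shared forward and reverse shapers instead, which are not shown here.

```fortios
# Added example (not from the original page): per-IP bandwidth cap on guest traffic.
# Assumed names: "guest-per-ip", "guest-shaping", "guest-vlan", "wan1".
# max-bandwidth is in kbps by default: 5000 = 5 Mbps per guest address.
config firewall shaper per-ip-shaper
    edit "guest-per-ip"
        set max-bandwidth 5000
        set max-concurrent-session 200
    next
end

# Shaping policy selecting guest -> WAN traffic and applying the per-IP shaper
config firewall shaping-policy
    edit 0
        set name "guest-shaping"
        set srcintf "guest-vlan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "guest-per-ip"
    next
end
```

The concurrent-session limit is optional; it stops a single misbehaving guest device from exhausting the session table alongside the bandwidth cap.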

[Screenshot placeholder: Topology view (Security Fabric → Topology) showing the Guest VLAN separated from the corporate LAN.]

Verify

Connect a phone or laptop to the Guest SSID and check:

  • It gets an IP from the Guest VLAN scope (10.10.10.x).
  • It reaches the internet (for example https://ifconfig.me, which should show the FortiGate's WAN address, confirming NAT).
  • It does NOT reach the internal LAN (ping a known internal IP; it should fail, and the attempt should appear in the forward traffic log under the deny policy).

Common Issues

  • Guest can reach LAN. The block policy is missing, or sits below a broader allow (for example one with destination interface "any"). Reorder so the deny is on top, and check that the allow policy's destination interface is wan1.
  • Slow guest Wi-Fi. Bandwidth shaping too aggressive, or the AP is overloaded carrying both Guest and Corp SSIDs on the same radio. Consider a dedicated AP for guests under heavy use.
  • Voucher system needs manual reset. Guests are reusing voucher codes. Generate single-use codes with an expiry via User Definition or Guest Management.