We are setting up a wireless network with AP 7632s. We will have one of the APs as a virtual controller. As per the IP plan, we will be using the 10.1.5.0/24 range and VLAN 5 for all user devices needing internet access. This also goes for Guest Wi-Fi users who connect to the Guest SSID. All Wi-Fi clients get IP addresses from the central DHCP server. This is all working now. But the problem is that there is no restriction for guests. They can access the internal network.
What is the best way to restrict the guest users on this SSID so they can only access the internet and nothing else on the internal network? Is there a way to set the next hop of these users to a default route to the firewall?