Hello Philip,
For a start, I'd recommend some separation in the backbone:
- one (or many) VLANs for internal users (based on architecture requirements, keeping things in order, and on scale - it is good to have only up to 100-200 devices in a broadcast domain, and, literally, do employees need to see each other in a VLAN for just Internet access?),
- one VLAN (or many - a VLAN pool for broadcast domain size control) for guests, separate from the internal users' VLAN ID(s).
Are there any limitations or requirements that would prevent you from doing this?
The DHCP server should then be configured with multiple scopes (subnets), and if it is in a certain VLAN (VLAN 5, I assume), DHCP Relay/BOOTP Relay would have to be configured on the gateway router. You can also utilize a WiNG AP to work as the DHCP server for guest subnets.
Besides VLAN-based device separation, you can play with a stateful firewall that can be role-based, along with L7 restrictions (Application Policy), URL white/blacklisting and URL filtering (based on Cyren's categorization of Internet resources). The sky is the limit.
To let guest users reach just the Internet, you can do it in several ways; for instance, you can apply an ACL either to a user within a role-based firewall, based on the SSID name the guest connects to, or to the entire WLAN. This ACL would permit common ports like 80/443 and some e-mail protocols and deny internal subnets and all the other protocols. However, denying internal subnets can also be achieved on the gateway router that connects the VLANs together, while for the guest VLAN itself you are able to disable MU-to-MU communication on WiNG (or also block IP destinations in that subnet in the ACL).
Options are many; please let us know which route you would like to take so we can assist you further.
Hope that helps,
Tomasz
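As an added illustration of the ACL described in the reply above (not part of Tomasz's post, and not WiNG configuration syntax): a small Python evaluator with constructed subnets and flows, showing why the deny lines for internal and guest subnets must sit before the port permits when the ACL is evaluated first-match.

```python
import ipaddress

# Constructed sample values (assumptions, not from the post): a guest VLAN 5
# subnet and the RFC 1918 ranges standing in for "internal subnets".
GUEST_SUBNET = ipaddress.ip_network("192.168.5.0/24")
INTERNAL_SUBNETS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "Common ports like 80/443 and some e-mail protocols" from the post.
ALLOWED_PORTS = {80, 443, 25, 110, 143, 465, 587, 993, 995}
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(action, dst_nets, ports=None):
    """One ACL entry: match on destination network(s) and an optional TCP port set."""
    return {"action": action, "dst": dst_nets, "ports": ports}

def evaluate(acl, dst_ip, dst_port):
    """First matching rule wins; no match means the implicit deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for r in acl:
        in_dst = any(ip in net for net in r["dst"])
        in_port = r["ports"] is None or dst_port in r["ports"]
        if in_dst and in_port:
            return r["action"]
    return "deny"

# Ordering that matches the post: deny the guest subnet itself (the ACL form
# of disabling MU-to-MU) and the internal subnets first, then permit ports.
GUEST_ACL = [
    rule("deny", [GUEST_SUBNET]),
    rule("deny", INTERNAL_SUBNETS),
    rule("permit", [ANY], ALLOWED_PORTS),
]

# Same three rules with the permit placed first: the port permit now also
# matches internal hosts, so the deny lines never see that traffic.
MISORDERED_ACL = [GUEST_ACL[2], GUEST_ACL[0], GUEST_ACL[1]]

def check(acl):
    """Verdicts for a few constructed flows, so the two orderings can be compared."""
    flows = {
        "public_web": ("203.0.113.10", 443),   # documentation-range public address
        "internal_web": ("10.0.1.20", 443),    # internal server on an allowed port
        "internal_ssh": ("10.0.1.20", 22),
        "other_guest": ("192.168.5.77", 80),   # another client in the guest VLAN
    }
    return {name: evaluate(acl, ip, port) for name, (ip, port) in flows.items()}
```

With the correct order only the public web flow is permitted; with the permit first, the internal web server and the neighbouring guest client become reachable even though the deny rules are still present.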