I have a client with a 7005 controller and a handful of APs. He wants a Guest network that is internet only, without a cert-based captive portal, with internal controller-based DHCP. The client has no public addresses. Everything on his network is a private address space. He has no access to the switches and router (no credentials, and no support contract).
I can set up a DHCP scope for Guest, create a new VLAN on the controller, src-nat it, and build an open WLAN for Guest users. Guest users connect, and get an appropriate IP from the new pool. The issue is the Guest users have access to the controller and the rest of the internal network.
I'm struggling with how to create a new User Role/Firewall Policy that prohibits access to the internal network, which is in the same address space as the controller.
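One way to express the "internet only" requirement as an ArubaOS session ACL and user role, added here as an illustration rather than something from the original poster. It assumes the whole internal network lives in RFC 1918 space (so the three private ranges cover the controller and everything behind it), that guests get DHCP and DNS from the controller itself, and that an AAA profile named `guest-open-aaa` is attached to the open guest WLAN; the names `internal-nets`, `guest-internet-only` and `guest-open-aaa` are made up for the example. `svc-dhcp`, `svc-dns` and the `controller` alias are predefined on the controller.

```text
! Constructed example: describe everything "internal" as the RFC 1918 ranges,
! which also covers the controller's own address on the trusted side.
netdestination internal-nets
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! Session ACLs match top-down, first hit wins, so the bootstrap services a
! guest needs from the controller are permitted before the blanket deny.
ip access-list session guest-internet-only
  user any svc-dhcp permit
  user alias controller svc-dns permit
  user alias internal-nets any deny log
  user any any permit
!
! The role carries nothing but this ACL; src-nat on the guest VLAN handles egress.
user-role guest-internet-only
  access-list session guest-internet-only
!
! Assumed AAA profile on the open guest WLAN: every client lands in the role above.
aaa profile guest-open-aaa
  initial-role guest-internet-only
```

The `log` keyword on the deny line is what makes the policy checkable: `show log security` (or the datapath session table for a test client) will show guest hits against `internal-nets` being dropped, which is the quickest way to confirm the role is actually applied and that no internal range was left out of the alias. If internal DNS is served from somewhere other than the controller, that host needs its own permit line ahead of the deny.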