Setting up an "internet-only" WiFi AP on a physical interface/port.
We have a TZ350, without the built-in wireless option. I wanted to provide internet access via Wi-Fi for customers, but wanted to make sure that customers cannot access devices on the LAN. I figured that the best way to do this was to connect the AP to the X2 port (which I was not using for anything else). I then planned to configure the X2 port to only have access to X1 (WAN), and no devices on the X0 interface (the LAN that all other "employee only" devices are connected to). After going through the steps from several guides and videos I found online, I could not get this to work for some reason. Most of these videos suggested that a new virtual interface/VLAN be created for the wireless users. Eventually, I created a new Zone for wireless users, and unchecked the boxes to copy access rules. I assigned the zone to X2. I also assigned a static IP address to X2, along with a dynamic DHCP pool for X2. I then created a new rule that grants X2 access to the WAN interface (X1). I _did not_ create a new virtual interface/VLAN, as this appeared to be unnecessary. This seems to be working. A laptop connected to the WiFi AP can access the internet, but cannot “see” or ping anything on X0. I included pictures to clarify what I did. The wireless devices also appear to be obtaining DHCP leases from the pool that's assigned to X2.
Does anyone see any potential problems with this setup? Will this configuration provide suitable security to prevent wireless users from gaining access to the X0 LAN?
This is the first time I have tried to configure a complex router. Constructive input and advice are therefore
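
A way to check the isolation asked about above from a laptop joined to the guest AP, as an added example that is not part of the original post: a failed ping says nothing about which TCP traffic the firewall passes, so this probes TCP ports on X0 addresses and flags both completed connections and active refusals. All addresses and ports are constructed placeholders (the post gives none), and the function names are hypothetical.

```python
import socket

# Constructed placeholders: substitute real X0 hosts and the firewall's X0 address.
LAN_TARGETS = [("192.168.1.10", 445), ("192.168.1.20", 3389), ("192.168.1.1", 443)]
WAN_TARGETS = [("example.com", 443)]


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: either the packet reached the host, or a
        # firewall rejected it actively instead of dropping it silently.
        return "refused"
    except OSError:
        # Timeout, unreachable, or name-resolution failure.
        return "filtered"


def audit_isolation(lan_targets, wan_targets, probe_fn=probe):
    """Return findings as (kind, host, port, state); empty means as intended."""
    findings = []
    for host, port in lan_targets:
        state = probe_fn(host, port)
        if state == "open":
            findings.append(("LEAK", host, port, state))
        elif state == "refused":
            findings.append(("INVESTIGATE", host, port, state))
    for host, port in wan_targets:
        state = probe_fn(host, port)
        if state != "open":
            findings.append(("NO_INTERNET", host, port, state))
    return findings


if __name__ == "__main__":
    results = audit_isolation(LAN_TARGETS, WAN_TARGETS)
    for kind, host, port, state in results:
        print(f"{kind}: {host}:{port} -> {state}")
    if not results:
        print("LAN targets filtered, WAN reachable")
```

An `INVESTIGATE` result needs a look at the firewall log to tell whether the reset came from the X0 host or from the firewall itself.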