[NEBULA] Possible to create guest WiFi with only internet access?

Snohetta Posts: 2  Freshman Member
edited April 2021 in Nebula

For a customer I have set up an NSW100-28P (Nebula) switch and a NAP102 (Nebula) access point.
There is also a Fortinet firewall between the Internet and the NSW.

Now I wonder: can I create in Nebula Control Center an additional WiFi network for guest users that can ONLY access the Internet from this WiFi? I guess this has to be VLANs, but can I create that only for the switch and AP?

Port 1 on the NSW is connected to the Fortinet firewall, Port 2 on the NSW is connected to the AP, and the remaining ports on the NSW are connected to computers, printers and so on.



  • Zyxel_Barney
    Zyxel_Barney Posts: 79  Zyxel Employee
    Hello Snohetta,

    Welcome to the Nebula Forum!

    There are quite a lot of ways we can implement a Guest network.

    Here are two guides that are currently available:
      For a more in-depth guide about guest networks using VLAN, click here.
      For a simpler guide about guest networks using L2 Isolation, click here.

    Both methods ensure that your wireless clients accessing your Guest SSID can only access the Internet.

    If you have further questions or need assistance, feel free to let me know!

    Barney Gregorio

  • Iwannaquitthegym
    Iwannaquitthegym Posts: 23  Freshman Member
    Thanks for that @Nebula_Barney !
    I think using the L2 isolation is really useful and pretty easy to set up. It also solved my old needs for a built-in DHCP in the access point to separate the guest VLAN from my intranet.  

    The in-depth guide looks good, especially when a wired guest VLAN is also needed. BTW, the IP filtering on the NSW can also do the job to prevent the communication across VLANs, right? I have used that instead and it works quite well for me.

    I also saw in another post something about a Guest zone for LAN/VLAN, and what I understood is that we won't need to set up firewall rules anymore to block the communication. Looking forward to that :)
  • Zyxel_Barney
    Zyxel_Barney Posts: 79  Zyxel Employee
    Hi @Iwannaquitthegym

    Glad you like the in-depth guide! 

    Using the NSW's IP Filtering feature instead of configuring the NSG's firewall policies is also a great solution. But this still relies on a VLAN-based solution as you need to classify guest subnet from your private subnet.

    An additional advantage to using IP filtering on the NSW would be to cut overhead out of your firewall.

    And just as you mentioned, there are plans to add a Guest network feature on the NSG. This allows you to easily create a network that has a pre-defined policy to only allow access to the Internet.

    Barney Gregorio
  • Iwannaquitthegym
    Iwannaquitthegym Posts: 23  Freshman Member
    Right, the L2 isolation works pretty well for simple guest WiFi deployments without having VLAN segmentation.

    Looking forward to the guest network on NSG.

  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Is the L2 as secure as VLAN isolation?
  • Basdg
    Basdg Posts: 1  Freshman Member
    edited March 2018
    You have to isolate your guests from your corporate network with VLANs.

    But did you also wonder how to isolate and secure your guests from each other? Apart from the network layer (e.g. guest isolation options in the AP), you can also secure the wireless transport layer. This can be done with RADIUS or a unique WPA2 key per user on the same SSID (Private Pre-Shared Key or PPSK).

    The only thing you need to solve is the distribution of these unique credentials per guest. Maybe we have to look for a PPSK kiosk so guests can do self-service.
  • Carlos4311
    Carlos4311 Posts: 11  Freshman Member
    In my opinion I think it should be almost as safe; VLAN is also a layer 2 protocol and it too blocks traffic.
    I'm using L2 isolation right now and don't feel any difference from setting a VLAN and rules in the router.
  • Zyxel_Barney
    Zyxel_Barney Posts: 79  Zyxel Employee
    Hi @FrankIversen ,

    It would be difficult to judge which solution would be more "secure". This is because the WLAN can already rely on SSID authentication as a preliminary security solution.

    There is also a slight issue where L2 Isolation does not completely filter broadcast traffic from the private LAN and guest WiFi. But this should not have much impact in a small network deployment.

    Another important factor to consider is that since the L2 Isolation method requires both SSIDs to use the same VLAN, it would be difficult (but not impossible) to apply different firewall policies between your private and guest clients.

    @Basdg ,
    I think you are referring to the NAP's Intra-BSS traffic blocking feature!
    You can find this under AP > Configure > Authentication > <SSID name>.

    Barney Gregorio
