Remote AP function - how to get it running...
Hi
Does anyone have experience with the new remote AP function?
I am testing it out using a WAC500 and so far I have noticed two specific behaviours:
1. the CAPWAP ports were not added to the WAN to Device group. I solved this by manually adding "CAPWAP-DATA" and "CAPWAP-Control" to the "Default_Allow_WAN_To_ZyWALL" group.
2. the access point did not connect to the firewall at the remote site. Via SSH I could see that the CAPWAP server was not set up correctly.
(The admin login is the same as for the firewall).
ssh [IP of accesspoint]
Router> show capwap ap ac-ip
AC IP: auto
To configure the address the following commands are necessary:
configure terminal
capwap ap ac-ip [WAN IP of your Firewall]
write
reboot
After that the AP was registered in the firewall.
So far I have not been able to do any performance tests; that will be my next task.
Maybe this information will help someone. Zyxel can also check whether the initial setup needs to be improved.
Thanks
Mario
0
Accepted Solution
-
Hi, I recently set up Secure Wifi on a WAC 500H point.
Did it according to the instructions https://support.zyxel.eu/hc/en-us/articles/360021358260-Secure-WiFi
The tunnel is working. Clients connected to the point via WIFI received addresses from DHCP from the Central Office.
Only one rule was added to the firewall: Source LAN Subnet, Destination LAN Subnet. Without it, only the gateway was available to clients, and access to the local resources of the central office was blocked.
0
All Replies
-
Hi Jonatan,
We've also provided a complete setting guide in our gateway's handbook; you can refer to page 653 to page 657 for the configuration process.
https://download.zyxel.com/USG_FLEX_100/handbook/USG FLEX 100_ZLD5.00_Handbook.pdf
In the handbook, you can also see other use cases of Gateway functions with the detailed configuration process.
Best Regards,
Richard
0 -
Thank you for your feedback. The article from zyxel.eu looks great, but at least the adding of the services wasn't working as described in the GUI: I had to do this manually.
0 -
Hi. There is nothing new about Secure WIFI in the manual. Question: why is traffic from clients to the central office network blocked? In the Central Office, the address pool is 192.168.0.0/24, and an employee from a remote office receives the address 192.168.0.55 from the DHCP server via Secure WIFI. Packets reach only the gateway 192.168.0.1; other addresses are not available, and the default Firewall blocking rule is triggered.
0 -
Hi @Mario
Regarding the wording on the Remote AP setting page, this should be a wording issue; the controller actually adds a new firewall policy (attached as the screenshot below), so don't worry, there's no need to add an additional firewall rule or change the service group.
We'll correct the wording in the near future.
Hi @jonatan
I use a default configuration on my security gateway, and the devices connecting to the remote AP are able to ping Ethernet devices on the LAN side.
I've sent the private message to you for further investigation; please check it, thanks!
Best Regards,
Richard
0 -
Remote AP works great, but I also had to create a Lan1 to Lan1 rule to get it running.
0 -
@Mario
Glad to hear the remote AP works well in your case!
Could you please check the private message? I'd like to check your configuration file to see your configuration,
since in our local test we think the Lan1 to Lan1 firewall rule is unnecessary for data traffic.
Best Regards,
Richard
0 -
@jonatan @Mario
The reason why you need to add another firewall rule on the gateway is:
By default, the gateway provides a default "LAN_Outgoing" policy, where traffic from LAN to any is allowed. Through this policy, we don't need further settings to let a client connecting to the Remote AP access other devices in the LAN subnet.
However, in Jonatan's case, this firewall policy is separated into other customized policies, but missed the LAN-to-LAN part. Therefore, it's required to add this new entry for allowing this traffic.
As a more detailed explanation: when the gateway receives a packet from the Remote AP, it will change the MAC address of this packet and forward it to the actual LAN device. This is the point where the firewall policy engages.
Best Regards,
Richard
1
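The policy behaviour explained in the last reply, as an added example that is not part of the original thread and is not Zyxel's code: a simplified first-match zone policy model showing why splitting "LAN_Outgoing" into narrower rules drops Remote AP client traffic to LAN hosts. The zone names (LAN1, WAN, ZyWALL), the custom rule names and the flow list are assumptions constructed for illustration.

```python
# Added illustration: simplified first-match zone policy model, not the gateway's engine.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str
    action: str     # "allow" or "deny"

def evaluate(rules, src_zone, dst_zone):
    """Return (action, rule name) of the first matching rule; fall through to deny."""
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return r.action, r.name
    return "deny", "default"

# Default set as described in the thread: LAN_Outgoing allows LAN to any.
DEFAULT_POLICY = [Rule("LAN_Outgoing", "LAN1", "any", "allow")]

# Constructed customized set (hypothetical rule names): LAN_Outgoing was split
# into narrower rules and the LAN-to-LAN case was left out.
CUSTOM_POLICY = [
    Rule("LAN_to_WAN", "LAN1", "WAN", "allow"),
    Rule("LAN_to_Device", "LAN1", "ZyWALL", "allow"),
]

# Constructed flows of a Remote AP client. Per the explanation above, the gateway
# forwards the de-tunnelled packet to the LAN device, so the policy sees LAN traffic.
REMOTE_AP_FLOWS = {
    "client -> gateway 192.168.0.1": ("LAN1", "ZyWALL"),
    "client -> LAN host": ("LAN1", "LAN1"),
    "client -> internet": ("LAN1", "WAN"),
}

def blocked_flows(rules):
    """Names of Remote AP client flows that hit the default deny."""
    return sorted(name for name, (src, dst) in REMOTE_AP_FLOWS.items()
                  if evaluate(rules, src, dst)[0] == "deny")

def missing_rules(rules):
    """Narrowest allow rule per blocked flow, instead of re-opening LAN to any."""
    pairs = sorted({REMOTE_AP_FLOWS[name] for name in blocked_flows(rules)})
    return [Rule(f"{src}_to_{dst}", src, dst, "allow") for src, dst in pairs]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
        print(label, "blocked:", blocked_flows(rules), "add:", missing_rules(rules))
```
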