Remote AP function - howto get it running...

Mario
Mario Posts: 106  Ally Member
Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fifth Anniversary
edited May 21 in Wireless
Hi

Does anyone have experience with the new remote AP function?
I am testing it out using a WAC500 and so far I have noticed two specific behaviours:
1. the CAPWAP ports were not added to the WAN to Device group. I solved this by manually adding "CAPWAP-DATA" and "CAPWAP-Control" to the "Default_Allow_WAN_To_ZyWALL" group.

2. the access point did not connect to the firewall at the remote site. Via SSH I could see that the CAPWAP server was not set up correctly.
(The admin login is the same as for the firewall).
ssh [IP of accesspoint]
Router> show capwap ap ac-ip
AC IP: auto
To configure the address the following commands are necessary:
configure terminal
capwap ap ac-ip [WAN IP of your Firewall]
write
reboot

After that the AP was registered in the firewall.
So far I have not been able to do any performance tests, that will be my next task.

Maybe this information will help someone. Zyxel can also check whether the initial setup needs to be improved.

Thanks
Mario


Accepted Solution

  • jonatan
    jonatan Posts: 188  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    Answer ✓
    Hi, I recently set up Secure Wifi on a WAC 500H point.

    Did it according to the instructions https://support.zyxel.eu/hc/en-us/articles/360021358260-Secure-WiFi

    The tunnel is working. Clients connected to the point via WIFI received addresses from DHCP from the Central Office.

    The only rule was added to the Firewall Source -LAN Subnet Destination Lan Subnet, without it, only the gateway was available to clients, and access to the local resources of the central office was blocked.

All Replies

  • jonatan
    jonatan Posts: 188  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    Answer ✓
    Hi, I recently set up Secure Wifi on a WAC 500H point.

    Did it according to the instructions https://support.zyxel.eu/hc/en-us/articles/360021358260-Secure-WiFi

    The tunnel is working. Clients connected to the point via WIFI received addresses from DHCP from the Central Office.

    The only rule was added to the Firewall Source -LAN Subnet Destination Lan Subnet, without it, only the gateway was available to clients, and access to the local resources of the central office was blocked.

  • Zyxel_Richard
    Zyxel_Richard Posts: 254  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Security
    edited August 2021
    Hi Jonatan,

    We've also provided a complete setting guide in our gateway's handbook, you can refer to page 653 to page 657 for configuration process.

    https://download.zyxel.com/USG_FLEX_100/handbook/USG FLEX 100_ZLD5.00_Handbook.pdf

    In the handbook, you can also see other use cases of Gateway functions with detail configuration process.

    Best Regards,
    Richard
  • Mario
    Mario Posts: 106  Ally Member
    Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fifth Anniversary
    Thank you fro your feedback.
    The article from zyxel.eu looks great, but at least the adding of the services wasn't working as described in the gui:
    I had to do this manualy.




  • jonatan
    jonatan Posts: 188  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary

    My device has the firmware V5.02(ABW.0)ITS-WK28-r100674 installed.

  • jonatan
    jonatan Posts: 188  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary

    Hi.
    There is nothing new about Secure WIFI in the manual. Question why is traffic from clients to the central office network blocked? In the Central Office, the address pool is 192.168.0.0 / 24, an employee from a remote office receives the address 192.168.0.55 from the DHCP server via Secure WIFI. Packets reach only the gateway 192.168.0.1, other addresses are not available - the default Firewall blocking rule is triggered.

  • Zyxel_Richard
    Zyxel_Richard Posts: 254  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Security
    edited August 2021
    Hi @Mario

    For the wording in the Remote AP setting page, this should be a wording issue, actually controller add a new firewall policy. (Attach as the screenshot below), so don't worry and there's no need to add additional firewall rule or change service group




    we'll correct the wording it in the near future.

    Hi @jonatan

    I use a default configuration on my security gateway, the devices connecting to remote AP is able to ping Ethernet devices in the LAN side.
    I've send the private message to you for further investigation, please check it, thanks!

    Best Regards,
    Richard
  • Mario
    Mario Posts: 106  Ally Member
    Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fifth Anniversary
    Remote AP works great, but I had also create a Lan1 to Lan1 rule to get it running.


  • Zyxel_Richard
    Zyxel_Richard Posts: 254  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Security
    @Mario

    Glad to here the remote AP works good in your case!

    Could you please check the private message? I'd like to check your configuration file to see your configuration.
    Since in our local test we think the Lan1 to Lan1 firewall rule is unnecessary for data traffic.

    Best Regards,
    Richard
  • jonatan
    jonatan Posts: 188  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    Hi, I sent the configuration file in a private message.




  • Zyxel_Richard
    Zyxel_Richard Posts: 254  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Security
    edited August 2021
    @jonatan @Mario

    For the reason why you need to add another firewall rule on the gateway is because:

    By default gateway provides a default "LAN_Outgoing" policy, where traffic from LAN to any is allowed. Through this policy, we don't need further setting to let client connecting to Remote AP access other devices in the LAN subnet.

    However, in Jonatan's case, this firewall policy is separated into other customized policies, but missed the LAN-to-LAN part. Therefore, it's required to add this new entry for allowing this traffic.

    As a more detail explanation, When gateway receives a packet from Remote AP, it will change the MAC address of this packet and forward it to the actual LAN device -- this is the point where the firewall policy engage in.

    Best Regards,
    Richard