NWA110AX AP Guest Wifi

MickD Posts: 3
edited August 2022 in WirelessLAN
Just installed a number of the above APs and working well, we have gone for Nebula to configure them etc... but now i need to create a guest Wifi...

I've created a new SSID and enabled Guest Wifi option and added the MAC of our gateway.. but still the clients can get to our corporate network.. are there some other settings we need to change or something on the firewall etc?


All Replies

  • mMontana
    mMontana Posts: 1,207
    50 Answers 1000 Comments Friend Collector Third Anniversary
     Guru Member
    Well... the guest network is only on the APs. Not into switches and firewall.
  • MickD
    MickD Posts: 3
    Thanks for your reply... so how do you go about restricting access to the network via the AP? or is this not possible? what does the guest network option actually do if not to restrict access?

  • Zeus
    Zeus Posts: 4
    Friend Collector
    edited August 2022
    Well what you are essentially doing is splitting the wifi into two seperate SSIDs, only to then connect both SSIDs to the same router interface. Its like connecting two physical access points to the same router interface.
    What you probably would want to do is assigning the SSIDs to different VLANs, each with their own subnet and then prevent routing between the subnets.
  • MickD
    MickD Posts: 3
    Thanks for your reply... I thought the guest option stopped devices communicating, then enabling L2 isolation and add in the exceptions? I'm just not understanding how it works...
    we did have a Ruckus setup prior to the and I'm sure all we had to do was to enable the guest access mode and it just worked and only allowed traffic out onto the internet.. but I could be wrong..

  • Zyxel_Jay
    Zyxel_Jay Posts: 135
    5 Answers First Comment Friend Collector First Anniversary
     Zyxel Employee

    HI @MickD

    Thanks for sharing your experience on Zyxel community!

    When you enable Guest Network, the Layer 2 isolation and Intra-BSS traffic blocking is automatically enabled.

    Intra-BSS Blocking is clients can’t communicate with each other when connecting to the same SSID on the same AP.

    Layer-2 Isolation is clients can’t communicate with each other in the same subnet, only allow access to devices listed.


    We got your ticket and checked for your settings, because your corporate network subnet is different to wireless users. Thus, the wireless user to different subnet won’t be restricted.


    Per discussed, we’re thinking on the same way to suggest you can use NAT mode with firewall rule.


    NAT mode is to generate each client unique IP address from their own MAC, the subnet is using on AP only which can provide separated network from your whole topology so it is safety. You can use it without worries.


    Thank you