wireless Access Points and VLANs

mat17
mat17 Posts: 45  Freshman Member
First Comment Friend Collector Fourth Anniversary
edited April 2021 in Security

Hi there,


I starting to set up the following configuration but I encounter many issues and probably need some help.


I try to set up 3 isolated SSID on the wireless access point:

- one which can reach both internet and a NAS

- one which can reach only internet

- one which cannot reach both internet and the NAS


I have:

- an USG310

- a switch GS1200-8HP

- a wireless controller NWA5123-AC-HD


from a physical point of view:

- the wireless controller is linked to the switch from it’s uplink port to the port 1 of the switch GS1200-8HP. This allow the wireless controller having the POE.

- this switch is connected from it’s port 5 to the port 3 of the USG.

- Nas is connected on the port 4 of the USG

- WAN is available from the port 2 of the USG.


From a VLAN point of view (Configuration > Network > Interface > VLAN)

3 VLANs have been defined on the USG with the following configuration:

- internal

- base port: ge3

- IP address: 192.168.(X/Y/Z).1

- sub-net: 255.255.255.0

- enable IGMP support (downstream)

- DHCP server

- 192.168.(X/Y/Z).2

- first DNS server: Zywall

- second DNS server: 1st from the ISP

- third DNS server: 2nd from the ISP

- default router: vlan (X/Y/Z) IP


Interface ge3 on the USG (Configuration > Network > Interface > Ethernet > port 3) is:

internal

interface name: ge3

port 3

LAN1

ip address: 192.168.1.1/255.255.255.0

DHCP Server: 192.168.1.2

default route: ge3 IP

enable IP mac binding for all IP addresses I want on this sub-net with an IP (192.168.1.x)


on the wireless access point, SSID 2 and 3 have respectively VLAN Y and VLAN Z SSID.

SSID 1 have still for now VLAN id 1. (if I change apply the VLAN X on the SSID 1, I cannot reach anything)


the port configuration in the switch is the following one:

IEEE 802.1Q VLAN


VLAN ID 1: port 1, 5 and 8 untag egress member

VLAN ID X: port 1 and 5 Tag Egress Member

VLAN ID Y: port 1 and 5 Tag Egress Member

VLAN ID Z: port 1 and 5 Tag Egress Member


My problems are the following ones:

- When I connect my wireless devices to the SSID 1, I got the appropriate IP on the sub-net 192.168.1.0 sub-net and I’m able to reach the internet.

- When I connect a wireless device on the SSID 2 (VLAN Y), I got an IP address on this VLAN (192.168.Y.) but I’ve also a log trace in the USG which tel me that I got an IP on the 192.168.1 sub-net. I cannot reach the internet.


I have many errors in my USG log files which looks like;

- IP Mac binding: DROP packet vlanY/Z-0.0.0.0:mac_address_of_the_wireless_AP

- IP Mac binding: DROP packet ge3-0.0.0.0:mac_address_of_the_wireless_AP


Wireless access point and GS1200-8HP got an IP with in subnet 192.168.1

I’m brand new in VLAN, just wants to understand what I’m doing wrong. Would you mind help me?


Regards



All Replies

  • CHS
    CHS Posts: 181  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited July 2018

    Hi @mat32

    In the normally if AP is managed(local bridge) by USG, the mac address will be mobile device itself but not AP's mac address.

    Does the AP is managed by USG? or in standalone mode?

  • mat17
    mat17 Posts: 45  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    Hi @CHS

    Thanks for your reply.

    I've tried to managed the AP from the USG but it seems doing nothing: from the USG,  override configuration, update mac address list, etc: nothing happen.

    Additionally, I have many capwap alerts like this one in my USG Log files "AP Disconnect: MAC MAC_address_of_the_AP: Reason: Idle in disc state"
    I'm not sure If my AP is going well...

    So for now, the AP is managed in a stand alone mode.

    I've found this tutorial https://businessforum.zyxel.com/discussion/1221/vlan-end-to-end-walk-through which is exactly what I was looking for.
    My configuration was the same except that I defined a list of MAC addresses in the MAC Layer 2 Isolation profile for the SSID where I was not able to access to the internet.
    Remove this layer 2 isolation profile let me access to the internet now.

    I was expecting being able to isolate all these wireless clients on this SSID except those one defined in this list.

    Finger crossed that my AP doesn't need to be change: I just bought it.

    Regards


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    Welcome to Zyxel community. :)

    The configuration of the switch should be correct, your USG should be able to manage the AP without problem.
    You can follow these steps to see if the AP can be managed by the USG.
    1. Go to Monitor > Wireless > AP Information >  AP List. Click “Add to Mgnt AP list” button to add AP into trust AP.
    If AP is not exist in the list, you have to reset your AP.
     2. Go to Configuration > Wireless > AP Management > Mgnt. AP List. You will find the AP is listed in this table.

     3. Go to Configuration > Wireless > AP management > Firmware . Click “check” button first and then click “Apply”.
    It will download the latest AP firmware to USG.
    After these steps, USG will trying uploading AP firmware to AP. And AP will reboot few times.
    You can check AP status by: Monitor > Wireless > AP information > AP List.
    If upgrading AP firmware, the status will like this:
     
    If everything is done, the status will like this:

Security Highlight