Nebula SSID Layer 2 isolation and network scanners
Hi.
I configure Nebula with one AP. The SSID has Layer 2 isolation enabled (with or without Guest Network enabled). The firewall MAC address is the only address added/allowed.
Traffic to the internet is working fine. Traffic to other physical devices on the same subnet is blocked/not working as expected (i.e. https traffic).
However, if I connect a wireless Android client to the SSID and scan the network using, i.e., the Android app "Net Analyzer", it finds all the devices connected to the switch(es) on the same subnet.
Can this be prevented?
Regards
Accepted Solution
Hi @HPITS ,
With the current mechanism of L2 isolation, it is to:
- Allow multicast packets
- Allow broadcast packets
- Allow packets from a configured Wi-Fi interface if the destination MAC is on the list (e.g., GW MAC)
- Drop other packets from the configured Wi-Fi interface.
Usually, scanner software will send an ARP request to ask for all the IPs in a subnet, and an ARP request is broadcast. Though an ARP reply is unicast, it will be allowed since its source interface is not the Wi-Fi's L2 isolation interface. Once the scanner receives an ARP reply, it knows the corresponding IP has a device.
Reversing rules 3 & 4 (only allowing packets from whitelisted MACs on the Wi-Fi output interface; others are dropped) can block the ARP reply part, but this software will still use UPnP or Bonjour (mDNS) to find services. They are of the allowed multicast type, so they can still be discovered.
In addition, blocking broadcast/multicast may cause abnormalities in some applications.
To sum up, in a network with wired clients, please refer to the port isolation feature to check whether it achieves the requirement. For the AP, since all Ethernet devices are on the uplink port side, it is not possible to achieve the same effect as port isolation.
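The accepted answer above lists the L2 isolation rule set and explains why a broadcast ARP request from the isolated SSID still gets a unicast reply back, and why the "reversed" rule set blocks that reply but not mDNS. The following is an added example (not Zyxel code, and not the AP's actual implementation) that models both rule sets as plain functions and walks a few constructed frames through them so a defender can see which discovery steps each policy lets through. Frame fields, the gateway MAC, the two client MACs and the assumption that the reversed variant keeps the original Wi-Fi ingress check are all constructed for the illustration.

```python
"""Toy model of the L2 isolation rules described in the accepted answer.
Added example only; the AP's real forwarding logic is not on the page."""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
MDNS_MAC = "01:00:5e:00:00:fb"        # IPv4 multicast MAC for 224.0.0.251 (mDNS)
GW_MAC = "00:00:5e:00:01:01"          # constructed placeholder: the whitelisted gateway MAC


@dataclass(frozen=True)
class Frame:
    ingress: str      # "wifi" (the isolated SSID) or "uplink" (wired side)
    src_mac: str
    dst_mac: str
    proto: str        # descriptive label only: arp-request, arp-reply, mdns, https


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set means multicast.
    The all-ones broadcast address also satisfies this test."""
    return (int(mac.split(":")[0], 16) & 1) == 1


def is_broadcast(mac: str) -> bool:
    return mac.lower() == BROADCAST


def current_rules(f: Frame, allowed: set[str]) -> str:
    """Rules in the order the answer lists them: multicast and broadcast always
    pass; unicast entering from the isolated Wi-Fi interface passes only toward a
    whitelisted destination MAC; unicast entering from the uplink is not inspected."""
    if is_broadcast(f.dst_mac) or is_multicast(f.dst_mac):
        return "allow"
    if f.ingress == "wifi":
        return "allow" if f.dst_mac.lower() in allowed else "drop"
    return "allow"   # uplink-originated unicast (e.g. an ARP reply) is never filtered


def reversed_rules(f: Frame, allowed: set[str]) -> str:
    """The 'reversed rules 3 & 4' variant from the answer: unicast heading out the
    Wi-Fi interface passes only if its *source* MAC is whitelisted. Multicast and
    broadcast still pass. Assumption: the original Wi-Fi ingress check is kept."""
    if is_broadcast(f.dst_mac) or is_multicast(f.dst_mac):
        return "allow"
    if f.ingress == "uplink":
        return "allow" if f.src_mac.lower() in allowed else "drop"
    return "allow" if f.dst_mac.lower() in allowed else "drop"


def scan_discovers(policy, allowed: set[str]) -> dict[str, bool]:
    """Run the discovery steps a LAN scanner relies on (constructed sample frames)
    through a policy and report which ones are allowed."""
    scanner = "02:00:00:00:00:aa"   # constructed: the wireless client's MAC
    printer = "02:00:00:00:00:bb"   # constructed: a wired device on the same subnet
    steps = {
        "arp_request_out":  Frame("wifi", scanner, BROADCAST, "arp-request"),
        "arp_reply_back":   Frame("uplink", printer, scanner, "arp-reply"),
        "mdns_answer":      Frame("uplink", printer, MDNS_MAC, "mdns"),
        "https_to_printer": Frame("wifi", scanner, printer, "https"),
    }
    return {name: policy(frame, allowed) == "allow" for name, frame in steps.items()}


if __name__ == "__main__":
    for name, policy in (("current", current_rules), ("reversed", reversed_rules)):
        print(name, scan_discovers(policy, {GW_MAC}))
```

Under `current_rules` the broadcast ARP request leaves the SSID, the unicast ARP reply comes back untouched (its ingress is the uplink), and only the direct HTTPS attempt is dropped, which matches what the original post observed. Under `reversed_rules` the ARP reply is dropped, but the mDNS answer still reaches the client because it is multicast, which is the limitation the answer points out.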
All Replies
-
Hi @HPITS,
May I know which AP you are using and the firmware version? Thank you beforehand.
-
Hi
WAC6103D-I FW version 6.28
-
Thank you for an informative answer. Have a nice day!
Regards