Nebula SSID Layer 2 isolation and network scanners
Hi.
I configure Nebula with one AP. The SSID has Layer 2 islolation enabled (with or without Guest Network enabled). Firewall MAC address is the only address added/allowed.
Traffic to internet is working fine. Traffic to other physical devices on the the same subnet is blocked/not working as expected (i.e https traffic)..
However, if I connect a wireless Android client to the SSID and scan the network using i.e the Android app "Net Analyzer" it finds all the devices connected to the switch(es) on the same subnet.
Can this be prevented?
Regards
Accepted Solution
-
Hi @HPITS ,
With the current mechanism of L2 isolation, it is to
- Allow multicast packets,
- Allow broadcast packets
- Allow packets from a configured Wi-Fi interface if the destination MAC is on the list (e.g., GW MAC)
- Drop other packets from the configured Wi-Fi interface.
Usually, scanner software will send an ARP request to ask all the IPs in a subnet and ARP request is broadcast. Though ARP reply is unicast, it will be allowed since its source interface is not the Wi-Fi's L2 isolation interface. Once the scanner receives an ARP reply, it knows the corresponding IP has a device.
Reversing rules 3 & 4 (only allowing packets from whitelisted MACs on the Wi-Fi output interface, others are dropped) can block the ARP reply part, but this software will still use UPnP or Bonjour (mDNS) to find services. They are of the allowed multicast type, so they can still be discovered.
In addition, if blocking broadcast/ multicast, there may cause abnormalities in some applications.
To sum up, in the network with wired clients, please refer to the port isolation feature to check whether achieve the requirement. For AP, since all Ethernet devices are on the uplink port side, it is not possible to achieve the same effect as port isolation.
Be a Community MVP: Win a VIP Deal Dash on Your Next Zyxel Purchase!
0
Zyxel Employee
All Replies
-
Hi @HPITS,
May I know which AP you are using and the firmware version? Thank you beforehand.
Zyxel Melen
0 -
Hi
WAC6103D-I FW version 6.28
0 -
Hi @HPITS ,
With the current mechanism of L2 isolation, it is to
- Allow multicast packets,
- Allow broadcast packets
- Allow packets from a configured Wi-Fi interface if the destination MAC is on the list (e.g., GW MAC)
- Drop other packets from the configured Wi-Fi interface.
Usually, scanner software will send an ARP request to ask all the IPs in a subnet and ARP request is broadcast. Though ARP reply is unicast, it will be allowed since its source interface is not the Wi-Fi's L2 isolation interface. Once the scanner receives an ARP reply, it knows the corresponding IP has a device.
Reversing rules 3 & 4 (only allowing packets from whitelisted MACs on the Wi-Fi output interface, others are dropped) can block the ARP reply part, but this software will still use UPnP or Bonjour (mDNS) to find services. They are of the allowed multicast type, so they can still be discovered.
In addition, if blocking broadcast/ multicast, there may cause abnormalities in some applications.
To sum up, in the network with wired clients, please refer to the port isolation feature to check whether achieve the requirement. For AP, since all Ethernet devices are on the uplink port side, it is not possible to achieve the same effect as port isolation.
Be a Community MVP: Win a VIP Deal Dash on Your Next Zyxel Purchase!
0 -
Thank you for an informative answer. Have a nice day!
Regards
0
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 84 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 915 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
