Nebula SSID Layer 2 isolation and network scanners


Hi.

I configure Nebula with one AP. The SSID has Layer 2 isolation enabled (with or without Guest Network enabled). Firewall MAC address is the only address added/allowed.

Traffic to the internet is working fine. Traffic to other physical devices on the same subnet is blocked/not working as expected (i.e. https traffic).

However, if I connect a wireless Android client to the SSID and scan the network using e.g. the Android app "Net Analyzer", it finds all the devices connected to the switch(es) on the same subnet.

Can this be prevented?

Regards

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 917  Zyxel Employee
    Answer ✓

    Hi @HPITS ,

    With the current mechanism of L2 isolation, the rules are:

    • Allow multicast packets
    • Allow broadcast packets
    • Allow packets from a configured Wi-Fi interface if the destination MAC is on the list (e.g., GW MAC)
    • Drop other packets from the configured Wi-Fi interface.

    Usually, scanner software will send an ARP request for every IP in the subnet, and an ARP request is broadcast. Though the ARP reply is unicast, it will be allowed since its source interface is not the Wi-Fi's L2 isolation interface. Once the scanner receives an ARP reply, it knows the corresponding IP has a device.

    Reversing rules 3 & 4 (only allowing packets from whitelisted MACs on the Wi-Fi output interface, others are dropped) can block the ARP reply part, but this software will still use UPnP or Bonjour (mDNS) to find services. They are of the allowed multicast type, so they can still be discovered.

    In addition, blocking broadcast/multicast may cause abnormalities in some applications.

    To sum up, in a network with wired clients, please refer to the port isolation feature to check whether it achieves the requirement. For the AP, since all Ethernet devices are on the uplink port side, it is not possible to achieve the same effect as port isolation.


All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,629  Zyxel Employee

    Hi @HPITS,

    May I know which AP you are using and the firmware version? Thank you beforehand.

    Zyxel Melen

  • HPITS
    HPITS Posts: 7

    Hi

    WAC6103D-I FW version 6.28

  • HPITS
    HPITS Posts: 7

    Thank you for an informative answer. Have a nice day!

    Regards