I have a WAP on which I have set up a Guest WiFi SSID. That SSID is assigned the VLAN ID of 20…so all traffic on that SSID is tagged with VLAN ID 20.

The WAP is connected directly to a managed switch which is properly set up to direct traffic, coming from the WAP tagged with VLAN ID 20, to the LAN1 port of the Zyxel VPN100.

What I can't figure out is how to set up the Zyxel VPN100 to only allow the VLAN-tagged traffic to have access to the WAN port on the Zyxel VPN100 and no access back to the local network.

In short, I want to give network traffic tagged with VLAN ID 20 internet access only.

    So you have it tag all the way to the switch then untag it to LAN1 on VPN100?

    Zyxel have default rules that allow LAN1 to other LANs, which you should check and change.

    So if guest is on LAN1, do you have another subnet, LAN2, for other traffic?

    It would be best to make a VLAN on the VPN100 with VLAN20 on base port LAN1, then tag from the switch to the VPN100. You should make a new zone first, like VLAN20_guest, to set the zone for VLAN20. Then you can make a routing rule if needed from VLAN20 to next hop WAN, and a policy control rule VLAN20_guest to WAN.
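An added example, not part of the reply above and not Zyxel configuration: a small first-match model of zone-based policy rules that compares the guest landing in zone LAN1 with the guest in its own VLAN20_guest zone. The rule names, the rule contents and the top-down, final-deny evaluation order are assumptions made for illustration; check them against the rules actually listed on the VPN100.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    action: str   # "allow" or "deny"


def decide(rules, src_zone, dst_zone):
    """Return (action, rule name) of the first rule matching the zone pair.

    Assumption: rules are evaluated top-down and unmatched traffic is denied.
    """
    for r in rules:
        if r.src in ("any", src_zone) and r.dst in ("any", dst_zone):
            return r.action, r.name
    return "deny", "default"


# Constructed rule sets; names are illustrative, not exported from a device.
# Before: VLAN 20 is untagged onto LAN1, so guest traffic is in zone LAN1
# and inherits whatever the LAN1 rules permit.
BEFORE = [Rule("LAN1_Outgoing", "LAN1", "any", "allow")]

# After: the VLAN20 interface sits in its own zone with one allow, to WAN.
AFTER = [
    Rule("Guest_to_WAN", "VLAN20_guest", "WAN", "allow"),
    Rule("LAN1_Outgoing", "LAN1", "any", "allow"),
]


def audit(rules, guest_zone, internal_zones=("LAN1", "LAN2")):
    """Return (internal zones the guest zone can reach, WAN reachable?).

    Traffic inside the guest's own zone is not modelled here.
    """
    leaks = [z for z in internal_zones
             if z != guest_zone and decide(rules, guest_zone, z)[0] == "allow"]
    wan_ok = decide(rules, guest_zone, "WAN")[0] == "allow"
    return leaks, wan_ok


if __name__ == "__main__":
    print("guest in LAN1 zone:      ", audit(BEFORE, "LAN1"))
    print("guest in VLAN20_guest:   ", audit(AFTER, "VLAN20_guest"))
```

An empty leak list with WAN still reachable is the target state; any broad allow rule placed above the guest rule would show up as a leak in the same audit.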

