Block admin access to AP on Guest WiFi

docoliver Posts: 2
First Comment
edited June 11 in Nebula


I have recently switched to Zyxel networking devices and are generally quite content with the function. However there is one configuration problem that bugs me.

My network is quite simple, 2 AP's powered by a POE switch and broadcasting a couple of different SSIDS that are separated by VLAN's that are being handled by my OPNSense firewall box with appropriate firewall rules.

My problem is the following:

My Guest WIFI is an Open Network with a captive portal provided by my OPNSense box and contained to VLAN 40. Appropriate firewall rules on the OPNSense box prohibit traffic between guest network and my other LANS. So far so good.

However when connected to my Guest WiFi (and on VLAN 40) I am still able to connect to the IP-address of the AP's on the VLAN 1 (thereby creating a security risk).

How do I prevent exposing the AP's GUI (or for that matter any port) to the Guests?

I would really appreciate your help :)


All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 637  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @docoliver

    You can prevent guests from accessing your APs' web GUI from the guest WiFi by enabling the Guest Network feature in the SSID settings. To do this, go to Nebula CC > Site-wide > Configure > Access Point > SSID Settings and enable the Guest Network option.

    For more detailed instructions on setting up the Guest SSID for your network, please refer to this article:

    Following the guidance in this article will help you isolate your guest network and enhance security.

    Share yours now!


  • docoliver
    docoliver Posts: 2
    First Comment
    edited June 14

    Hi @Zyxel_Kay,

    Thank you very much for your answer. However the suggested solution doesn't solve my issue. The web GUI is still accessible from the guest WiFi. I have included a couple of screenshots.

    My network topology is as follows.


    OpnSense box for firewall and routing (with appropriate VLAN tagging and trunking)

    1x Zyxel XMG1915-10EP as a smart switch

    2x Zyxel NWA130BE access point that broadcast different SSIDS with corresponding VLAN's


    VLAN 1 management LAN

    VLAN 10-VLAN 30 private networks




    I broadcast a Guest WiFi thats tagged with VLAN 40 (my Guest LAN), in Nebula the settings "Guest Network" and "Intra-BSS traffic blocking" is enabled (see screenshots).

    However the web GUI is still accessible for clients connected to the AP's on the Guest SSID

    (I have added my MAC of the gateway to the layer 2 isolation list)

    I would like to have all access to management interfaces (such as the web Gui ) blocked to users of the Guest SSID

    Can you help me with this?

    Kind regards, Jasper

Nebula Tips & Tricks