Block admin access to AP on Guest WiFi

docoliver
docoliver Posts: 3
edited June 11 in Nebula

Hi,

I have recently switched to Zyxel networking devices and am generally quite content with the functionality. However, there is one configuration problem that bugs me.

My network is quite simple: 2 APs powered by a PoE switch, broadcasting a couple of different SSIDs that are separated by VLANs, which are handled by my OPNSense firewall box with appropriate firewall rules.

My problem is the following:

My Guest WiFi is an open network with a captive portal provided by my OPNSense box and contained to VLAN 40. Appropriate firewall rules on the OPNSense box prohibit traffic between the guest network and my other LANs. So far so good.

However, when connected to my Guest WiFi (and on VLAN 40) I am still able to connect to the IP address of the APs on VLAN 1 (thereby creating a security risk).

How do I prevent exposing the AP's GUI (or for that matter any port) to the Guests?

I would really appreciate your help :)

Jasper


All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 949  Zyxel Employee

    Hi @docoliver

    You can prevent guests from accessing your APs' web GUI from the guest WiFi by enabling the Guest Network feature in the SSID settings. To do this, go to Nebula CC > Site-wide > Configure > Access Point > SSID Settings and enable the Guest Network option.

    For more detailed instructions on setting up the Guest SSID for your network, please refer to this article:

    Following the guidance in this article will help you isolate your guest network and enhance security.

    Kay


  • docoliver
    docoliver Posts: 3
    edited June 14

    Hi @Zyxel_Kay,

    Thank you very much for your answer. However the suggested solution doesn't solve my issue. The web GUI is still accessible from the guest WiFi. I have included a couple of screenshots.

    My network topology is as follows.

    ==========================================================================

    OpnSense box for firewall and routing (with appropriate VLAN tagging and trunking)

    1x Zyxel XMG1915-10EP as a smart switch

    2x Zyxel NWA130BE access points that broadcast different SSIDs with corresponding VLANs

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    VLAN 1 management LAN

    VLAN 10-VLAN 30 private networks

    VLAN 40 GUEST LAN

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Problem:

    I broadcast a Guest WiFi that's tagged with VLAN 40 (my Guest LAN); in Nebula the settings "Guest Network" and "Intra-BSS traffic blocking" are enabled (see screenshots).

    However, the web GUI is still accessible for clients connected to the APs on the Guest SSID.

    (I have added the MAC of the gateway to the layer 2 isolation list.)

    I would like to have all access to management interfaces (such as the web GUI) blocked for users of the Guest SSID.

    Can you help me with this?

    Kind regards, Jasper

  • Zyxel_Kay
    Zyxel_Kay Posts: 949  Zyxel Employee
    Answer ✓

    Hi @docoliver

    It looks like traffic from VLAN 40 is still being routed to other LAN subnets. To resolve this, you can add a policy rule on your OpnSense router to block VLAN 40 traffic from accessing other subnets.

    Kay

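To illustrate the kind of rule-ordering problem Kay's answer points at, here is an added example that is not part of the thread: a small first-match evaluator of guest-interface rules, with a misordered ruleset that still lets a guest reach an AP GUI on VLAN 1 beside a corrected one. The subnets, the AP address, and the captive-portal port 8000 are constructed assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing (assumptions, not from the thread):
GUEST = ipaddress.ip_network("192.168.40.0/24")      # VLAN 40, guest LAN
MGMT = ipaddress.ip_network("192.168.1.0/24")        # VLAN 1, APs and switch
INTERNAL = ipaddress.ip_network("192.168.0.0/16")    # every internal VLAN subnet
ANY = ipaddress.ip_network("0.0.0.0/0")
GUEST_GW = "192.168.40.1"      # firewall interface on VLAN 40 (captive portal, DNS)
AP_MGMT_IP = "192.168.1.10"    # an AP's management address on VLAN 1
PORTAL_PORT = 8000             # assumed captive-portal port; adjust to your setup

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port

def evaluate(rules, src, dst, dport):
    """First-match evaluation, as for OPNsense rules with the default 'quick'
    behaviour: the first rule whose source, destination and port match decides,
    and a packet matching nothing falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "block"

# Misordered guest ruleset: the catch-all allow sits above the block, so the
# block never matches and a guest reaches the AP GUI on VLAN 1.
GUEST_RULES_WRONG = [
    Rule("pass", GUEST, ANY),
    Rule("block", GUEST, INTERNAL),
]

# Corrected ordering: allow what guests need from the firewall itself
# (DNS, captive portal), then block all internal subnets, then allow the rest.
GUEST_RULES_FIXED = [
    Rule("pass", GUEST, ipaddress.ip_network(GUEST_GW + "/32"), 53),
    Rule("pass", GUEST, ipaddress.ip_network(GUEST_GW + "/32"), PORTAL_PORT),
    Rule("block", GUEST, INTERNAL),
    Rule("pass", GUEST, ANY),
]

def guest_can_reach_ap_gui(rules, guest_ip="192.168.40.23"):
    """True when a guest client could open the AP's HTTPS management page."""
    return evaluate(rules, guest_ip, AP_MGMT_IP, 443) == "pass"
```

The model only covers traffic routed through the firewall; a guest client reaching an AP interface that also answers on VLAN 40 never crosses the router, which is what the Guest Network and layer 2 isolation settings discussed above are for.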

  • docoliver
    docoliver Posts: 3

    Hi @Zyxel_Kay

    There indeed seems to be an issue with my firewall rules. I haven't figured it out completely but have a working workaround. Thank you very much for your help so far.

    doc
