I have just bought an NWA1123-AC Pro which is working very well. Enjoying the cloud side (email notifications would be lovely on the free tier :-) )

Anyway, I have a few concerns regarding the AP.

If I enable layer 2 isolation, a client can still scan and access the AP (SSH, HTTP(S) etc.). This activity does not seem to be logged in any way. The IP for the AP comes up on the scan, and a port scan on the AP gave me the ports to target.

There does not seem to be a way to prevent this access within the Zyxel settings. I compared this to the UniFi solution and the BT Whole Home wifi, both of which gave true isolation ... Is there something I am doing wrong?

Also, I can see that I can set schedules for firmware updates but not a way to disable the rollout of a firmware altogether. Is this possible? 

I would much rather choose to deploy a firmware once I know the outcome. On the flip side, I could not see an easy way to roll back a firmware update.

These are the only two factors preventing me from buying more to do a full rollout.

Thank you for any help

    Hello @Nebula_CSO
    Could you help @dom check the layer 2 isolation function in Nebula?

    Hi @dom,
    For the L2 isolation issue, because some specific features, like captive portal, need to communicate with the AP, we didn't block the traffic from clients to APs. However, we understand your concern and would transfer your suggestion to an idea in the path below.
    For the firmware upgrade issue, we encourage the user to always enjoy the latest firmware available, and in case of any critical issue we always release a firmware patch ASAP. Here's a previous related issue for your reference.
    Moreover, users can set a recurrent schedule at the time they prefer even if the firmware is not available.

    Thank you very much for your response.

    I understand the route you have taken with regard to the Layer 2, but I think a better approach would have been to block everything unless a captive portal was specified, in which case there is a valid reason to turn it on.

    I will follow up on the forward link. I suspect I will have to VLAN the AP and traffic from the switch.

    I have gone ahead and purchased a few more NWA1123-AC Pro as part of the testing.

    The only part I would urge the Nebula side on is email notifications from the free tier. Especially if an AP is down.

    Hi @dom,
    The functions you mentioned can be disabled via commands, and please let me know if you need to use it urgently.
    For the mail alert, because many customers have made the same request, we are considering making device-down push notifications in the app available for Nebula free tier. :)

