Enhancements to Initial SSID in Zyxel Access Points (APs)

Zyxel_Claudia
Zyxel_Claudia Posts: 124  Zyxel Employee

With the firmware 7.10 update, Zyxel has introduced major improvements to the initial SSID setup process for its access points (APs). These enhancements focus on improving security, usability, and network isolation to provide a better initial configuration experience.

The three key improvements are:

  1. New NAT Mode for Initial SSID
  2. Enhanced Open Security Implementation
  3. Default Internet Access Block for Initial SSID

1. NAT Mode for Initial SSID: Easier AP Setup

Previously, the initial SSID operated in bridge mode with open security. In firmware 7.10, Zyxel APs now use NAT mode by default, making setup more independent and flexible.

Key Changes in NAT Mode

  • The initial SSID (e.g., "Zyxel_XXXX") now operates under the 10.0.0.0/8 subnet instead of relying on a router for IP assignment.
  • The AP acts as a DHCP server, allowing devices to connect without requiring an external router.

NAT mode applies only to the initial SSID (Wi-Fi). If accessing the AP via Ethernet (LAN), the default management IP remains 192.168.1.2.

Handling Potential IP Conflicts

If an NCC Proxy Server or Wireless Controller happens to be in the 10.0.0.0/8 subnet, this could create routing conflicts.

Solution: Zyxel APs now include a default policy route to ensure traffic destined for controllers or proxy servers is correctly routed to the uplink network instead of being mistakenly handled as local traffic.

2. Enhanced Open Security for Initial SSID

Previously, the initial SSID used open security (no encryption), making it vulnerable to eavesdropping. With firmware 7.10, it now supports Enhanced Open, a security feature from WiFi 6 (WPA3-OWE).

What's the new behavior?

  • The initial SSID will now use Enhanced Open, a more secure WiFi standard.
  • Enhanced Open provides encryption for unauthenticated connections, making it safer than Open security.

What if my device doesn’t support WPA3?

  • WiFi 5 or older devices CANNOT connect to the initial SSID.
  • Solution: Use an Ethernet cable to connect to the AP via 192.168.1.2 for initial setup.

Note that this change only affects the system default; the startup configuration remains unaffected.

3. Internet Access Blocked by Default

To prevent potential attacks, firmware 7.10 now blocks internet access on the initial SSID by default.

What does this mean?

  • Wireless clients cannot communicate with each other, preventing unauthorized snooping or attacks.
  • Only direct communication with the AP is allowed, ensuring secure setup.

When Does Blocking Stop?

The AP will automatically stop blocking client-to-client communication when:

  • WiFi settings are modified – Any change to WiFi settings (e.g., SSID, security) signals that the administrator is actively configuring the AP.
  • The AP joins an AP Group – If the AP is grouped with others, it assumes a deployed network setup.
  • A Nebula Site Configuration is Applied – Once Nebula applies a site-wide configuration.
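
To confirm after the upgrade that the initial SSID described in section 2 advertises Enhanced Open rather than legacy open security, the RSN element of a captured beacon can be checked for the OWE key-management suite (00-0F-AC:18) with management frame protection required. This is an added example, not Zyxel code; the function names are illustrative and the beacon bytes are constructed samples.

```python
import struct

OUI_IEEE = bytes.fromhex("000fac")
AKM_OWE = 18                     # suite selector 00-0F-AC:18 (OWE)
MFPR = 0x0040                    # RSN capability bit: PMF required

def find_rsn(ies: bytes):
    """Walk tagged elements (id, len, body); return the RSN body (id 48) or None."""
    i = 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated element")
        if eid == 48:
            return body
        i += 2 + elen
    return None

def parse_rsn(body: bytes):
    """Return (IEEE AKM suite types, capability bits) from an RSN element body."""
    try:
        version, = struct.unpack_from("<H", body, 0)
        off = 2 + 4                              # skip version + group cipher
        n_pair, = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pair                    # skip pairwise cipher list
        n_akm, = struct.unpack_from("<H", body, off)
        off += 2
        akms = [body[off + 4 * k:off + 4 * k + 4] for k in range(n_akm)]
        off += 4 * n_akm
        caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    except struct.error:
        raise ValueError("truncated RSN element")
    if version != 1 or any(len(a) != 4 for a in akms):
        raise ValueError("malformed RSN element")
    return [a[3] for a in akms if a[:3] == OUI_IEEE], caps

def classify(ies: bytes) -> str:
    body = find_rsn(ies)
    if body is None:
        return "open"                            # no RSN element: unencrypted
    akms, caps = parse_rsn(body)
    if akms == [AKM_OWE] and caps & MFPR:
        return "enhanced-open"
    return "other"

# Constructed sample elements (not captured from a real AP).
SSID = bytes([0, 10]) + b"Zyxel_XXXX"
RSN_OWE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac12 c000")
RSN_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
```

Pass `classify` the tagged-parameter bytes of a beacon or probe response exported from a capture; a result of "open" on the initial SSID means the AP is still running the pre-7.10 behavior.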