[2025 September Tips & Tricks] Revamped Captive Portal for USG FLEX H: Better Security, Less Risk


📌 Overview
With the release of our next-generation firewall series, Zyxel introduces a key security-driven change in the behavior of the captive portal (web authentication) feature. This update reflects modern security best practices and is designed to reduce potential attack surfaces in your network infrastructure.
🛡️ Background: Legacy Behavior
In ZLD-based (legacy) firewall models, the captive portal was designed to support traffic originating from both:
- LAN (Local Area Network) – typical internal user authentication
- WAN (Wide Area Network) – in some cases, used for remote user authentication
Some customers took advantage of this flexibility and combined captive portal with NAT port forwarding. This allowed users outside the local network (on the internet) to access internal resources via a public IP, with the captive portal acting as a safeguard.
🚨 Security Concern: Increased Attack Surface
While this configuration may seem secure due to the presence of web authentication, it actually poses significant security risks:
- Bypassing Zero Trust principles by exposing internal services to unauthenticated WAN users
- Captive portal is not an encryption-based method, so the data it fronts is potentially exposed in transit
- Expands attack surface, making internal resources discoverable from the internet
Such behavior violates industry-standard security best practices and leaves local network environments more vulnerable to exploitation.
⚙️ What’s Changed in the New USG FLEX H Series Firewall
To align with cybersecurity best practices, Zyxel's new-generation firewall products restrict captive portal functionality to LAN-only traffic. In other words:
Captive portal now works only for traffic originating from LAN interfaces. Traffic coming from the WAN is no longer processed by the captive portal.
This change may be inconsistent with the legacy ZLD-based product behavior, but it represents a significant security enhancement aimed at helping our customers build more resilient networks.
👉 Recommended Alternatives: Secure Remote Access
For customers who require access to internal network resources from outside (e.g., remote employees or mobile users), Zyxel strongly recommends using one of the following secure VPN protocols:
- IKEv2 VPN – Ideal for mobile clients and site-to-site tunnels
- SSL VPN – User-friendly and encrypted access through browser or client
These protocols provide end-to-end encryption and strong authentication, and are designed for secure remote access without exposing internal IPs or services to the public internet.
🔦 What If I Still Need WAN-Based Captive Portal?
If your deployment still relies on WAN-originated traffic being handled by the captive portal (e.g., for public hotspots or legacy integration scenarios), please note:
- This is no longer natively supported in the H series firewall design
- Customers are advised to avoid this approach to maintain security compliance
- If such usage is critical, please contact your Zyxel support representative for further discussion.
💡 Summary
| Topic | USG FLEX/ATP series behavior | USG FLEX H series behavior |
|---|---|---|
| Captive Portal | LAN and WAN traffic supported | LAN traffic only |
| WAN Access to Internal Resources | Possible with port forwarding + captive portal, or use VPN (IKEv2, SSL VPN) for secure access | Use VPN (IKEv2, SSL VPN) for secure access |
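As an added example (not Zyxel's own code or configuration format), the following Python script audits a constructed set of NAT port-forwarding rules and reports which ones depend on a captive portal being applied to WAN traffic, first under the legacy ZLD behavior and then under the USG FLEX H behavior summarized above. The rule fields, interface naming convention and sample rules are assumptions made for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class PortForward:
    """One NAT port-forwarding rule (constructed model, not Zyxel's config format)."""
    name: str
    from_iface: str            # ingress interface, e.g. "wan1" or "lan1"
    internal_host: str
    internal_port: int
    controls: frozenset = frozenset()  # access controls the rule relies on

def zone_of(iface: str) -> str:
    # Assumption: interface names starting with "wan" face the internet.
    return "wan" if iface.lower().startswith("wan") else "lan"

def captive_portal_applies(iface: str, platform: str) -> bool:
    """Legacy ZLD processes captive portal for LAN and WAN sources;
    USG FLEX H processes it for LAN sources only."""
    if platform == "zld":
        return zone_of(iface) in ("lan", "wan")
    if platform == "usg_flex_h":
        return zone_of(iface) == "lan"
    raise ValueError(f"unknown platform: {platform!r}")

def audit(rules, platform):
    """Return (rule name, severity, reason) for WAN-facing forwards not reached via VPN."""
    findings = []
    for r in rules:
        if zone_of(r.from_iface) != "wan" or "vpn" in r.controls:
            continue  # LAN-side rules and VPN-only access are outside this change
        if "captive_portal" in r.controls:
            if captive_portal_applies(r.from_iface, platform):
                sev, why = "medium", ("internal service reachable from the internet, guarded only "
                                      "by captive portal (web auth, no transport encryption)")
            else:
                sev, why = "high", ("captive portal is not applied to WAN traffic on this platform, "
                                    "so this rule no longer has the control it relied on")
        else:
            sev, why = "high", "internal service reachable from the internet with no access control"
        findings.append((r.name, sev, f"{why}; migrate to IKEv2 or SSL VPN"))
    return findings

# Constructed sample rule set for demonstration.
SAMPLE_RULES = [
    PortForward("intranet-web", "wan1", "10.0.0.10", 443, frozenset({"captive_portal"})),
    PortForward("file-server", "wan1", "10.0.0.20", 445),
    PortForward("erp", "wan1", "10.0.0.30", 8443, frozenset({"vpn"})),  # reached via VPN only
    PortForward("guest-print", "lan1", "10.0.0.40", 631, frozenset({"captive_portal"})),
]

if __name__ == "__main__":
    for platform in ("zld", "usg_flex_h"):
        print(platform)
        for name, sev, why in audit(SAMPLE_RULES, platform):
            print(f"  [{sev}] {name}: {why}")
```

Running it shows the same WAN-facing rule moving from "medium" on ZLD to "high" on USG FLEX H, which is the set of rules to migrate to VPN before upgrading.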
🚀 Need Help?
For migration guidance and remote VPN setup tutorials, refer to these Zyxel Community articles 👇