good practice for setting up a wifi AP to access LAN ressource

Options
Asgatlat
Asgatlat Posts: 128 image  Ally Member
First Comment Friend Collector Eighth Anniversary
edited January 20 in Wireless

hi

in office, we only use wired LAN

we have Wifi AP only for guests and employee's personnal devices. thi Wifi is on a specific ISP modem and no link with office's lan

i want to add a wifi AP for coworker when they are many in meeting room, because add a switch on the meeting desk is messy and laptop has no rj45 connection

what is the best pratice for ? create a specific SSID with only mac filtering (so the SSID is set top open ?)

i really don't know what is the best for…

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,532 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Hi @Asgatlat

    Please reference the items that Barry mentioned.

    Key point:

    1. The SSID need to assign a VLAN ID.
    2. This SSID need to enable Layer 2 Isolation & Intra-BSS Traffic Blocking.
    3. Firewall need set security policy to block this VLAN access other interface/LAN/VLAN/Subnet.
    Zyxel Melen


All Replies

  • Zyxel_Barry
    Zyxel_Barry Posts: 120 image  Zyxel Community Virtual Assistant
    5 Answers First Comment Friend Collector
    edited January 21

    Hi @Asgatlat,

    To address your requirement for providing Wi-Fi access to coworkers in a meeting room for their laptops to access LAN resources, while maintaining security, here's a recommended approach:

    Initial Solution

    The best practice involves creating a dedicated SSID for your coworkers and implementing robust security measures beyond just MAC filtering, as MAC addresses can be spoofed. Integrating VLANs with your SSID will provide better network segregation.

    1. Create a Dedicated SSID:
      • Set up a new SSID specifically for "Coworker Meeting Room" or similar.
    2. Implement Strong Security:
      • WPA3-Personal or WPA2/WPA3-Mixed Mode: For robust security, use WPA3-Personal. If you have older devices that may not support WPA3, use WPA2/WPA3-Mixed mode. Avoid "Open" SSIDs, as they offer no encryption.
      • (Optional) MAC-based Authentication (Whitelist): While not foolproof on its own, MAC-based authentication can add an additional layer of control. Configure a whitelist of MAC addresses for the devices your coworkers will use. This ensures only "known" devices can connect to this specific SSID.
        • In Zyxel Nebula, you can often find this under MAC-based Authentication or Client Policy (MAC filter) features.
        • For Zyxel firewalls with an AP Controller, you can use local MAC authentication.
      • VLAN Segregation: This is crucial for isolating traffic.
        • Assign this new SSID to a specific VLAN that is separate from your main corporate LAN.
        • Configure your firewall or router to control access between this VLAN and your corporate LAN, allowing only necessary traffic (e.g., access to specific internal resources like printers or shared drives).
        • This prevents unauthorized access to sensitive LAN resources from the Wi-Fi network.
      • Enable Layer 2 Isolation & Intra-BSS Traffic Blocking: This feature prevents connected wireless clients on the same SSID from communicating directly with each other, enhancing security.
    3. Firewall Rules:
      • On your firewall, create rules that specifically allow the necessary traffic from the coworker Wi-Fi VLAN to the specific LAN resources they need. Explicitly deny all other traffic from the Wi-Fi VLAN to the corporate LAN.

    Information Collection Guide

    To provide more tailored advice, please provide the following information:

    • Zyxel Access Point Model(s): (e.g., NWA1123-ACv2, WAX610D, etc.)
    • Firmware Version of the AP(s):
    • Management Platform: Are your APs managed by Zyxel Nebula Cloud, a Zyxel Security Gateway (e.g., USG FLEX), or standalone?
    • Network Topology (Diagram or Description): How is the new AP intended to connect to your existing network infrastructure?
    • Specific LAN Resources: What exact LAN resources (e.g., file servers, internal websites, specific applications) do your coworkers need to access from this Wi-Fi?
    • Nebula Specific Information (if applicable):
      • Please enable Zyxel Support Access via Help > Support Request in your Nebula console. This allows our support team to view your cloud environment directly.
      • Provide your Organization Name and Site Name.

    This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
    If you have feedback or idea about this AI assistant, share them in Community Feedback.

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,532 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Hi @Asgatlat

    Please reference the items that Barry mentioned.

    Key point:

    1. The SSID need to assign a VLAN ID.
    2. This SSID need to enable Layer 2 Isolation & Intra-BSS Traffic Blocking.
    3. Firewall need set security policy to block this VLAN access other interface/LAN/VLAN/Subnet.
    Zyxel Melen


Categories

Wireless Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)