Guest Wireless Issues with 500H - Layer 2 Isolation
Hi,
We created a guest WiFi network using level 2 isolation and attached it to a VLAN, which worked fine. We later upgraded the firmware of all the switches and firewalls to the latest version due to other issues, and the guest WiFi stopped working.
The DNS is set to the 500H and we have added the MAC to the wireless isolation whitelist. Devices can connect to the network and get an IP etc., which works fine. However, they don't get internet access. The WiFi logs show that devices are getting DNS timeouts. We then set the DNS to 1.1.1.1 and 8.8.8.8 to bypass the need for the MAC whitelist, but it still doesn't work.
Does anyone have any ideas on what the issue could be?
All equipment is Zyxel Nebula kit: 1900 switches, 630s APs and a 500H firewall.
Thanks in Advance
David
Accepted Solution
Hi,
Thanks for your response.
It was a MAC Whitelist Issue.
I had set a MAC but it was in fact the wrong one. Nebula displays the P1 WAN MAC. ARP on the machine I used brought up the wrong MAC for some reason. I had added both.
An easier way to obtain the MAC from a remote location is using the Local GUI.
Connect to the local GUI via Nebula: Devices > Firewall > Remote Configurator
From the Local GUI:
Under Config > Network > Interfaces > Edit the relevant VLAN\Interface.
The MAC is displayed in there.
Why this information isn't in Nebula or automatically added when you enable the guest is beyond me.
I hope this helps someone else.
David
All Replies
Hi @DaviD42,
I understand you're experiencing guest Wi-Fi issues with your Nebula setup after a firmware upgrade, specifically with DNS timeouts and no internet access, despite devices obtaining IP addresses and adding the MAC to the wireless isolation whitelist.
Here are some steps to troubleshoot the issue:
- Verify Layer 2 Isolation Whitelist for correct MAC address of the firewall port: When Layer 2 isolation is enabled, only traffic to whitelisted destination MAC addresses is allowed. Even if you've added the 500H's MAC address to the whitelist, if it is not the correct port MAC of the connecting port, the traffic is still blocked by the AP. Please ensure you configure the correct MAC address. Example: your firewall's MAC addresses are XX:94:FE ~ XX:95:09, and your switch is connected to port 5 (MAC address XX:95:02). The MAC address you need to set in the Layer 2 Isolation Whitelist is XX:95:02.
- Check DNS Server Reachability: Even after setting public DNS servers (1.1.1.1 and 8.8.8.8), if the guest network cannot reach them due to firewall rules or routing issues on the 500H, DNS resolution will still fail. Confirm that the 500H firewall rules permit DNS traffic (UDP port 53) from the guest VLAN to the internet (for 1.1.1.1 and 8.8.8.8) or to the 500H itself if it's acting as the DNS server.
- Review Firewall Rules on 500H: Firmware upgrades can sometimes alter or reset firewall configurations. Double-check the firewall rules on your 500H to ensure that traffic from the guest VLAN to the internet is allowed and not being inadvertently blocked. Also, confirm there are no rules blocking DNS queries specifically.
- Confirm Uplink Connectivity: Although the business SSID works, guest traffic may follow a different forwarding path. Perform ping tests from a guest client to confirm reachability to the AP and the upstream firewall.
- Test with Public DNS on Client: As a temporary diagnostic step, directly configure a guest client with public DNS servers like 8.8.8.8 and 8.8.4.4 to see if this bypasses any DNS resolution issues originating from your 500H or its configuration.
To further assist you, please provide the following information:
- Firmware Version: The exact firmware versions of your 500H firewall, 1900 series switches, and 630s APs.
- Network Topology Map: A simple diagram or description of how your devices are connected, including VLAN assignments.
- Screenshot of Nebula SSID Advanced Settings: A screenshot of your guest Wi-Fi's "SSID advanced settings" in Nebula, specifically the Layer 2 isolation section.
- Screenshot of 500H Firewall Rules: Screenshots of any relevant firewall rules on your 500H that apply to the guest VLAN.
- Enable Zyxel Support Access: Please enable Zyxel Support Access via Help > Support Request in your Nebula console. This allows our support team to directly view your cloud environment configuration, significantly shortening troubleshooting time.
- Organization and Site Name: Provide the name of your Nebula Organization and Site.
This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
If you have feedback or ideas about this AI assistant, share them in Community Feedback.
Hi @DaviD42
May I know if you set the correct port MAC address of your firewall in the whitelist? I replicated this issue with the correct port MAC address of my firewall in the whitelist, and my WiFi client can access the Internet and DNS can be resolved.
Zyxel Melen
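An added example, not part of any post in this thread and not Zyxel code: a small model of the whitelist rule quoted above (only frames to whitelisted destination MACs pass). It shows why switching the guest DNS to 1.1.1.1 and 8.8.8.8 does not remove the need for the correct whitelist entry, since off-subnet traffic is still framed to the gateway's MAC. The subnet, addresses, MACs and neighbour-table output are constructed.

```python
import ipaddress

# Constructed sample: `ip neigh show` output taken on a guest client.
SAMPLE_NEIGH = """\
192.168.50.1 dev wlan0 lladdr 02:00:5E:00:95:02 REACHABLE
192.168.50.77 dev wlan0  FAILED
"""
SUBNET, GATEWAY = "192.168.50.0/24", "192.168.50.1"      # hypothetical guest VLAN
DESTINATIONS = ["192.168.50.1", "1.1.1.1", "8.8.8.8"]   # firewall DNS, then public DNS


def norm(mac):
    """Normalise a MAC so 02-00-5E-.. and 02:00:5e:.. compare equal."""
    return mac.replace("-", ":").lower()


def parse_neigh(text):
    """Turn `ip neigh show` output into {ip: mac}, skipping unresolved entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = norm(fields[fields.index("lladdr") + 1])
    return table


def next_hop(dst_ip, subnet, gateway_ip):
    """IP whose MAC the client uses as Ethernet destination for dst_ip."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(subnet)
    return dst_ip if on_link else gateway_ip


def check(destinations, subnet, gateway_ip, neigh, whitelist):
    """Return {dst: (next_hop_ip, dest_mac, passes_isolation)}."""
    allowed = {norm(m) for m in whitelist}
    result = {}
    for dst in destinations:
        hop = next_hop(dst, subnet, gateway_ip)
        mac = neigh.get(hop)          # None if the next hop never resolved
        result[dst] = (hop, mac, mac in allowed)
    return result


if __name__ == "__main__":
    neigh = parse_neigh(SAMPLE_NEIGH)
    for label, wl in [("WAN-port MAC only", ["02:00:5e:00:94:fe"]),
                      ("guest interface MAC", ["02-00-5E-00-95-02"])]:
        print(label)
        for dst, row in check(DESTINATIONS, SUBNET, GATEWAY, neigh, wl).items():
            print(f"  {dst:<14} via {row[0]:<13} mac {row[1]}  pass={row[2]}")
```

With only the WAN-port MAC whitelisted, every destination fails, public DNS included; with the guest VLAN interface MAC whitelisted, all three pass.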