[NEBULA] Layer 2 isolation issue
Freshman Member
When I enable layer 2 isolation on my guest SSID which is defined to be on a virtual interface (VLAN10) on the connected NSG50, the system tell us to enter the following: "Please enter at least the gateway MAC address to prevent Internet access restriction". When I enter the MAC address of the secuirty gateway, I get no Internet access. So it appears I am entering the wrong MAC address. Can someone define precisely what ZyXEL means in this context when it states: "Please enter at least the gateway MAC address to prevent Internet access restriction"
I am currently using a demo so that may affect the licensing and feature availability. I don't know if that is germane.
All Replies
-
When you enable L2 isolation, the traffic from the station to other devices will be blocked unless the device is in the white list. So, to add the MAC of VLAN interface of GW to the white list is necessary for passing the traffic from the station connected on AP.
If your DNS or DHCP server are in the Intranet, please also add them to the white list.
Thanks.
0 -
@ComputeInTheCloud You need to use the MAC address of the LAN interface, which it's not the same as the MAC address you use to register the NSG on Nebula. Use ARP command of a connected device, or even easier, just enable Guest network in the SSID overview page which automatically detects the gateway LAN MAC.
"You will never walk along"1 -
So you are actually contradicting yourself. When I engage the Guest setting on the interface, you are correct, it places the MAC address of the gateway in the layer 2 isolation section. Great. (Not the LAN Mac address). why in the name of hell doesn't ZyXEL display the MAC addresses of all the interfaces somewhere in the web interface? When I did this manually, using the same MAC address, it fails. There are just so many problems with the Nebula interface that is almost pointless to name them all. ZyXEL has A LOT of work left to do to make this a viable product.
0 -
This is wrong, but thanks for the attempt.
0 -
Hello @ComputeInTheCloud,
Thanks for your suggestion.
When you enable Guest network, the GW MAC address on the AP management VLAN will be added to the L2 isolation white-list as default GW. The GW MAC address on AP management VLAN (NSG's LAN port MAC address) and the MAC address used to register the NSG on NCC will not be the same.
However, as you mentioned, there's no information on NSG page to show all MAC addresses, so I add it to idea section as below link.
https://businessforum.zyxel.com/discussion/3811/mac-address-information-on-nsg/p1?new=1
0
Zyxel Employee
Ally Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
