How to utilize AP Tunnel Mode to access Office network from home

Zyxel_Richard Posts: 218  Zyxel Employee
edited July 2021 in Security


This document is for home workers and enterprises. It covers the initial settings on the Security Gateway (in the central office) and the Access Points (in each home worker’s house) that give home workers the same working experience as in the office, with no additional training and minimal IT support.


Supported Security Gateway Models

  • USG110/210/310/1100/1900/2200
  • VPN50/100/300
  • ATP100/200/500/800 

Supported Access Point Models

  • 11ac: WAC6103D-I, WAC6500 series
  • 11ac wave2: NWA5123-AC HD, WAC6303D-S
  • 11ax: WAX510D, WAX650S 

Configuration on Access Point

1. Set Laptop with static IP “192.168.1.X” (except and the subnet mask “”

(Directory: Network Connections > Local Area Connection > Properties > IPv4 > Properties)

2. Connect Laptop to the Uplink port of Access Point

3. Type “” on the URL column of your browser.

(Click “Standalone Mode” if you see this page)

(Enter admin credentials at Login Page, by default the password is 1234)

(Click “Cancel” to skip the Wizard)

4. Set the Primary static AC IP to the Security Gateway’s WAN IP address
(Directory: Configuration > Network > AC Discovery > Manual)

(Check the USG’s WAN IP address under Directory: Configuration > Network > Interface > Ethernet > Configuration)

5. (Optional) If Security Gateway’s WAN port is using floating IPs, set the Primary static AC IP in FQDN format, and make sure the DDNS server can be reached.

6. Connect the AP’s Uplink port to a home network that allows Internet access.

Configuration on Security Gateway

1. Set up two firewall rules on the USG to allow the CAPWAP connection (“GRE” & “CAPWAP-Control”)
(Directory: Configuration > Security Policy > Policy Control)

(Note: Set “ZyWALL” in the “To” column and “WAN” in the “From” column)

2. (Optional) If Security Gateway’s WAN port is using floating IP, set the DDNS Server to ensure the FQDN can be resolved by remote Access Points.
(Directory: Configuration > Network > DDNS > Add)

3. Confirm AP’s registration on USG
(Directory: Monitor > Wireless > AP Information > AP List)
(Select AP and then click “Add to Mgnt” button)

4. Check if AP’s status turns into “online AP” or “Compatible AP”
(Directory: Monitor > Wireless > AP Information > AP List)

5. Set Tunnel Mode SSID with corresponding VLAN interface settings
(Note: It is suggested to set the same SSID name as in the office. If you are already using a Zyxel Security Gateway to manage access points, just change the forwarding mode to “Tunnel”)

(Note: Set Interface Type “Internal” to let Security Gateway establish routing rules automatically.)

What could go wrong?

1. Make sure the AP is in its default configuration before initial setup. If it is not, reset the AP by pushing the reset button.

2. When connecting the AP’s Uplink port to another Ethernet port, make sure the AP can get an IP address and access the Internet. (Generally, the connected network should include an ISP’s modem or another device supporting the “DHCP Server” function.)

3. When setting firewall rules on the Security Gateway, set “ZyWALL” in the “To” column; both rules, allowing the “CAPWAP-DATA” and “CAPWAP-CONTROL” services, should be established.

4. When using a floating IP as the Security Gateway’s WAN address, make sure the IP address is synchronized successfully on the DDNS server, so that the connection does not fail to establish after an IP change.
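
One way to script the DDNS check from item 4, as an added example (not Zyxel's code): it resolves the FQDN configured as the Primary static AC IP and compares the answer with the gateway's current WAN IP. The function names, `ac.example.net` and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
import ipaddress
import socket
import sys


def resolve_all(fqdn):
    """Ask the local resolver for every address behind fqdn."""
    infos = socket.getaddrinfo(fqdn, None, type=socket.SOCK_DGRAM)
    # Drop any IPv6 zone suffix ("%eth0") so ipaddress can parse the result.
    return {info[4][0].split("%")[0] for info in infos}


def check_ac_fqdn(fqdn, wan_ip, resolver=resolve_all):
    """Compare the DNS answer for the AC FQDN with the gateway's WAN IP.

    Returns (status, detail); status is one of:
      "ok"           every answer equals the WAN IP
      "stale"        no answer equals the WAN IP (DDNS has not caught up)
      "mixed"        the WAN IP is present, but so are other addresses
      "unresolvable" the name does not resolve at all
    """
    expected = ipaddress.ip_address(wan_ip)
    try:
        answers = {ipaddress.ip_address(a) for a in resolver(fqdn)}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "unresolvable", str(exc)
    if not answers:
        return "unresolvable", "empty answer"
    extra = sorted(str(a) for a in answers if a != expected)
    if expected not in answers:
        return "stale", "DNS returns " + ", ".join(extra)
    if extra:
        return "mixed", "unexpected extra records: " + ", ".join(extra)
    return "ok", str(expected)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real run: <AC FQDN> <WAN IP shown on the gateway's Ethernet page>
        name, wan = sys.argv[1], sys.argv[2]
        status, detail = check_ac_fqdn(name, wan)
    else:
        # Constructed sample: DDNS still points at the previous address.
        name, wan = "ac.example.net", "203.0.113.10"
        status, detail = check_ac_fqdn(name, wan, lambda _: {"198.51.100.7"})
    print(f"{name}: {status} ({detail})")
    sys.exit(0 if status == "ok" else 1)
```

Run it from a network outside the office, since remote APs resolve the name through public DNS; a "stale" or "mixed" result means an AP may try to reach an address the gateway no longer holds.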

