VLANs, USG, and NWA5123-AC-HD
Freshman Member
Hi there,
I hope you can help me: I encounter many issues in the configuration I want to set.
I have:
- an USG310
- a Wifi NWA5123-AC-HD controller
I also have switch GS1200-8P which I don’t use it for now.
I want to define 3 wifi SSID:
- 1 which can access to both internet and local shares
- 1 which can access internet only- 1 which can only access local network
So I’ve defined on the USG 3 vlans (id 100, 200, 300), as internal, with a DHCP server which define the appropriate IP address plan, mac binding rules on these VLANs, IP address defined, with no getaway defined, zone lan1, enable IGMP support downstream, base port is the physical port on the USG where is plugged the network cable to the NWA5123-AC-HD.
This port have also a DHCP server defined in network > interfaces > Ethernet.
The NWA5123-AC-HD is powered through POE with a POE injector between the USG and NWA5123-AC-HD.
On the NWA5123-AC-HD,
- for testing purposes, only the two last SSID have the expected VLAN defined (200,300, in Configuration > Objects > AP profiles). The first SSID still have the VLAN id 1.
- the network > VLAN tab has not been updated
When I connect through the first one SSID (those one which still have the VLAN id 1) I’m able to reach internet. If I connect to a SSID which have a VLAN ID 200 or 300, I’m not able to reach internet.
A security rules has been placed temporary to allow everything from the LAN1.
The thing I can view in the USG log files:
- When I’m connecting to a SSID with a VLAN id 200 or 300, I got the expected IP address, but I also got an IP address from the DHCP server on the Ethernet port.
- I have many IP-mac-binding DROP packet vlan200-0.0.0.0:mac_address_of_the_NWA5123-AC-HD.
My understanding:
- I should not have both a DHCP server on the Ethernet interface where is plugged the NWA5123-AC-HD and the VLAN.
But In this case, setting a fixed IP address is mandatory for the NWA5123-AC-HD? Or are there some ways to manage all the IP addresses plan in the USG?
- When connecting to the SSID where there is still the VLAN id 1, he cannot find a relevant DHCP server for this VLAN and so ask to the Ethernet interface. I got an IP address from the Ethernet interface instead, and this is why I’m able from this SSID to access to internet.
Am I right?
Did I miss an important step in my configuration?
Additionally, which is the more secure way to manage all these VLANs? I mean, I could tell the VLAN which is able to access to all resources to access also to USG and NWA5123-AC-HD but there is probably a better approach?
thanks in advance for your help.
Mat
Categories
- All Categories
- 385 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 75 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 908 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 886 Nebula FAQ
- 415 Security FAQ
- 228 Switch FAQ
- 200 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
