[NEBULA] Layer 2 isolation issue

ComputeInTheCloud
ComputeInTheCloud Posts: 19  Freshman Member
First Comment Friend Collector Nebula Gratitude First Anniversary
edited April 2021 in Nebula

When I enable layer 2 isolation on my guest SSID which is defined to be on a virtual interface (VLAN10) on the connected NSG50, the system tell us to enter the following: "Please enter at least the gateway MAC address to prevent Internet access restriction". When I enter the MAC address of the secuirty gateway, I get no Internet access. So it appears I am entering the wrong MAC address. Can someone define precisely what ZyXEL means in this context when it states: "Please enter at least the gateway MAC address to prevent Internet access restriction"


I am currently using a demo so that may affect the licensing and feature availability. I don't know if that is germane.

All Replies

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    25 Answers First Comment Friend Collector Third Anniversary

    Hi @ComputeInTheCloud,

    When you enable L2 isolation, the traffic from the station to other devices will be blocked unless the device is in the white list. So, to add the MAC of VLAN interface of GW to the white list is necessary for passing the traffic from the station connected on AP.

    If your DNS or DHCP server are in the Intranet, please also add them to the white list.

    Thanks.

  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    @ComputeInTheCloud You need to use the MAC address of the LAN interface, which it's not the same as the MAC address you use to register the NSG on Nebula. Use ARP command of a connected device, or even easier, just enable Guest network in the SSID overview page which automatically detects the gateway LAN MAC.

    "You will never walk along"
  • ComputeInTheCloud
    ComputeInTheCloud Posts: 19  Freshman Member
    First Comment Friend Collector Nebula Gratitude First Anniversary

    So you are actually contradicting yourself. When I engage the Guest setting on the interface, you are correct, it places the MAC address of the gateway in the layer 2 isolation section. Great. (Not the LAN Mac address). why in the name of hell doesn't ZyXEL display the MAC addresses of all the interfaces somewhere in the web interface? When I did this manually, using the same MAC address, it fails. There are just so many problems with the Nebula interface that is almost pointless to name them all. ZyXEL has A LOT of work left to do to make this a viable product.

  • ComputeInTheCloud
    ComputeInTheCloud Posts: 19  Freshman Member
    First Comment Friend Collector Nebula Gratitude First Anniversary
  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    25 Answers First Comment Friend Collector Third Anniversary
    edited February 2020

    Hello @ComputeInTheCloud,

    Thanks for your suggestion.

    When you enable Guest network, the GW MAC address on the AP management VLAN will be added to the L2 isolation white-list as default GW. The GW MAC address on AP management VLAN (NSG's LAN port MAC address) and the MAC address used to register the NSG on NCC will not be the same.

    However, as you mentioned, there's no information on NSG page to show all MAC addresses, so I add it to idea section as below link.

    https://businessforum.zyxel.com/discussion/3811/mac-address-information-on-nsg/p1?new=1

Nebula Tips & Tricks