Layer-2 isolation and subnet problem

Y_L
Y_L Posts: 2
First Comment
edited August 2022 in WirelessLAN

Hello,

I'm trying to setup a guest wifi with layer-2 isolation on a WAC6103D-I but i can't get it working properly.

I have added mac adresses of "VPN GW" and "Internet GW" in my Layer-2 Isolation profile but it still allows users to browse web servers on the main site and internet sites.

If i remove VPN GW from my list, i can't connect to anything.

I have successfully configured another AP with a guest wifi and Layer2-Isolation on my main site without trouble.

What can i do to really isolate users on my guest Wifi?

Thanks!?

All Replies

  • livealive
    livealive Posts: 23  Freshman Member
    First Anniversary Friend Collector First Answer First Comment

    Hi @Y_L

    What's your guest Wifi scenario? Do you mean you don't wanna the guest to access your main site or the guests cannot communicate with each other or else?

  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @Y_L

    Welcome to ZYXEL community.

    Layer-2-isolation is used to block same subnet client can’t communicate with each other. If a device’s MAC addresses is NOT listed in a layer-2 isolation profile, it is blocked from communicating with other devices in an SSID on which layer-2 isolation is enabled.


    Since you added the  mac addresses of "VPN GW" and "Internet GW" in Layer-2 Isolation profile, it means that these two devices are allowed to be accessed by other devices in the SSID to which the layer-2 isolation profile is applied. So, the Guest Wifi clients can access the internet and intranet.

    If you want to isolate Guest Wifi in the office, just create a Layer-2-isolation profile without any whitelists.

    Hope it helps.

    Joslyn.

  • Y_L
    Y_L Posts: 2
    First Comment

    I think that the answer is here: "same subnet".

    It's not my case, so in this configuration i can't use Layer-2 Isolation.

    The goal is to isolate my "guest wifi" users from everything. I just want them to access internet through the "Internet GW" located in my main site.

    I'll have a look to my firewall config.

    Thank your very much for your help! ?️

    Yann