[NEBULA] Possible to create guest WiFi with only internet access?
Hello.
For a customer i have setup a NSW100-28P (nebula) Switch and a NAP102 (nebula) accesspoint.
There is also a Fortinet firewall between Internett and the NSW.
Now i wonder can i create in Nebula Control Center a additional WiFi network for guest user that can ONLY access internett from this Wifi? I guess this has to be VLAN`s, but can i create that only for the switch and AP?
Port 1 on NSW is connected to Fortinet firewall, Port 2 on NSW is connected to AP, reminder port on NSW is connected to computers, printers and so.
\Snohetta
For a customer i have setup a NSW100-28P (nebula) Switch and a NAP102 (nebula) accesspoint.
There is also a Fortinet firewall between Internett and the NSW.
Now i wonder can i create in Nebula Control Center a additional WiFi network for guest user that can ONLY access internett from this Wifi? I guess this has to be VLAN`s, but can i create that only for the switch and AP?
Port 1 on NSW is connected to Fortinet firewall, Port 2 on NSW is connected to AP, reminder port on NSW is connected to computers, printers and so.
\Snohetta
1
Comments
-
Hello Snohetta,
Welcome to the Nebula Forum!
There are quite a lot of ways we can implement a Guest network.
Here are two guides that are currently available:
For a more in-depth guide about guest networks using VLAN, click here.
For a simpler guide about guest networks using L2 Isolation, click here.
Both methods ensures that your wireless clients accessing your Guest SSID can only access the Internet.
If you have further questions or need assistance, feel free to let me know!
Regards,
Barney Gregorio
1 -
Thanks for that @Nebula_Barney !
I think using the L2 isolation is really useful and pretty easy to set up. It also solved my old needs for a built-in DHCP in the access point to separate the guest VLAN from my intranet.
The in-depth guide looks good, especially when wired guest VLAN is also need it. BTW, the IP filtering on the NSW can also do the job to prevent the communication across VLANs, right? I have used that instead and works quite well for me.
I also saw in another post something about Guest zone for LAN/VLAN and what I understood is that we won't need to set up firewall rules anymore to block the communication. Looking forward for that
0 -
Hi @Iwannaquitthegym
Glad you like the in-depth guide!
Using the NSW's IP Filtering feature instead of configuring the NSG's firewall policies is also a great solution. But this still relies on a VLAN-based solution as you need to classify guest subnet from your private subnet.
An additional advantage to using IP filtering on the NSW would be to cut overhead out of your firewall.
And just as you mentioned, there are plans to add a Guest network feature on the NSG. This allows you to easily create a network that has a pre-defined policy to only allow access to the Internet.
Regards,
Barney Gregorio
2 -
Right, the L2 isolation works pretty well for simple guest WiFi deployments without having VLAN segmentation.
Looking forward to the guest network on NSG.
0 -
is the L2 as secure as vlan isolation?0
-
You have to isolate your guests from your corporate network with VLAN's.
But did you also wondering how to isolate and secure your guests for eachother? Apart from the network layer (f.e. guest isolation options in the AP), you can also secure the wireless transport layer. This can be done with Radius or a Unique WPA-2 key per user on the same Ssid (Private Pre Shared Key or PPSK).
The only thing you need to solve is the distibution of these Unique credentials per guest. Maybe we have to look for a PPSK Kiosk so guest can do self service.
0 -
in my opinion I think it should be almost same as safe, vlan is also a layer2 protocol and it too blocks traffic.
I'm using L2 isolate right now and don't feel any different from setting a vlan and rules in router.0 -
Hi @FrankIversen ,
It would be difficult to judge which solution would be more "secure". This is because the WLAN can already rely on SSID authentication as a preliminary security solution.
There is also a slight issue where L2 Isolation does not completely filter broadcast traffic from the private LAN and guest WiFi. But this should not have much impact in a small network deployment.
Another important factor to consider is that since the L2 Isolation method requires both SSID to use the same VLAN, it would be difficult (but not impossible) to apply different firewall policies between your private and guest clients.
@Basdg ,
I think you are referring to the NAP's Intra-BSS traffic blocking feature!
You can find this under AP > Configure > Authentication > <SSID name>.
Cheers,
Barney Gregorio
2
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight