Secure port on my zyxel switch that is connected to an outdoor WIFI access point

PersonX
PersonX Posts: 8
First Comment Friend Collector Second Anniversary
edited August 2022 in Switch
I want to install an outdoor WIFI access point.
I want to configure my Zyxel managed switch (GS1900-24E) so that only this access point can use that cable. I want to prevent someone from disconnecting the cable from the WIFI access point and plugging it into their cable.
I rad the explanation provided here. From what I understand I can specify that this port can only be used with the MAC address of the WIFI access point. However if I do this, the smartphones and laptops connected to the wifi network broadcast by the access point don't work.
So I decided to add the MAC addresses of the laptops and smartphones so that they can connect to this port. However then they don't work on my other WIFI access points anymore. I have the impression that they become only allowed on the port for which I added the MAC address... Obviously I want my devices to continue working on all access points, not only the outdoor one.
So my question is: how can I accomplish what I want?
Many thanks for your advice

All Replies

  • TomorrowOcean
    TomorrowOcean Posts: 59  Ally Member
    First Answer First Comment Friend Collector Seventh Anniversary
    Does your AP support NAT?
    Maybe using NAT mode on your AP, then you will see only one IP/MAC(AP's IP and MAC) from all your wireless clients.
    Therefore, you may limit one MAC address with port security on Switch. 
  • PersonX
    PersonX Posts: 8
    First Comment Friend Collector Second Anniversary
    Thanks a lot for your suggestion @TomorrowOcean.
    I am using Ubiquiti Unifi access points. It seems like these do not have NAT (I read this is something that's usually set-up on the router, not the access point).
    Thanks anyhow for the idea.
  • imaohw
    imaohw Posts: 124  Ally Member
    First Comment First Answer Friend Collector Sixth Anniversary
    edited March 2021
    I also use Unifi access points with Zyxel switches and a Zyxel router/firewall.

    The best way I have found to address this concern is by using VLans and firewall rules to limit access in case someone does disconnect an AP and plug something else into the cable.  Below I list some of the other steps you can take.  But, ultimately it is nearly impossible to protect an outside cable from a determined hacker.

    Here is what I did to “protect”  outside cables from being unplugged from an access point and being plugged into another device:

    • I set the PVID of the port on the switch to be in a separate AP Management VLan. The AP gets an IP address in the AP management VLan.
    • In Unifi each of the SSIDs are associated with a VLan other than the AP Management VLan. Devices connecting to the wireless network get an IP address in the VLan associated with the SSID the device connected to.
    • I have firewall rules that prevent or allow inter VLan routing as needed. Devices in the AP Mangement VLan cannot access any other network resources.
    • I use a IP/MAC binding table on the firewall/router/dhcp server for the AP Management VLan so that the DHCP server only assigns IPs to known MAC addresses. 
    • If someone manages to figure out the IP range for the AP Management VLan and assigns a static IP to a device which they plug in to the outside AP cable the firewall will block traffic because the MAC address and IP address pair would not be in the static binding table.
    • In addition, have alerts set up if any AP disconnects from the network.
    Unfortunately, all of the “protection” can be somewhat defeated if someone was to spoof their MAC address to be the MAC address of AP (which Ubiquiti puts on the label of the AP) before plugging their device into the outside cable. If this happens, network access would still be limited by firewall rules.

    I also use a Zyxel switch which supports MAC address learning limits on a per port / per VLan level.  But that is not available on a GS1900.
  • PersonX
    PersonX Posts: 8
    First Comment Friend Collector Second Anniversary
    That's a very comprehensive answer. Many thanks for that.
    My router is an router/modem combination provided by my ISP and it has no VLAN configuration options. Based on your explanations I understand that that this makes it impossible to secure my router this way.
    I'm thinking of a fairly simple alternative: feed the ethernet cable with a passive 24V POE injector. That will power my Unifi Access Point, but of someone puts it into their laptop, I believe it would fry their ethernet port.
  • TomorrowOcean
    TomorrowOcean Posts: 59  Ally Member
    First Answer First Comment Friend Collector Seventh Anniversary
    Hmm...I don't think the PoE injector will still deliver power when the connected device is not a PD, so the laptop should not be burned...😂