"Easy mode" "Guest Wi-Fi" cannot adjust VLANs for guest Isolation

All Replies

  • PeterUK
    PeterUK Posts: 2,655  Guru Member

    Make a new zone named “VLAN100” in Object > Zone, then on the VLAN 100 interface set the zone to “VLAN100”.

    Make a routing rule with the following:

    incoming = Interface
    member = “VLAN100”
    next-hop
    type = Interface
    interface = WAN1

    Then firewall:

    from = “VLAN100”
    to = WAN

    You should be able to ping 8.8.8.8


  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    Hi @ppandmary

    1. Please change the VLAN interface type to internal, so the USG will add a route for the interface automatically.
    2. May I know why you enabled ARP proxy? By default, it is disabled.
    3. Please add a DNS server for the VLAN interfaces. Otherwise, the stations cannot resolve URLs and can only ping the internet.
    4. If you need these WiFi stations to access only the internet and no internal servers:
        a. Remove VLAN100 and VLAN200 from the LAN1 zone, and add the VLAN interfaces to a new zone.
        b. Create firewall rules so the stations can access only the internet, not internal servers.
        c. Enable L2 isolation so the stations cannot communicate with each other.


    Joslyn
  • ppandmary
    ppandmary Posts: 15
    ARP my mistake. Added 3 policy rules, corrected DNS, Added 2 zones and eliminated Lan1/v200 via policy.
    L2 iso is not for vLan100 (corporate network); printers, etc. vLan200 L2 iso would be good but member option is not available.

    3 pictures; Zones, L2 iso, fw policy.

    I also dropped thresholds on the AP Profiles for both radios from 82/88 to -62/-68 

    Need L2 iso fixed on vLan200.

    Next step is to add switches and multiple APs.
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    Hi @ppandmary

    May I know if the current configuration meets your requirements?

    Joslyn
  • ppandmary
    ppandmary Posts: 15
    I also added routing IAW what PeterUK mentioned. See picture. Now that internet is working, looking at speedtest.net: 400M on wired, 80meg wireless.
  • ppandmary
    ppandmary Posts: 15
    Can I download a config for you?
  • ppandmary
    ppandmary Posts: 15
    Here are the config files
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    Hi @ppandmary

    We can only provide suggestions once you have a question about our devices.
    Please let me know if you have any further questions.

    Joslyn
  • ppandmary
    ppandmary Posts: 15
    Here are the 2 questions as mentioned above:
    1) Why can't the L2 iso option be implemented on the guest network?
    2) Why is the wifi speedtest.net 5-10X slower than wired?

  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    Hi @ppandmary

    1. Guest Network on USG is a port role, just like LAN1, LAN, and DMZ. We use the name to separate the subnet. This naming design does not include L2 isolation.
    2. We suggest using iPerf for the performance test because we do not know the calculation method of each testing website. The SOP is attached here. iPerf can eliminate outside effects and give a pure internal test result. The performance might be half of the link rate because the airtime is shared. We have Tx and Rx packets in the air. When you are testing, please ensure there is only one station connected to 5G.

    Joslyn