GS1920-24HP: Segregate VLANs for Corporative or Guest access

SC_Ivy
edited November 2023 in Nebula
Hello all.

Given the following scenario:


I'm trying to configure a VLAN on a GS1920-24HP switch with a WAX510D access point. The AP is configured with a couple of SSIDs: Corporative using VLAN10, and Guest using VLAN20. But when I connect to the wifi with SSID Guest, no IP is obtained (nor an internet connection).

The VLAN20 has been configured as follows:

And the Switch port 22 (AP connected) configuration:

So, the SSIDs are set up as below:



Can anybody help me? Thanks very much in advance!

All Replies

  • Zyxel_Jason
    Answer ✓
    Hi @SC_Ivy,

    Welcome to Zyxel community!

    Here are some check points for you:
    1. Please double check if VLAN 20 interface is in the same port group as VLAN 10 interface, which has the physical port connected to GS1920-24HP.

    2. Please check if the uplink port of the GS1920-24HP is configured as Type = "Trunk" and Allow VLANs = "All" or "1, 10, 20".

    3. Since SSID name "Guest" is a little common, please make sure the Guest SSID you connect is on your WAX510D.
    You may check the BSSID (It should be the same as AP's MAC address) on your wireless client or change another name and connect again.

    If the problem persists after checking and you need further help, you may enable Zyxel Support at the Help > Support request page and share your organization/site name, so we can access your site to check on Nebula CC.


    Hope it helps.
    Jason
  • SC_Ivy
    Hi @Zyxel_Jason.

    First of all, your comment is really appreciated. Thank you. Regarding the points commented:

    For the sake of clarity (and according to the third point), I've configured the APs with VLANs 1 and 20. Furthermore, SSIDs have been renamed with more explicit IDs: "SC-Test-1" (old "Corporative" with VLAN1) and "SC-Test-20" (old "Guest" with VLAN20).


    Result: devices connected to the AP using SSID "SC-Test-1" (VLAN1) are working fine, obtaining a 192.168.1.x IP address and internet access. But devices connected using SSID "SC-Test-20" only get the 169.254.89.135 IP address (APIPA).

    1.- Neither VLAN1 nor VLAN10 is configured. VLAN20 is configured in Port Group 1 (not sure of the port group for default VLANs). On the other hand, I'm not able to see how to configure the different Port Groups in NCC.


    2.- Uplink port 25 is correctly configured as Type = "Trunk" and "all" (as default value) VLANs are allowed.



    An additional question. If new VLAN interfaces are configured (ID, DHCP Server with a static IP address and mask), does the switch need to be rebooted to apply the new configuration?

    And on the last point about additional support, note that the switch is in a "Live/Production" environment. For this reason, I'm a bit concerned about allowing unmonitored access to set new configuration or perform other operations (i.e. switch reboot).

    Again, thank you for your help. Kind Regards.

  • Zyxel_Jason
    Hi @SC_Ivy,

    From your first screenshot of the gateway, it seems you don't have an NSG in the site that has the GS1920-24HP and WAX510D, because you should be able to see the Port Group Setting in the Interface addressing page.
    I assume you maybe have it in another organization/site.
    Therefore, please go to that site and configure VLAN 20 interface again.

    For the additional question you mentioned, if you create or re-configure an interface on the Nebula gateway, you only need to wait until the configuration status is up to date, which is shown on the device detail page.

    BTW, we will get the agreement from the customer before we do any change or action that may cause service impact. :)

    Thanks.
    Jason
  • SC_Ivy
    Hi @Zyxel_Jason

    Not really sure about the NSG configuration. I've been researching on Internet how to check and configure it, but no success on that subject. 

    Zyxel Support flag has been set to enabled, so access granted.

    Thank you for your help and lessons.

  • Zyxel_Jason
    Answer ✓
    Hi @SC_Ivy,

    I have checked your site.
    There is actually no Security Gateway (NSG) in your site, so it is normal that the VLAN 20 interface you created is not working.
    As I mentioned, please find your real gateway (192.168.1.2) to configure VLAN 20.

    PS. The user may still be able to configure an interface if there is no NSG in the site.
    It is for someone who hasn't installed an NSG yet but wants to pre-configure first.

    Hope it helps.
    Jason
  • SC_Ivy
    Hi @Zyxel_Jason.

    Unfortunately, the main gateway (192.168.1.2) is a router provided by the telecom company. So it's not possible to configure VLANs on it in order to provide a customized gateway configuration.

    I've found a possible workaround by configuring the SSID Guest to use Zyxel DHCP & NAT, and clients receive IP addresses in an isolated network. Moreover, setting the SSID as a Guest Network, guest devices aren't able to reach the Corporative devices. Cons: the VLAN's DHCP server configuration is not operative, so IP addresses are not completely managed by us.

    What's your opinion about the mentioned workaround?

    Sincerely, thank you. 
  • Zyxel_Richard
    Answer ✓
    Hi  @SC_Ivy

    Just like what you observed, when NAT mode is enabled (and the guest network is enabled), the AP can allocate IP addresses to connected devices, and even block them from accessing each other (or other devices in the intranet). So this is also a good way to implement your requirement.

    If you want to further limit the client traffic towards other subnets, you can also edit the firewall rule under the SSID profile.



    For the DHCP server concern, we have an internal algorithm to avoid IP conflicts on those devices.
    If you want to check client's IP address, you can go to [Access Point > Monitor > Client] page, where we summarize the client information as well as the IP address.

    Best Regards,
    Richard
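The thread reduces to two things you can observe from a client joined to the guest SSID: an APIPA address (the 169.254.89.135 lease reported above) means no DHCP offer reached the client over VLAN 20 at all, and, once the AP NAT/guest-network workaround is in place, corporate hosts must be unreachable while the internet still works. The script below is an added example written for this thread, not Zyxel or Nebula code; it classifies the lease the guest client obtained and then probes a few targets. The corporate subnet 192.168.1.0/24 is assumed from the 192.168.1.x leases and the 192.168.1.2 gateway mentioned in the thread; the host 192.168.1.10 with port 445, and example.com as the internet target, are placeholders chosen for illustration.

```python
"""Guest-SSID isolation check, run from a client associated to the guest SSID.

Added example for this thread, not Zyxel/Nebula code. Assumptions (not in the
thread): corporate LAN is 192.168.1.0/24; 192.168.1.10:445 and example.com:443
are placeholder targets.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

APIPA = ipaddress.ip_network("169.254.0.0/16")
CORPORATE = ipaddress.ip_network("192.168.1.0/24")  # assumption, see above

# (host, port, must_be_reachable). Corporate targets must be blocked from the
# guest SSID; the internet target must still work, otherwise the guest network
# is broken rather than isolated.
TARGETS: List[Tuple[str, int, bool]] = [
    ("192.168.1.2", 80, False),    # ISP router admin UI (gateway from the thread)
    ("192.168.1.2", 443, False),
    ("192.168.1.10", 445, False),  # placeholder corporate file server
    ("example.com", 443, True),    # placeholder internet target
]


def classify_lease(addr: str, corporate: ipaddress.IPv4Network = CORPORATE) -> str:
    """Say what the address the guest client obtained tells us."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA:
        # Self-assigned address: no DHCP offer reached the client, i.e. the
        # VLAN is not carried to any DHCP server (the 169.254.x.x symptom).
        return "apipa"
    if ip in corporate:
        # Guest client got a corporate lease: no segregation at all.
        return "corporate"
    if ip.is_private:
        # A separate private range, e.g. the AP's own NAT pool.
        return "nat"
    return "public"


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes (target reachable), else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(targets=TARGETS,
          connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, bool]:
    """Try every target once; keys are 'host:port'."""
    return {f"{h}:{p}": connect(h, p) for h, p, _ in targets}


def verdict(lease: str, results: Dict[str, bool], targets=TARGETS) -> str:
    """Combine the lease class and the probe results into a single verdict."""
    lease_class = classify_lease(lease)
    if lease_class == "apipa":
        return "no-dhcp"            # fix VLAN trunking/DHCP before judging isolation
    if lease_class == "corporate":
        return "not-segregated"
    leaks = [f"{h}:{p}" for h, p, ok in targets
             if not ok and results.get(f"{h}:{p}")]
    if leaks:
        return "leaking:" + ",".join(leaks)
    if not all(results.get(f"{h}:{p}") for h, p, ok in targets if ok):
        return "no-internet"
    return "isolated"


if __name__ == "__main__":
    import sys
    # Usage: python3 guest_check.py <IP address the guest client obtained>
    if len(sys.argv) != 2:
        sys.exit("usage: guest_check.py <client-ip>")
    print(verdict(sys.argv[1], probe()))
```

A "leaking:" verdict names the corporate host:port that answered from the guest SSID, which is exactly the traffic an SSID-profile firewall rule would have to deny; "no-dhcp" means the VLAN/DHCP problem from the start of the thread is still present and isolation cannot be judged yet.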
  • SC_Ivy
    Hi @Zyxel_Jason and @Zyxel_Richard.

    Really appreciate your comments. They have been very useful to focus this issue and figure out the best solution for this case. We're going to continue analyzing our network topology, and get a better configuration for our company.

    Thank you very much. Kind regards. 
