USG110 best WiFi AP settings for internet only
Hello,
I would like to get advice on setting up (or changing) WiFi security
and setting USG110 for internet connection via AP DLink.
Now I have the following setup:
USG110 gate 192.168.271.254
AP DLink connected to LAN.
WAN 192.168.271.252
LAN 192.168.1.1
assigns DHCP 192.168.1.100-200
The AP should ONLY be used to connect to the Internet (not to the LAN).
AP - current FW, WPA2/PSK, hidden SSID, whitelist of allowed MAC addresses.
Unfortunately, I also ping the internal network 192.168.271.254, map the disk, etc.
How best to set the option to connect only to the Internet (by AP) in this configuration?
a)
should I connect the AP to another port on the firewall and set a rule for AP ?
b)
Or is it sufficient to set routing for 192.168.271.252 on the firewall?
Question :
This is rather general ... it can be said that I have done the maximum possible in terms of security -
(WPA2/PSK, hidden SSID, whitelist of allowed MAC addresses) + additional adjustment a) or b) ?
Thanks for tips or answers ...
Vaclav
All Replies
-
This AP Dlink is a router being used as an AP? You likely want to put it on another port of the USG and not use the WAN port on the Dlink, then have rules not like LAN to ANY but LAN to WAN, or give the interface its own zone.
1 -
Hi @kyssling,
On the AP DLink, check if it has the operation mode such as “Access Point” or "bridge mode" and select this operation mode. Connect the AP to another lan interface and assign this lan interface to another zone. Then create security policy rules to block this zone from accessing other lan zones.
1 -
Hello, thank you for advice, can I ask for more detail ...
I connect AP to port 5 on USG110 and set it as LAN2. IP address on port 5 (LAN2) 192.168.2.1 (DHCP, DNS set)
What minimum PolicyControl do I need to set (only for internet web browsing on cellphones or tablets connected via AP - no VPN etc.)?
LAN2 to WAN allow
LAN1 to LAN2 deny
LAN2 to LAN1 deny
LAN2 to Zywall deny (?)
WAN to LAN2 deny (?)
Thank you!
0 -
The default rules for LAN1 and LAN2 are to ANY, so you want to change that to WAN so that LAN2 can't get to LAN1.
As for internet web browsing only, you can make a group of services with 80 (HTTP), 123 (NTP), 443 (HTTPS), 53 (DNS)? Unless you go from LAN2 to Zywall for DNS. Games can be blocked by this limited group.
1
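The zone policy discussed in this thread, modelled as a first-match rule table so the default "to ANY" rules can be compared with the guest-only set. This is an added example, not part of any reply and not Zyxel configuration syntax. The LAN1 subnet, the client addresses, the names `DEFAULT` and `GUEST`, and the meaning of "any" (every zone except the firewall itself) are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: LAN2 follows the thread (192.168.2.1); LAN1 is assumed.
ZONES = {"LAN1": ip_network("192.168.10.0/24"), "LAN2": ip_network("192.168.2.0/24")}
ZYWALL_IPS = {ip_address("192.168.10.1"), ip_address("192.168.2.1")}
WEB = {("tcp", 80), ("tcp", 443), ("udp", 123), ("udp", 53), ("tcp", 53)}
DNS = {("udp", 53), ("tcp", 53)}

def zone_of(addr):
    ip = ip_address(addr)
    if ip in ZYWALL_IPS:
        return "ZyWALL"            # traffic addressed to the firewall itself
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"                   # anything not local is reached via WAN

# Rule = (from_zone, to_zone, services or None for any service, action).
# "any" means every zone except ZyWALL (modelling assumption).
DEFAULT = [("LAN1", "any", None, "allow"), ("LAN2", "any", None, "allow"),
           ("LAN2", "ZyWALL", None, "allow")]  # stand-in for a to-device rule
GUEST = [
    ("LAN1", "WAN", None, "allow"),
    ("LAN2", "ZyWALL", DNS, "allow"),  # only if guests use the USG as resolver
    ("LAN2", "WAN", WEB, "allow"),
]

def decide(rules, src, dst, proto, port):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    s, d = zone_of(src), zone_of(dst)
    for frm, to, services, action in rules:
        zone_ok = frm == s and (to == d or (to == "any" and d != "ZyWALL"))
        if zone_ok and (services is None or (proto, port) in services):
            return action
    return "deny"

# Constructed flows, mostly from a guest tablet at 192.168.2.50.
FLOWS = [
    ("192.168.2.50", "192.168.10.20", "tcp", 445),  # file share on LAN1
    ("192.168.2.50", "203.0.113.10", "tcp", 443),   # HTTPS on the internet
    ("192.168.2.50", "192.168.2.1", "udp", 53),     # DNS to the USG
    ("192.168.2.50", "192.168.2.1", "tcp", 443),    # USG web admin page
    ("192.168.10.20", "192.168.2.50", "tcp", 80),   # LAN1 host to guest
]

def audit(rules):
    return [decide(rules, *flow) for flow in FLOWS]

if __name__ == "__main__":
    print(audit(DEFAULT), audit(GUEST))
```

With the guest set, only web traffic to WAN and DNS to the USG survive; the LAN1 file share, the USG admin page and LAN1-to-guest connections all fall through to the implicit deny.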