Nebula SSID Layer 2 isolation and network scanners

HPITS
HPITS Posts: 7
edited May 21 in Wireless

Hi.

I configured Nebula with one AP. The SSID has Layer 2 isolation enabled (with or without Guest Network enabled). The firewall MAC address is the only address added/allowed.

Traffic to the internet is working fine. Traffic to other physical devices on the same subnet is blocked/not working, as expected (i.e. HTTPS traffic).

However, if I connect a wireless Android client to the SSID and scan the network using, for example, the Android app "Net Analyzer", it finds all the devices connected to the switch(es) on the same subnet.

Can this be prevented?

Regards

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,631  Zyxel Employee
    Answer ✓

    Hi @HPITS ,

    The current L2 isolation mechanism works as follows:

    • Allow multicast packets,
    • Allow broadcast packets
    • Allow packets from a configured Wi-Fi interface if the destination MAC is on the list (e.g., GW MAC)
    • Drop other packets from the configured Wi-Fi interface.

    Usually, scanner software will send an ARP request for every IP in the subnet, and an ARP request is broadcast. Though the ARP reply is unicast, it will be allowed since its source interface is not the Wi-Fi's L2 isolation interface. Once the scanner receives an ARP reply, it knows there is a device at the corresponding IP.

    Reversing rules 3 & 4 (only allowing packets from whitelisted MACs on the Wi-Fi output interface, others are dropped) can block the ARP reply part, but this software will still use UPnP or Bonjour (mDNS) to find services. They are of the allowed multicast type, so they can still be discovered.

    In addition, blocking broadcast/multicast may cause abnormalities in some applications.

    To sum up, in a network with wired clients, please refer to the port isolation feature to check whether it achieves the requirement. For the AP, since all Ethernet devices are on the uplink port side, it is not possible to achieve the same effect as port isolation.

    Judy

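As an added illustration (not from the thread and not Zyxel code), the following Python model applies the four forwarding rules listed above, and the "reversed" variant, to the frames a subnet scan provokes; it shows why hosts are still discovered under both. All MAC addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample addresses, not real devices.
BROADCAST = "ff:ff:ff:ff:ff:ff"
MDNS_MAC = "01:00:5e:00:00:fb"      # IPv4 multicast MAC for mDNS (224.0.0.251)
GW_MAC = "00:00:5e:00:01:01"        # firewall/gateway MAC, the only allow-listed entry
SCANNER = "02:aa:bb:cc:dd:01"       # Android client on the isolated SSID
WIRED_HOST = "02:11:22:33:44:55"    # device behind the switch on the same subnet

ALLOWED_MACS = {GW_MAC}

@dataclass
class Frame:
    src: str
    dst: str
    ingress: str   # "wifi" = the isolated SSID, "uplink" = the wired side
    kind: str      # label used only for reporting

def is_group(mac: str) -> bool:
    """Broadcast or multicast: the low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def current_policy(f: Frame) -> bool:
    """Rules 1-4 as described: only frames entering from the Wi-Fi side are filtered."""
    if is_group(f.dst):
        return True                          # rules 1 and 2
    if f.ingress == "wifi":
        return f.dst in ALLOWED_MACS         # rules 3 and 4
    return True                              # uplink -> Wi-Fi is not inspected

def reversed_policy(f: Frame) -> bool:
    """Rules 3 and 4 moved to the Wi-Fi output side: unicast may reach the SSID
    only from an allow-listed source MAC."""
    if is_group(f.dst):
        return True
    if f.ingress == "wifi":
        return f.dst in ALLOWED_MACS
    return f.src in ALLOWED_MACS

def simulate_scan(policy) -> dict:
    """Frames a scanner sends or provokes; True means the AP forwards the frame."""
    frames = [
        Frame(SCANNER, BROADCAST, "wifi", "arp-request"),
        Frame(WIRED_HOST, SCANNER, "uplink", "arp-reply"),
        Frame(WIRED_HOST, MDNS_MAC, "uplink", "mdns-announce"),
        Frame(SCANNER, WIRED_HOST, "wifi", "https"),
    ]
    return {f.kind: policy(f) for f in frames}

def host_revealed(policy) -> bool:
    """The wired host is discovered if any reply or announcement reaches the scanner."""
    r = simulate_scan(policy)
    return r["arp-reply"] or r["mdns-announce"]
```

Under the current rules the ARP reply gets through; under the reversed rules it is dropped but the mDNS announcement still reaches the SSID, matching the two cases described in the answer.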

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee

    Hi @HPITS,

    May I know which AP you are using and the firmware version? Thank you in advance.

    Zyxel Melen


  • HPITS
    HPITS Posts: 7

    Hi

    WAC6103D-I FW version 6.28


  • HPITS
    HPITS Posts: 7

    Thank you for an informative answer. Have a nice day!

    Regards