NSG local access blocked for guest interfaces
Bram_Lortye
Hi there,
I use an NSG50, a GS1920-8HP and 2 NAP102.
In the NSG50 I created several VLANs and a VLAN10 for guests (10.10.10.1 with DHCP server from 10.10.10.33-232), and I enabled the 'guest' slide button in the interface section.
In the AP settings I made a 'guest' SSID with VLAN ID 10 and (did I need to?) enabled the 'guest' slide button, so the 'layer-2-isolation' is enabled, and I did enter the MAC address of the NSG50.
So far so good: when I connect to the guest SSID, I can connect to the internet, but I can also connect to the NSG's local GUI at 10.10.10.1.
I don't want guests to be able to do this. Can I manage to block this IP?
I tried to make an outbound firewall rule with source: 10.10.10.0/24 destination: 10.10.10.1 but then I get the error message: INVALID_DST_IP_AND_SRC_IP_DUPLICATE
Perhaps I am doing it all wrong. What I would like to make is a network with 4 VLANs, all separated from each other, with one guest LAN that can only access the internet.
If someone could help me in the right direction, thank you very much.
gr. Bram
0
Accepted Solution
-
Hello @Bram_Lortye
Welcome to the Community!!
The error message pops up because your destination IP 10.10.10.1 is included in 10.10.10.0/24; it's the same subnet, so it is not doable.
On the other hand, we currently do not restrict guest zone users from accessing the NSG GUI, in consideration of the captive portal. For this part I'll move this post to the idea section; anyone who likes this idea can leave a comment or press the like button below.
/Chris
5
All Replies
-
Hi Chris,
Thanks for your reaction, I was already afraid it wasn't doable.
Then it also isn't possible to use 2FA for the local login, or to disable the local login completely?
If possible I want guests not to be able to crack the local password in any way.
grts. Bram!
0 -
Hi Bram,
We'll have the enhancement of this part and the 2FA will be launched on L2TP, I'll private message you about the guest zone case.
/Chris
0 -
When will 2FA be launched on L2TP? Will it be launched on IPSEC/L2TP?
Thanks in advance
0 -
Hi @Alfonso
It's L2TP over IPSec VPN that supports the 2FA feature, and it will be launched in December of this year. 😄
Cheers~
1 -
Thanks @Nebula_Chris
It sounds great.
1