Guest Wireless Issues with 500H - Layer 2 Isolation

Hi @DaviD42,

I understand you're experiencing guest Wi-Fi issues with your Nebula setup after a firmware upgrade, specifically with DNS timeouts and no internet access, despite devices obtaining IP addresses and adding the MAC to the wireless isolation whitelist.

Here are some steps to troubleshoot the issue:

• Verify Layer 2 Isolation Whitelist for correct ＭAC address of the firewall port: When Layer 2 isolation is enabled, only traffic to whitelisted destination MAC addresses is allowed. Even if you've added the 500H's MAC address to the whitelist, if it is not the correct port MAC of the connecting port, the traffic is still blocked by the AP. Please ensure you configure the correct MAC address. EX. Your firewall's MAC address is XX:94:FE ~ XX:95:09, and your switch is connecting to port 5 (MAC address is XX:95:02). The MAC address you need to set in Layer 2 Isolation Whitelist is XX:95:02.
• Check DNS Server Reachability: Even after setting public DNS servers (1.1.1.1 and 8.8.8.8), if the guest network cannot reach them due to firewall rules or routing issues on the 500H, DNS resolution will still fail. Confirm that the 500H firewall rules permit DNS traffic (UDP port 53) from the guest VLAN to the internet (for 1.1.1.1 and 8.8.8.8) or to the 500H itself if it's acting as the DNS server.
• Review Firewall Rules on 500H: Firmware upgrades can sometimes alter or reset firewall configurations. Double-check the firewall rules on your 500H to ensure that traffic from the guest VLAN to the internet is allowed and not being inadvertently blocked. Also, confirm there are no rules blocking DNS queries specifically.
• Confirm Uplink Connectivity: Although the business SSID works, guest traffic may follow a different forwarding path. Perform ping tests from a guest client to confirm reachability to the AP and the upstream firewall.
• Test with Public DNS on Client: As a temporary diagnostic step, directly configure a guest client with public DNS servers like 8.8.8.8 and 8.8.4.4 to see if this bypasses any DNS resolution issues originating from your 500H or its configuration.

To further assist you, please provide the following information:

• Firmware Version: The exact firmware versions of your 500H firewall, 1900 series switches, and 630s APs.
• Network Topology Map: A simple diagram or description of how your devices are connected, including VLAN assignments.
• Screenshot of Nebula SSID Advanced Settings: A screenshot of your guest Wi-Fi's "SSID advanced settings" in Nebula, specifically the Layer 2 isolation section.
• Screenshot of 500H Firewall Rules: Screenshots of any relevant firewall rules on your 500H that apply to the guest VLAN.
• Enable Zyxel Support Access: Please enable Zyxel Support Access via Help > Support Request in your Nebula console. This allows our support team to directly view your cloud environment configuration, significantly shortening troubleshooting time.
• Organization and Site Name: Provide the name of your Nebula Organization and Site.