[NEBULA] Layer 2 isolation issue

ComputeInTheCloudComputeInTheCloud Member Posts: 4
edited April 21, 2020 9:38AM in Nebula AP

When I enable layer 2 isolation on my guest SSID which is defined to be on a virtual interface (VLAN10) on the connected NSG50, the system tell us to enter the following: "Please enter at least the gateway MAC address to prevent Internet access restriction". When I enter the MAC address of the secuirty gateway, I get no Internet access. So it appears I am entering the wrong MAC address. Can someone define precisely what ZyXEL means in this context when it states: "Please enter at least the gateway MAC address to prevent Internet access restriction"


I am currently using a demo so that may affect the licensing and feature availability. I don't know if that is germane.

All Replies

  • Nebula_FredaNebula_Freda Zyxel Official Agent Posts: 241  mod

    Hi @ComputeInTheCloud,

    When you enable L2 isolation, the traffic from the station to other devices will be blocked unless the device is in the white list. So, to add the MAC of VLAN interface of GW to the white list is necessary for passing the traffic from the station connected on AP.

    If your DNS or DHCP server are in the Intranet, please also add them to the white list.

    Thanks.

  • RUnglaubeRUnglaube Member Posts: 135  Ally Member

    @ComputeInTheCloud You need to use the MAC address of the LAN interface, which it's not the same as the MAC address you use to register the NSG on Nebula. Use ARP command of a connected device, or even easier, just enable Guest network in the SSID overview page which automatically detects the gateway LAN MAC.

    "You will never walk along"
    唐小鴨
  • So you are actually contradicting yourself. When I engage the Guest setting on the interface, you are correct, it places the MAC address of the gateway in the layer 2 isolation section. Great. (Not the LAN Mac address). why in the name of hell doesn't ZyXEL display the MAC addresses of all the interfaces somewhere in the web interface? When I did this manually, using the same MAC address, it fails. There are just so many problems with the Nebula interface that is almost pointless to name them all. ZyXEL has A LOT of work left to do to make this a viable product.

  • Nebula_FredaNebula_Freda Zyxel Official Agent Posts: 241  mod
    edited February 3, 2020 1:15PM

    Hello @ComputeInTheCloud,

    Thanks for your suggestion.

    When you enable Guest network, the GW MAC address on the AP management VLAN will be added to the L2 isolation white-list as default GW. The GW MAC address on AP management VLAN (NSG's LAN port MAC address) and the MAC address used to register the NSG on NCC will not be the same.

    However, as you mentioned, there's no information on NSG page to show all MAC addresses, so I add it to idea section as below link.

    https://businessforum.zyxel.com/discussion/3811/mac-address-information-on-nsg/p1?new=1

Sign In to comment.