Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: Can I isolate a device on a Zyxel VMG8324-B10A  (Read 3390 times)

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Can I isolate a device on a Zyxel VMG8324-B10A
« on: September 07, 2019, 05:54:48 PM »

Does anyone know if I can isolate a WiFi user so they still get Internet access but they can't get access to other users on the network?

Thanks
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #1 on: September 07, 2019, 06:13:29 PM »

Take a look at defining a Guest WiFi SSID and set up appropriate restrictions to keep the user isolated from the LAN.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #2 on: September 08, 2019, 09:26:24 AM »

Yes, it looks like you can define guest networks.
The screenshot is from my 8924 (same device but with addition of 5GHz wifi - firmware is identical) and it looks easy to do.
Go to 'Network Setting' and then 'Wireless' and you'll see the 'Guest/More AP' tab.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #3 on: September 08, 2019, 04:32:32 PM »

Thanks for replies I wonder if I can define a different IP range for the guest network? 

Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #4 on: September 08, 2019, 04:45:40 PM »

Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.

I wasn't aware of that "feature" with those devices.  :-\

However, there is a way around it. Just disconnect the VMG8324-B10A from the incoming line and then make your changes. (Yes, the GUI will then constantly "nag" that it has a problem connecting to your ISP/CP but that can be ignored.)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #5 on: September 09, 2019, 08:10:55 AM »


Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.

I'm sure my one does not do that.
It might drop and reinstate the PPP session (but not the DSL link) for some changes but it doesn't usually need a full restart.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #6 on: September 09, 2019, 04:51:09 PM »

Yes, it looks like you can define guest networks.
The screenshot is from my 8924 (same device but with addition of 5GHz wifi - firmware is identical) and it looks easy to do.
Go to 'Network Setting' and then 'Wireless' and you'll see the 'Guest/More AP' tab.
Quick read of the document suggests the built in Guest function isolates the client devices from each other, but doesn't specify if it also isolates them from wired devices.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #7 on: September 09, 2019, 07:44:30 PM »

Aesmith’s point is crucial of course.

The ZyXEL NWA3560-N WAPs, which I am using, have two separate functions: (i) isolate wireless stations from one-another, and (ii) a L2 isolation ACL feature which allows you to say “not allowed to talk to any wired or wireless node with the exception of x or y or z …” and you need this because if you want a particular node to be able to talk to the internet it will need to be able to talk to the default gateway ie the router and to a DHCP server, on-lan DNS server if applicable, and so on.
Logged

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #8 on: September 09, 2019, 08:10:38 PM »

On my 8324:

I couldn't get this to work the WiFi client could still access www pages hosted on lan based clients so not isolated.

I tried the external guest option and even an acl item neither worked for me. 

Unfortunately I am going to have to add specific firewall rules to each machine to deny access to the wifi device I want isolated.  Far from perfect but the best I can do.  I can't trust the router to do it.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #9 on: September 10, 2019, 02:30:14 AM »

IP firewalling isn’t going to work. As this is a layer 2 issue; a guest station can send non-IP Ethernet frames to another machine on the wired LAN and pester them that way.

Is there anything that can be done using VLANs with this router? Put the guest stations into a different VLAN and then have the router do VLAN remapping to get stuff to and from the internet?

Another alternative would be to put the guest machines on a different router in a different, routed IP subnet, firewalled off behind another NAT translator and in their own IP address range.
Logged

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #10 on: September 10, 2019, 08:17:06 AM »

Thanks for reply it is good to know why at least the acl rules were not working but the wording on the guest WiFi setup on this router is a bit misleading.

There are some VLAN options on the router but whether all the required functionality is present I do not know and getting into the realms of completely not knowing what I am doing.

I wanted to set up two dhcp ranges on the router itself but I could only find a single range and the GUI is not really setup for multiple ranges anyway so seems to point to not possible.

The 2nd router is an idea but not sure I could get it to work (eg how do the 2nd router get internet access etc) it would be in the realms of my experience and capabilities of my equipment.

I am going to try adding rules to Windows and Linux firewalls to block all communication with the device.  It is specific and a pain to keep track of and relying on me to remember to add the rules if I reinstall or other PCs are added to the network but without a better router I guess I am out of luck.

Perhaps when the new WiFi standard is out it is an excuse to look for something new and more configurable.
Logged

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #11 on: September 10, 2019, 08:21:48 AM »

On my 8324:

I couldn't get this to work the WiFi client could still access www pages hosted on lan based clients so not isolated.

I tried the external guest option and even an acl item neither worked for me. 

Unfortunately I am going to have to add specific firewall rules to each machine to deny access to the wifi device I want isolated.  Far from perfect but the best I can do.  I can't trust the router to do it.

My bold above - if they are www pages then I expect they would be accessible as they are on the internet (ie WiFi client goes out to the internet and back in again). 
Or am I reading this wrongly?
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #12 on: September 10, 2019, 12:03:40 PM »

Sorry not clear it is www hosted on local machines not the internet eg DSLstats web interface so if the guest ap was truly isolating clients these shouldn't be accessible - a fundamental reason for using guest in the first place.
« Last Edit: September 10, 2019, 12:10:08 PM by ktz392837 »
Logged

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #13 on: September 10, 2019, 05:27:22 PM »

I've just taken a further look at the setup for this (see screenshot) and see it has a 'Guest WLAN' option with the further option to choose 'External Guest' or 'Home Guest'. Does even the External Guest option not properly isolate it?
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

ktz392837

  • Reg Member
  • ***
  • Posts: 559
Re: Can I isolate a device on a Zyxel VMG8324-B10A
« Reply #14 on: September 10, 2019, 09:43:18 PM »

Unfortunately not External Guest was what I was using.  Thanks for posting though.

I have ended up using ufw in Linux and Windows Firewall to block the IP address of the guest device.  Far from ideal but I can at least trust it assuming I remember to add the rule if I do a full reinstall. Would have much more preferred it configured in the router.
Logged
Pages: [1] 2