Often, WiFi deployments include networks for the guests of the respective site they are deployed in. Also, you most likely do not want guests to sniff around in your network and being a potential threat to other guests! Setups configured with Nebula devices make no exception, so let's cover how to set this up on your Nebula Access Points!
Please note: this tutorial will only work properly if you solely use Nebula-deployed access points.
The main solution to this issue is to use Layer-2-Isolation. Layer-2-Isolation will only allow the traffic towards whitelisted destination MAC addresses. This feature is great to isolate guest clients in accessing other devices except for the networks gateway. This will efficiently block any undesireable connection attempt within the network.
1. In Authentication page, select the guest SSID and scroll down to the bottom to find L2 isolation.
2. Enable L2 isolation and input the MAC address of the gateway PORT where the uplink is, to allow clients to have internet access.
*If you don't know the MAC address of the gateway Port, you can connect under the network and in your CMD or terminal input "arp -a" to find the gateway MAC.
3. If there are other devices in the network that should be allowed to connect, simply press "Add" to create a new entry and enter the MAC of the device.