Nebula [Guest WiFi] - Configure Guest WiFi with Layer 2 isolation

WiFi deployments often include a network for the guests of the site they are deployed in. You most likely do not want guests to sniff around in your network or become a potential threat to other guests! Setups built with Nebula devices are no exception, so let's cover how to set this up on your Nebula access points!

Please note: this tutorial will only work properly if you solely use Nebula-deployed access points.

The main solution to this issue is Layer 2 isolation. Layer 2 isolation only allows traffic towards whitelisted destination MAC addresses. This makes it a good way to keep guest clients from accessing any device other than the network gateway, and it efficiently blocks any undesirable connection attempt within the network.

 

1) Configure Guest WiFi (Layer 2 Isolation)


Configuration:
1. In the Authentication page, select the guest SSID and scroll down to the bottom to find L2 isolation.

2. Enable L2 isolation and enter the MAC address of the gateway port where the uplink is, so that clients have internet access.



3. If there are other devices in the network that should be allowed to connect, simply press "Add" to create a new entry and enter the MAC of the device.


 

2) Find your Gateway LAN MAC address

*If you don't know the MAC address of the gateway port, you can connect to the network and run "arp -a" in CMD or a terminal to find the gateway MAC.

 

Connected to Access point connected to P4:

 

Connected directly to firewall on P3:
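The "arp -a" lookup above and the "Add" entries from step 3, as an added example that is not part of the original article: a Python parser that reads "arp -a" output in both the Windows and the Linux/macOS layout, returns the gateway MAC to enter in the L2 isolation table, and lists the other devices seen so you can decide which ones guests really need to reach. The function names, IP addresses and MAC addresses are constructed for illustration.

```python
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Windows prints aa-bb-cc-dd-ee-ff; Linux/macOS print aa:bb:cc:dd:ee:ff
# (macOS drops leading zeros, e.g. 2:0:0:0:0:1).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Return the MAC as zero-padded, upper-case, colon-separated octets."""
    return ":".join(o.zfill(2) for o in re.split(r"[:-]", mac)).upper()

def parse_arp(output):
    """Map IP -> MAC for every unicast entry in `arp -a` output."""
    table = {}
    for line in output.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # interface headers, column titles, incomplete entries
        mac = normalize_mac(mac.group(1))
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast/multicast, never a gateway port
        table[ip.group(1)] = mac
    return table

def allowlist_candidates(output, gateway_ip):
    """Return (gateway MAC or None, {ip: mac} of the other neighbours seen)."""
    table = parse_arp(output)
    gateway_mac = table.pop(gateway_ip, None)
    return gateway_mac, table

# Constructed sample outputs (locally administered MACs, not real devices).
WINDOWS_SAMPLE = """\
Interface: 192.168.1.33 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
  192.168.1.20          02-00-00-00-00-14     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""
UNIX_SAMPLE = """\
? (192.168.1.1) at 2:0:0:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.20) at 02:00:00:00:00:14 on en0 ifscope [ethernet]
? (192.168.1.7) at (incomplete) on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, UNIX_SAMPLE):
        gw, others = allowlist_candidates(sample, "192.168.1.1")
        print("gateway MAC:", gw, "| other devices seen:", others)
```

To use it on a real client, pass the text printed by "arp -a" and the client's default gateway IP; a result of None for the gateway means the client has no ARP entry for that IP yet.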

 

2.1 Finding LAN MAC Address in Nebula

You can also go into your Nebula Gateway (non-Nebula gateway) and calculate the MAC address:

Devices -> Firewall

Example: 
If we have the access point connected to port 4, we need to enter the MAC-address ...:A9:E3 into the MAC-table of the layer 2 isolation.

 

2.2 Finding LAN MAC Address in Stand-alone mode

You can find your MAC address range under the Dashboard.

 

But you can also navigate to Configuration -> Ethernet and double-click on your Ethernet interface to view the MAC-address. Here we can see that P1 (sfp) has the first MAC-address of the range.

 

 
