Overview

This guide is design for setup of a guest and private network on a Zyxel access point using layer-2 isolation to isolate/segregate wireless users on the guest network for internet access only.  Layer-2 isolation will prohibit users on the guest network from communicating with each other and devices connected to the private network.

Supported Devices

Running firmware version 4.20 and newer

Wi-Fi Layer-2 Isolation Profile

The Layer-2 Isolation list is a group of devices that bypass segregation/isolation from the network.  In a guest network it is ideal to prevent devices connected to the network from communicating with each other, for security reasons.  This is especially true in hospitality type scenarios such as a coffee shop hotspot or hotel/motel wireless network.  Layer-2 Isolation prevents users from snooping on other patron’s traffic on the same network.  However, some devices such as printers or the internet gateway have to be available for all devices to communicate with.  If Layer-2 Isolation prevents communication with the internet gateway, users will not be able to access the internet, or print documents to a network shared printer.

To setup a list of devices that need to be shared on the guest network, such as the internet gateway, please follow these instructions to create a Layer-2 Isolation profile.

Login to the access point WebGUI and go to menu, Configuration → Object → AP Profile and click on the SSID tab.  From this menu click the "Layer-2 Isolation List" sub-tab and click the Add button to insert a profile.

• Profile Name – Give the L2 profile a name. (ex: L2_Bypass)
• Click the Add button to insert a MAC Address entry for the device that will be allowed to bypass the Layer-2 Isolation.
• Click OK to save the profile.
  

Wi-Fi Security Object

Wi-Fi security is used to protect data being transmitted between the wireless client(s) and wireless base station by encrypting the packets before they are sent over the air.  This will ensure that wireless communications are secure from middleman sniffing out wireless packets.

On the WebGUI go to the Configuration → Object → AP Profile menu and click on the SSID tab.  Underneath the SSID tab menu there are options for SSID List, Security List and MAC Filter List, click on the "Security List" option to begin creating a wireless encryption object.  Click the Add button to insert a new security profile to the list.

• Profile Name – Provide a name for the profile.
• Security Mode – Select the security mode you wish to use from the drop down, options are: None, WEP, WPA2 or WAP2-Mix.  (For this example WPA2 is selected)
• Scroll down to the "Authentication Settings" option and select PSK (if not selected by default).
• Type in a password on the "Pre-Shared Key" field (password can be between 8 and 63 characters long using WPA2).
• For WPA2 encryption the "Cypher Type" should be set to AES only.
• Click the OK button to apply/save the settings.
  

Wi-Fi SSID Object

The SSID object refers to the name the wireless signal will carry (this is the name the wireless clients can see).

On the WebGUI go to the Configuration → Object → AP Profile menu and click on the SSID tab.  Underneath the SSID tab menu there are options for SSID List, Security List and MAC Filter List, click on the "SSID List" option to begin creating a name object for the wireless broadcast.  Click the Add button to insert a new SSID profile to the list.

• Profile Name – Provide a name for the profile.
• SSID – Create a name for the wireless signal.
• Security Profile – Click the drop down and select the security object created in the Security List menu.
• Layer-2 Isolation Profile – Click the drop down and select the object created in the Layer-2 Isolation List menu. (ex: L2_Bypass)
• Click the OK button to apply/save the settings.
  

Wi-Fi AP Management

To apply the Guest network profile just created to the access point’s wireless radio(s), please go to menu Configuration → Wireless → AP Management.  Depending on the access point model it may have 2 radios built-in, a 2.4GHz and 5GHz radio.  Under the "Radio 1 Setting" please check the following:

• Radio 1 Active – This option must be checked for the device to broadcast a signal using this radio.
• Radio 1 OP Mode – The operation mode must be set to "AP Mode" for this setup.
• Scroll down to the "MBSSID Settings" where there are 8 SSID broadcast slots available.  By default only the first slow should be enabled using the default profile.  Edit the second slot to use the guest wireless network profile.  (ex: Guest)
• Repeat the process for "Radio 2 Setting" (if AP is dual-band)
• Click the Apply button to save the settings.
  

Troubleshooting

1. Wireless devices cannot see/detect the Wi-Fi broadcast signal:
• If the access point you purchased has external antennas, make sure they are attached and secure.
• Make sure distance is not an issue, move in closer to the AP (if far away) to see if the wireless device can see/detect the signal when closer.
• Make sure wireless capability on the client host (smartphone, tablet, computer, etc.) is enabled.
• If you used special characters or spaces for the SSID name you programmed on the access point, delete them and try again (if the wireless client does not support special characters on the wireless network name it will not be able to detect the signal).
• Turn wireless radio OFF and ON.
• Reboot the device.
• Check the AP Profile to make sure the "Hidden SSID" checkbox is unchecked.
  Configuration → Object → AP Profile → SSID on the "SSID List" tab edit the broadcast profile.
  
• Contact Zyxel Tech Support for further assistance @ 800-255-4101 option 5 (for Tech Support) followed by option 2 (for Enterprise Wireless). Support is available Monday-Friday from 8:00-17:00 Pacific Time. You can also reach us via email by submitting a support request form here.
2. Cannot associate wireless client connection to Wi-Fi signal:
• If there are any special characters to the wireless password, please remove them.  Client may not support these characters which is preventing the connection.  The password can be edited from Configuration → Object → AP Profile → SSID on the "Security List" tab edit the password profile.
• Disable wireless security on the access point and see if client can connect to the unsecure network.
• Verify that your client supports the encryption method configured on the access point.  (WEP, WPA, WPA2, etc.)
• If MAC filtering is enabled on the access point, make sure the client(s) attempting to establish a connection are on the list.  (if list is based on allowed addresses)
• Set channel width to use 20MHz width only, older/legacy wireless clients do not support networks with higher channel widths.  The channel width can be managed from the Configuration → Object → AP Profile menu.  The Radio tab host both 2.4GHz (default) and 5GHz (default2) spectrum channel setups.
  
• Change wireless channel to rule out wireless interference impeding the connection from establishing.  The wireless broadcast channel can be managed from the Configuration → Object → AP Profile menu.  The Radio tab host both 2.4Ghz (default) and 5GHz (default2) spectrum channel setups.  From this menu the 802.11 mode (802.11b/g, 802.11b/g/n, etc.) and channel width (20MHz or 20/40MHz) can also be tweaked.
  
• Contact Zyxel Tech Support for further assistance @ 800-255-4101 option 5 (for Tech Support) followed by option 2 (for Enterprise Wireless). Support is available Monday-Friday from 8:00-17:00 Pacific Time. You can also reach us via email by submitting a support request form here.