Aruba Instant & Cloud Wi-Fi

Contributor II
Posts: 50
Registered: ‎09-12-2013

Issues setting up guest network.

Setting up an Instant environment for the first time and I am having issues setting up my guest network's access rules. I want to deny all internal traffic and allow all traffic to the outside. My thought was to make blanket denies such as deny any to network 10.0.0.0/255.0.0.0, but when I put that rule in place at the top of my access rules I suddenly have no internet access on the guest network. This is an IAP-225 running the latest AOS.


Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Issues setting up guest network.

What is your DNS server?  Also, consider the ordering of those rules.  Why not place the deny statement below dhcp and DNS?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 50
Registered: ‎09-12-2013

Re: Issues setting up guest network.

My thought is that the allows are already opening up my network to that type of traffic... Is that not the case?

Guru Elite
Posts: 8,035
Registered: ‎09-08-2010

Re: Issues setting up guest network.


If your DHCP server is in 10.0.0.0/8, DHCP is being blocked by the first rule.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Issues setting up guest network.


AGarner wrote:

My thought is that the allows are already opening up my network to that type of traffic... Is that not the case?


No - it's not.  The ordering is important as the rules are enforced from the top down.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Moderator
Posts: 681
Registered: ‎04-16-2009

Re: Issues setting up guest network.

Rules are evaluated from the top down. If your DNS server is in the 10.x.x.x network then access to it is being blocked. By moving the DNS rule above the first rule the client will be able to resolve. I'm assuming DHCP is not an issue if this is the Guest Network and the IP assignment is coming from the IAP.

Contributor II
Posts: 50
Registered: ‎09-12-2013

Re: Issues setting up guest network.

DHCP is being served by AOS, but I get what you are saying. My thought is that the AP lives on VLAN 85 with a gateway of 10.10.85.1 and my firewall is 192.168.100.11/24. Do I need to allow traffic to 10.10.85.1 (wireless VLAN gateway), 192.168.100.1 (gateway for the firewall's VLAN) and 192.168.100.11 (firewall)?

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Issues setting up guest network.


Think about the destinations from the clients.  You don't need to explicitly allow access to the gateway or the firewall unless those are the intended destinations.  The clients will use DNS to resolve a URL name and then build a packet to that destination.  Say www.google.com will go to 74.125.226.18.  It will hit the gateway but in the packet, the destination IP will be 74.125.226.18 and therefore be allowed by the role in the IAP. 

 

Something else may be blocking this.  Try SSH'ing to the VC and then issue a "show datapath session" and look for the client's traffic.  Pay particular attention to the last column for any D flags which indicate denied packets because of the rules.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
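
The top-down, first-match evaluation described in the replies above, as an added example that is not part of the original thread and is not IAP configuration syntax. The rule tuples are a simplified model, and the internal DNS server address 10.10.1.53 is a hypothetical value; 10.10.85.1 and 74.125.226.18 come from the posts.

```python
import ipaddress

# Constructed rule sets modelled on the thread:
# (action, destination network, protocol, destination port); None means "any".
DENY_FIRST = [
    ("deny",   "10.0.0.0/8", None,  None),   # blanket deny placed at the top
    ("permit", "0.0.0.0/0",  "udp", 67),     # DHCP
    ("permit", "0.0.0.0/0",  "udp", 53),     # DNS
    ("permit", "0.0.0.0/0",  None,  None),   # allow everything else
]
# Same four rules, with DHCP and DNS moved above the blanket deny.
SERVICES_FIRST = [DENY_FIRST[1], DENY_FIRST[2], DENY_FIRST[0], DENY_FIRST[3]]

# Constructed guest-client flows: (destination IP, protocol, destination port).
FLOWS = {
    "dns_internal":  ("10.10.1.53", "udp", 53),      # hypothetical DNS server in 10/8
    "web_external":  ("74.125.226.18", "tcp", 443),  # routed via the gateway, dst is external
    "internal_host": ("10.10.85.1", "tcp", 22),      # traffic addressed to the gateway itself
}

def evaluate(rules, dst_ip, proto, port):
    """Return (action, rule index) for the first matching rule, top down."""
    dst = ipaddress.ip_address(dst_ip)
    for index, (action, net, r_proto, r_port) in enumerate(rules):
        if dst not in ipaddress.ip_network(net):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action, index          # first match wins; later rules never run
    return "deny", None               # nothing matched: implicit deny

def report(rules):
    """Map each sample flow to the action the rule list applies to it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("deny first", DENY_FIRST), ("services first", SERVICES_FIRST)):
        print(label, report(rules))
```

In the reordered list the DNS permit matches port 53 to any address, including every host in 10.0.0.0/8; narrowing its destination to the actual DNS server keeps the rest of the internal range behind the deny.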