Controllerless Networks


Issues setting up guest network.

  • 1.  Issues setting up guest network.

    Posted Aug 19, 2014 01:51 PM

    Setting up instant environment for the first time and I am having issues setting up my guest networks access rules.  I want to deny all internal traffic and allow all traffic to the outside. My thought was to make blanket denies such as deny any to network 10.0.0.0/255.0.0.0 but when I put that rule in place at the top of my access rules I suddenly have no internet access on the guest network.  This is an IAP-225 running the latest AOS.




  • 2.  RE: Issues setting up guest network.

    EMPLOYEE
    Posted Aug 19, 2014 01:55 PM

    What is your DNS server?  Also, consider the ordering of those rules.  Why not place the deny statement below DHCP and DNS?



  • 3.  RE: Issues setting up guest network.

    Posted Aug 19, 2014 02:05 PM

    My thought is that the allows are already opening up my network to that type of traffic.... Is that not the case?



  • 4.  RE: Issues setting up guest network.

    EMPLOYEE
    Posted Aug 19, 2014 02:06 PM

    If your DHCP server is in 10.0.0.0/8, DHCP is being blocked by the first rule.



  • 5.  RE: Issues setting up guest network.

    Posted Aug 19, 2014 02:12 PM

    DHCP is being served by AOS but I get what you are saying. My thought is that the APs live on VLAN 85 with a gateway of 10.10.85.1 and my firewall is 192.168.100.11/24.  Do I need to allow traffic to 10.10.85.1 (wireless VLAN gateway), 192.168.100.1 (gateway for the firewall's VLAN) and 192.168.100.11 (firewall)?




  • 6.  RE: Issues setting up guest network.
    Best Answer

    EMPLOYEE
    Posted Aug 19, 2014 02:16 PM

    Think about the destinations from the clients.  You don't need to explicitly allow access to the gateway or the firewall unless those are the intended destinations.  The clients will use DNS to resolve a URL name and then build a packet to that destination.  Say www.google.com will go to 74.125.226.18.  It will hit the gateway but in the packet, the destination IP will be 74.125.226.18 and therefore be allowed by the role in the IAP. 


    Something else may be blocking this.  Try SSH'ing to the VC and then issue a "show datapath session" and look for the client's traffic.  Pay particular attention to the last column for any D flags which indicate denied packets because of the rules.



  • 7.  RE: Issues setting up guest network.

    EMPLOYEE
    Posted Aug 19, 2014 02:07 PM

    @AGarner wrote:

    My thought is that the allows are already opening up my network to that type of traffic.... Is that not the case?


    No - it's not.  The ordering is important as the rules are enforced from the top down.



  • 8.  RE: Issues setting up guest network.

    Posted Aug 19, 2014 02:07 PM

    Rules are evaluated from the top down.  If your DNS server is in the 10.x.x.x network then access to it is being blocked.   By moving the DNS rule above the first rule the client will be able to resolve.  I'm assuming DHCP is not an issue if this is the Guest Network and the IP assignment is coming from the IAP.
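The top-down, first-match evaluation described in posts 6 and 8, as an added example that is not part of the original thread or of Aruba Instant itself: a small evaluator over a constructed guest-role rule set (the CIDRs, ports and client flows are assumptions). With the 10.0.0.0/8 deny on top, a DNS query to an internal resolver is denied while a connection to an Internet IP is still allowed, so the client never resolves the name; moving the DHCP and DNS allows above the deny restores resolution and still blocks internal hosts.

```python
"""First-match role ACL simulation for the guest-network ordering problem."""
from ipaddress import ip_address, ip_network

# Constructed rules: (action, destination CIDR or "any", protocol or "any", port or None).
# Protocol/port matching is simplified for illustration.
BROKEN_ORDER = [
    ("deny",  "10.0.0.0/8", "any", None),   # blanket internal deny placed on top
    ("allow", "any",        "udp", 67),     # dhcp
    ("allow", "any",        "udp", 53),     # dns
    ("allow", "any",        "any", None),   # everything else (Internet)
]

FIXED_ORDER = [
    ("allow", "any",        "udp", 67),     # dhcp first
    ("allow", "any",        "udp", 53),     # dns second
    ("deny",  "10.0.0.0/8", "any", None),   # internal deny below the allows
    ("allow", "any",        "any", None),   # Internet
]

def evaluate(rules, dst_ip, proto, port):
    """Return (action, rule_index) of the first rule that matches, top-down."""
    dst = ip_address(dst_ip)
    for idx, (action, cidr, r_proto, r_port) in enumerate(rules):
        if cidr != "any" and dst not in ip_network(cidr):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action, idx
    return "deny", None  # implicit deny when nothing matches

# Constructed guest-client flows: DNS to an internal resolver, HTTPS to an
# Internet address, and a probe at an internal file server.
FLOWS = {
    "dns_internal": ("10.10.85.1", "udp", 53),
    "web_internet": ("74.125.226.18", "tcp", 443),
    "smb_internal": ("10.10.20.5", "tcp", 445),
}

def outcomes(rules):
    """Map each sample flow to the action the ordered rule set applies to it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, outcomes(rules))
```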