Occasional Contributor I

Block access from Guestnetwork to Internal

Hello, I have the following setup:

 

Router

10.10.0.254

Controller:

10.10.0.251 Interface 0/0/0

172.16.3.251 Interface 0/0/1 (DHCP for Guestnetwork active)

 

So when I log in to the guest WiFi, the login page is shown and I can log in with username and password!

I see that I have an IP 172.16.3.1 and I can browse the WWW.

But I also have access to my local network 10.10.0.0, so I can access my ESXi server with IP 10.10.0.1!

How can I block the access to my local network?

I have tried disabling intervlan-routing, but no luck.

 

 

 

 

Aruba Employee

Re: Block access from Guestnetwork to Internal

What is the user role that your guest user ends up in? Have you modified the policies that make up that role?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Block access from Guestnetwork to Internal

I have created the guest wlan with the wizard!
Nothing change after this!
Aruba Employee

Re: Block access from Guestnetwork to Internal


@d.stratmann wrote:
I have created the guest wlan with the wizard!
Nothing change after this!

So your default guest role probably looks something like this:

 

user-role guest
 access-list session global-sacl
 access-list session apprf-guest-sacl
 access-list session ra-guard
 access-list session http-acl
 access-list session https-acl
 access-list session dhcp-acl
 access-list session icmp-acl
 access-list session dns-acl
 access-list session v6-http-acl
 access-list session v6-https-acl
 access-list session v6-dhcp-acl
 access-list session v6-icmp-acl
 access-list session v6-dns-acl
!

So while it's only allowing basic services like DNS, DHCP, web (http/https) and ICMP, it does not know anything about your internal network or what address ranges you might want to limit or allow.

 

Do you have the Policy Enforcement Firewall (PEFng) license installed on your controller?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Block access from Guestnetwork to Internal

Yes, I have PEFng!
I have tried to add a policy in the role guest, with source any, destination as network 10.10.0.0/24 and service any, but when I submit this change I can apply the pending changes, after this I can't the the policy!
Aruba Employee

Re: Block access from Guestnetwork to Internal

Pending changes ... are you running firmware version 8.x then?

 

First, create a new policy, something like block_internal_net. This would be to protect your internal network, so I would use "user network 10.10.0.0 255.255.255.0 any deny". Then add the new policy that was created (block_internal_net, or whatever you called it) to the guest role. The position needs to be above the policies that permit web traffic.

 

The caveat here is that if the guest users' DNS or DHCP servers reside in the 10.10.0.0/24 subnet, they will need to be excluded from the block.


Charlie Clemmer
Aruba Customer Engineering
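
Added example, not part of the thread and not Aruba's code: a small Python model of first-match policy evaluation showing why the block has to sit above the web permits, and what the DNS caveat looks like. The ACL contents are simplified assumptions, and the DNS server address 10.10.0.53 is constructed for illustration.

```python
import ipaddress

# Simplified stand-ins for the default ACLs in the guest role (assumption:
# each one permits its service to any destination).
WEB = [("any", "tcp", 80, "permit"), ("any", "tcp", 443, "permit")]
DNS = [("any", "udp", 53, "permit")]
ICMP = [("any", "icmp", None, "permit")]
# The rule from the reply: user -> network 10.10.0.0/24, any service, deny.
BLOCK_INTERNAL = [("10.10.0.0/24", "any", None, "deny")]
# Hypothetical exception for a DNS server inside the blocked subnet.
ALLOW_DNS_HOST = [("10.10.0.53/32", "udp", 53, "permit")]


def rule_matches(rule, dst, proto, port):
    net, r_proto, r_port, _action = rule
    if net != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(net):
        return False
    if r_proto != "any" and r_proto != proto:
        return False
    return r_port is None or r_port == port


def evaluate(role, dst, proto, port=None):
    """Walk the role's ACLs top down; the first matching rule decides.
    Traffic that matches no rule is denied."""
    for acl in role:
        for rule in acl:
            if rule_matches(rule, dst, proto, port):
                return rule[3]
    return "deny"


ROLE_WIZARD = [WEB, DNS, ICMP]                       # no internal block
ROLE_BLOCK_LAST = [WEB, DNS, ICMP, BLOCK_INTERNAL]   # deny placed too low
ROLE_BLOCK_FIRST = [BLOCK_INTERNAL, WEB, DNS, ICMP]  # deny above the permits
ROLE_WITH_DNS = [ALLOW_DNS_HOST, BLOCK_INTERNAL, WEB, DNS, ICMP]

if __name__ == "__main__":
    roles = {"wizard": ROLE_WIZARD, "block last": ROLE_BLOCK_LAST,
             "block first": ROLE_BLOCK_FIRST, "dns exception": ROLE_WITH_DNS}
    for name, role in roles.items():
        print(f"{name:14} ESXi https: {evaluate(role, '10.10.0.1', 'tcp', 443):6} "
              f"internal DNS: {evaluate(role, '10.10.0.53', 'udp', 53)}")
```
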
Occasional Contributor I

Re: Block access from Guestnetwork to Internal

Yes it is running 8.3.
I will try it after weekend.
DHCP is running on controller
Occasional Contributor I

Re: Block access from Guestnetwork to Internal

I set up the policy and added them to the role, everything is working! Thanks for the info!

 


 
