Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Guest wifi firewall policy

  • 1.  Guest wifi firewall policy

    Posted Oct 29, 2018 12:49 PM

    How to set up guest wifi firewall policy to allow internet traffic and block internal resources or network?



  • 2.  RE: Guest wifi firewall policy
    Best Answer

    Posted Oct 30, 2018 04:01 AM

    So we are talking Instant?

    Under the access tab when configuring the SSID you can choose network-based access, which basically allows you to make an access list for all users associated with that SSID.

    This is usually how I configure my ACL for guest networks.

    Allow DNS to any destination

    Allow DHCP to any destination

    Deny any to 10.0.0.0 255.0.0.0

    Deny any to 172.16.0.0 255.240.0.0

    Deny any to 192.168.0.0 255.255.0.0

    Allow any to any destination

    There are obviously some modifications you can do here, for example if you are using Google DNS servers the first rule would not be needed. Or just specify the DNS servers which are handed out by the DHCP server.



  • 3.  RE: Guest wifi firewall policy

    Posted Oct 30, 2018 10:11 AM

    Can we do: (changes are in underline)

    Allow DNS to any destination

    Allow DHCP to any destination

    Allow http to any destination

    Allow https to any destination

    Deny any to any destination



  • 4.  RE: Guest wifi firewall policy

    Posted Oct 30, 2018 10:36 AM

    If the goal is to only use HTTP/HTTPS for guest users then yeah, probably.

    Keep in mind that if your guest VLAN is not completely isolated (which it should be anyway) guest users may be able to reach some kind of internal webservers.

    Pretty sure there is a deny all rule at the end of all ACLs, so that wouldn't be needed.
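
An added example, not part of any post in this thread: a small first-match ACL evaluator in Python that runs the rule list from reply 2 and the one proposed in reply 3 over the same constructed flows, so the difference in internal reachability is visible. It assumes top-down first-match evaluation, the implicit final deny mentioned in reply 4, and a guest VLAN that can route to internal ranges; the rule encoding, flow names and addresses are constructed for illustration and are not Instant configuration syntax.

```python
import ipaddress

# Rule = (action, protocol, destination port or None for any, destination network)
ANY = "0.0.0.0/0"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Rules shared by both lists: DNS and DHCP to any destination.
BASE = [("allow", "udp", 53, ANY), ("allow", "tcp", 53, ANY), ("allow", "udp", 67, ANY)]

# Reply 2: deny the private ranges, then allow everything else.
ACL_REPLY2 = BASE + [("deny", "any", None, n) for n in RFC1918] + [("allow", "any", None, ANY)]

# Reply 3: allow HTTP/HTTPS to any destination, deny the rest (no private-range denies).
ACL_REPLY3 = BASE + [("allow", "tcp", 80, ANY), ("allow", "tcp", 443, ANY),
                     ("deny", "any", None, ANY)]


def evaluate(acl, proto, port, dst):
    """Return the action of the first matching rule; implicit deny if none match."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_port, r_net in acl:
        if r_proto not in ("any", proto):
            continue
        if r_port is not None and r_port != port:
            continue
        if addr in ipaddress.ip_network(r_net):
            return action
    return "deny"


# Constructed sample flows: (name, protocol, destination port, destination address).
FLOWS = [
    ("internet https", "tcp", 443, "203.0.113.10"),
    ("internet ssh", "tcp", 22, "203.0.113.10"),
    ("internal https", "tcp", 443, "10.1.2.3"),
    ("internal smb", "tcp", 445, "192.168.1.20"),
    ("internal dns", "udp", 53, "172.16.5.53"),
]


def compare():
    """Map each flow name to its (reply 2 verdict, reply 3 verdict)."""
    return {name: (evaluate(ACL_REPLY2, p, port, d), evaluate(ACL_REPLY3, p, port, d))
            for name, p, port, d in FLOWS}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15} reply2={verdicts[0]:5} reply3={verdicts[1]}")
```

The "internal https" row is the case reply 4 warns about: the reply 3 list permits it because the HTTP/HTTPS rules match any destination. The "internal dns" row shows that in both lists the DNS rule sits ahead of any deny, so DNS to a private address is still allowed.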