Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Block access from Guestnetwork to Internal

  • 1.  Block access from Guestnetwork to Internal

    Posted Aug 03, 2018 10:58 AM

    Hello, I have the following setup:

    Router

    10.10.0.254

    Controller:

    10.10.0.251 Interface 0/0/0

    172.16.3.251 Interface 0/0/1 (DHCP for Guestnetwork active)

    So when I log in to the guest WiFi, the login page is shown and I can log in with username and password!

    I see that I have the IP 172.16.3.1 and I can browse the web.

    But I also have access to my local network 10.10.0.0, so I can access my ESXi server with IP 10.10.0.1!

    How can I block the access to my local network?

    I have tried disabling inter-VLAN routing, but no luck.



  • 2.  RE: Block access from Guestnetwork to Internal

    EMPLOYEE
    Posted Aug 03, 2018 11:25 AM

    What is the user role that your guest user ends up in? Have you modified the policies that make up that role?



  • 3.  RE: Block access from Guestnetwork to Internal

    Posted Aug 03, 2018 11:42 AM
    I have created the guest WLAN with the wizard!
    Nothing changed after this!


  • 4.  RE: Block access from Guestnetwork to Internal

    EMPLOYEE
    Posted Aug 03, 2018 11:50 AM

    @d.stratmann wrote:
    I have created the guest WLAN with the wizard!
    Nothing changed after this!

    So your default guest role probably looks something like this:

    user-role guest
     access-list session global-sacl
     access-list session apprf-guest-sacl
     access-list session ra-guard
     access-list session http-acl
     access-list session https-acl
     access-list session dhcp-acl
     access-list session icmp-acl
     access-list session dns-acl
     access-list session v6-http-acl
     access-list session v6-https-acl
     access-list session v6-dhcp-acl
     access-list session v6-icmp-acl
     access-list session v6-dns-acl
    !

    So while it's only allowing basic services like DNS, DHCP, web (http/https) and ICMP, it does not know anything about your internal network or what address ranges you might want to limit or allow.

    Do you have the Policy Enforcement Firewall (PEFng) license installed on your controller?



  • 5.  RE: Block access from Guestnetwork to Internal

    Posted Aug 03, 2018 12:02 PM
    Yes, I have PEFng!
    I have tried to add a policy in the role guest, with source any, destination as network 10.10.0.0/24 and service any, but when I submit this change I can apply the pending changes, and after this I can't see the policy!


  • 6.  RE: Block access from Guestnetwork to Internal
    Best Answer

    EMPLOYEE
    Posted Aug 03, 2018 12:16 PM

    Pending changes ... are you running firmware version 8.x then?

    First, create a new policy, something like block_internal_net. This would be to protect your internal network, so I would use "user network 10.10.0.0 255.255.255.0 any deny". Then add the new policy that was created (block_internal_net, or whatever you called it) to the guest role. The position needs to be above the policies that permit web traffic.

    The caveat here is that if the guest users' DNS or DHCP servers reside in the 10.10.0.0/24 subnet, they will need to be excluded from the block.
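    As an added example (not posted in the thread), this is what the policy and role change described above look like in ArubaOS 8.x CLI. The ACL name, the `position 1` placement and the DNS server address 10.10.0.10 are assumptions for illustration; the configuration is assumed to be entered at the node where the guest role lives.

```arubaos
! Added example, not from the thread. The ACL name and the DNS
! address 10.10.0.10 are assumed placeholders; adjust to your setup.
!
! 1. Session ACL that protects the internal 10.10.0.0/24 network.
!    Exceptions for services guests must still reach inside that
!    subnet come first, because entries are evaluated top-down.
ip access-list session block_internal_net
  ! Assumed internal DNS server that guests are allowed to query
  user host 10.10.0.10 svc-dns permit
  ! Everything else from guests toward the internal subnet is dropped;
  ! "log" records hits so blocked attempts appear in the firewall log
  user network 10.10.0.0 255.255.255.0 any deny log
!
! 2. Attach it to the guest role ahead of the wizard's http/https ACLs,
!    otherwise those permits match first and web traffic gets through.
user-role guest
  access-list session block_internal_net position 1
!
! Verify the order with: show rights guest
! From a guest client, ping 10.10.0.1 should now fail while browsing still works.
```

    Because DHCP for the guest VLAN runs on the controller's 172.16.3.251 interface in this setup, it is outside the blocked range and needs no exception; the DNS line is only needed if guests use a resolver inside 10.10.0.0/24.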



  • 7.  RE: Block access from Guestnetwork to Internal

    Posted Aug 03, 2018 12:28 PM
    Yes, it is running 8.3.
    I will try it after the weekend.
    DHCP is running on the controller.


  • 8.  RE: Block access from Guestnetwork to Internal

    Posted Aug 06, 2018 07:37 AM

    I set up the policy and added it to the role, everything is working! Thanks for the info!


  • 9.  RE: Block access from Guestnetwork to Internal

    Posted Feb 07, 2019 10:21 AM

    Hi, I'm having the same problem. I'm really new to Aruba, can you tell me step by step how to do this?

    I mean, I don't know which profile I'm using for the guest WiFi and I don't know how to create the policy and add it to that profile.

    Thanks!!