Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Setting up Guest access with Aruba Central

  • 1.  Setting up Guest access with Aruba Central

    Posted Mar 05, 2019 11:52 AM

    I have a new Aruba deployment that I'm doing some testing with.  We're using AP-345s and I'm demoing Aruba Central.  So far, I've set up one AP with a Guest wireless network.  The Guest wireless network is just set up with a PSK (no social media logins or portals).  Working with support, we created it with Virtual Controller Assigned IPs and a Custom Client VLAN.  A matching DHCP scope was created with an appropriate IP range and using 8.8.8.8 as the DNS server.  The goal of this guest network is to give full access to the internet, but nothing else.  To restrict the access, in the configuration of the Guest network, we set the Access Rules to "Network Based" and created several rules.  The first three rules deny "any" protocol access to the Class A, B, and C private address ranges.  The last rule allows "any" to "all destinations".

    This setup seemed to be working as I could get to the internet while on this network, but was unable to ping any local resources by IP.  However, I noticed that when I pinged a local server by name, while the ping would not go through, the IP address would get resolved.  I don't know how it would do this short of something communicating with our local DNS servers.  

    Investigation with Wireshark seems to indicate that the client is only getting DNS responses from 8.8.8.8.  When I connect to the guest wireless on our current Fortinet APs, I don't get this behavior.  Does anyone have any idea why this could be happening?  I've tried changing the DNS to another publicly-accessible server with the same results. 



  • 2.  RE: Setting up Guest access with Aruba Central

    EMPLOYEE
    Posted Mar 05, 2019 11:48 PM

    Hi toddrf,

    Does the client get the internal IP resolved by the Google DNS? Could you confirm this with Wireshark?

    Maybe it is a DNS caching problem with your client?

     

    BR

    Florian



  • 3.  RE: Setting up Guest access with Aruba Central
    Best Answer

    Posted Mar 12, 2019 03:06 PM

    I opened a case with support.  What they were telling me is that because I'm on a virtual controller assigned VLAN that's assigning IPs with an internal scope, the DNS requests will be source-NATed with the master IAP's configured DNS server.  Since the master IAP is configured with our internal DNS server, that's what the Guest clients end up using.  I asked if it is possible to disable this behavior.  The answer I received is that the only way to disable this is to move to a network assigned VLAN with a static VLAN ID.  I was told that I would then need to trunk the AP's wired connection with both the VLAN that the AP and Employee networks use (52) and the one I've set up for Guest (56).  

    I've created the new VLAN 56 on the switch that the AP is connected to.  The port that the AP is on is now untagged on 52 and tagged on 56.  I set up our firewall with a port on the 56 VLAN and configured a DHCP server on the firewall as well.  At this point, everything is working as desired.
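
A check for the symptom described in this thread, added here as an example and not code from any poster or from Aruba: it scans DNS responses captured on a guest client and flags answers that fall inside the three private ranges the access rules deny. The tab-separated input layout, the hostnames and the addresses are constructed assumptions.

```python
import ipaddress

# The three private ranges that the guest network's access rules deny.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: DNS responses seen by a guest client, one per line, as
# tab-separated "query name, response source IP, answer IPs (comma list)".
# Hostnames and addresses are made up for illustration.
SAMPLE_CAPTURE = """\
www.example.com\t8.8.8.8\t93.184.216.34
fileserver.corp.example\t8.8.8.8\t10.20.30.40
intranet.corp.example\t8.8.8.8\t172.16.5.10,172.16.5.11
nosuchhost.corp.example\t8.8.8.8\t
printer.corp.example\t8.8.8.8\t192.168.1.50,not-an-ip
"""

def private_answers(answer_field):
    """Return the answer addresses that fall inside a denied private range."""
    hits = []
    for text in filter(None, (a.strip() for a in answer_field.split(","))):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # skip malformed values rather than abort the audit
        if any(addr in net for net in PRIVATE_NETS):
            hits.append(str(addr))
    return hits

def find_internal_dns_leaks(capture_text):
    """Flag responses that hand internal addresses to a guest client.

    The response source IP is recorded but not used as evidence: in the
    thread the replies were seen coming from 8.8.8.8 while support attributed
    the resolution to the master IAP's internal DNS server, so the answer
    content is what reveals the leak.
    """
    findings = []
    for line in capture_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # not a well-formed record
        name, source, answers = parts
        hits = private_answers(answers)
        if hits:
            findings.append({"name": name, "apparent_source": source,
                             "internal_ips": hits})
    return findings
```

Running the same check after moving the guest SSID to its own network-assigned VLAN should return no findings for internal hostnames.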



  • 4.  RE: Setting up Guest access with Aruba Central

    EMPLOYEE
    Posted Mar 13, 2019 02:58 PM

    Thanks for coming back and sharing the solution with us.