I have a new Aruba deployment that I'm doing some testing with. We're using AP-345s and I'm demoing Aruba Central. So far, I've set up one AP with a Guest wireless network. The Guest wireless network is just set up with a PSK (no social media logins or portals). Working with support, we created it with Virtual Controller Assigned IPs and a Custom Client VLAN. A matching DHCP scope was created with an appropriate IP range and using 8.8.8.8 as the DNS server. The goal of this guest network is to give full access to the internet, but nothing else. To restrict the access, in the configuration of the Guest network, we set the Access Rules to "Network Based" and created several rules. The first three rules deny "any" protocol access to the Class A, B, and C private address ranges. The last rule allows "any" to "all destinations".
This setup seemed to be working as I could get to the internet while on this network, but was unable to ping any local resources by IP. However, I noticed that when I pinged a local server by name, while the ping would not go through, the IP address would get resolved. I don't know how it would do this short of something communicating with our local DNS servers.
Investigation with Wireshark seems to indicate that the client is only getting DNS responses from 8.8.8.8. When I connect to the guest wireless on our current Fortinet APs, I don't get this behavior. Does anyone have any idea why this could be happening? I've tried changing the DNS to another publicly-accessible server with the same results.