Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Traffic denied with authenticated role?

  • 1.  Traffic denied with authenticated role?

    Posted May 23, 2013 12:15 PM

    Hi,

     

    I currently have some issues with our wireless network and the ACL/firewall.

    I have some thermal printers which are connected via Wi-Fi.

    They only need to reach 2 hosts, but even in authenticated mode I cannot get it to work, and everything is allowed (any any any permit).

    Everything I've tested so far is working; only the communication between them (on some ports which use TCP) is always in denied state, and I can't figure out why.

     

    If someone could help me figure it out...

     

    Best regards,

     

    Ludovic 



  • 2.  RE: Traffic denied with authenticated role?

    Posted May 23, 2013 12:22 PM

     

     

    What do you see when you run "show datapath session table <ip address>"?

     

    And also do a "show user ip <ip address>".



  • 3.  RE: Traffic denied with authenticated role?

    Posted May 23, 2013 02:08 PM

    Are the users also on Wi-Fi? If so, can you confirm whether you have "deny inter-user traffic" enabled on the virtual AP? This can also be enabled globally in the Stateful Firewall under Advanced Services; confirm it is not on.

     

    Also, does the printer use broadcast/multicast to talk to the host? Again, confirm whether you are dropping this in the virtual AP.



  • 4.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 04:27 AM

    Hi,

     

    For the "show datapath session table <ip address>", it doesn't constantly show all the traffic if I use the printer IP, so here is the output with the AP.

    http://pastebin.com/Hew6Yuiw

    And for the "show user ip":

    http://pastebin.com/U9EZBbXu

     

    The printers are trying to contact other servers in the same VLAN (on the LAN).

    It seems that everything that comes to the printer from outside the Wi-Fi network is denied.

    They have a web interface reachable from all locations, but when connected to the Wi-Fi only clients connected to the same network can open it. If I try to open it from my computer on the LAN, the connection goes directly into denied state.

     

    And yes the printer does some multicast.

     

    I'm surely missing something obvious.

     

    thanks!



  • 5.  RE: Traffic denied with authenticated role?

    EMPLOYEE
    Posted May 24, 2013 07:21 AM

    Did you edit the authenticated role?

     



  • 6.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 07:29 AM
    Is the "show datapath session" output from the IP address of the printer or the AP?


  • 7.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 08:03 AM

    No, it is the one from the RAP; it doesn't keep the connection very long with the printer (it's only right after I start the printer).

    You can see the issue from the screenshot (status section of the printer when it starts, with the "denied" connection).

     

    I didn't edit the authenticated role, so I really don't understand where the problem is...

    It seems that every incoming connection is blocked.



  • 8.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 08:12 AM
    How do you have the RAP configured? Tunneled, split, bridged?

    Can you please share the "show rights authenticated"?

    Have you tried creating an alias (using the printer's IP) and then allowing everything for that particular alias, or allowing the ports that the printer is trying to use?

    Were you able to check some of the things that Clembo suggested?


  • 9.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 08:29 AM

    The RAPs are in bridge mode and all SSIDs are used in permanent config.

    Here is the result of "show rights authenticated":

    http://pastebin.com/s0RwDeab

     

    I actually began with an ACL which permitted everything this way:

    User any any permit

    network 192.168.1.0 255.255.255.0 user any permit

     

    But it didn't work, so I just tried with the authenticated role, and it seems that I have an issue with my configuration.

     

    As I said before, internal traffic isn't denied, because everything works fine with all the clients on the Wi-Fi, but if someone outside, connected to the LAN through Ethernet, tries to do something with my clients, it's always denied.

    And the printers do use broadcast on the network. I don't have any checkbox which drops broadcast in the vAP; I only have

    "Convert Broadcast ARP requests to unicast"

    checked in the vAP.

    Thanks.



  • 10.  RE: Traffic denied with authenticated role?
    Best Answer

    EMPLOYEE
    Posted May 24, 2013 08:45 AM

    Okay.  Let's talk about what happens in general here:

     

    - "show datapath session table" only works for traffic that is tunneled THROUGH the controller. Bridged traffic on RAPs does not do this, so you would have to use "show datapath session ap-name <name of ap> <ip address of printer>" to get an accurate understanding of what is going on with that printer.

     

    - Each RAP is normally assumed to be on a public internet interface, so each RAP has an ACL on that interface that allows traffic from bridge users to get out, but only allows unsolicited DHCP traffic, ping, and Bonjour into the RAP and the users on that RAP. You need to change this so that unsolicited printer traffic can get to the printer that is bridged on that AP. In the AP system profile of the AP group of that RAP, there is a session ACL setting. Change that from ap-uplink-acl to authenticated to see if you can make that work:

     

    [attached screenshot: session.png]



  • 11.  RE: Traffic denied with authenticated role?

    Posted May 24, 2013 09:09 AM

    Thank you very much!

     

    It was the Session ACL! (How could I miss that...).

    Everything works fine with the AllowAll policy.

    I just need to figure out whether I should only allow 1-2 IP addresses, and eventually the broadcast, to the users.
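To take the fix from post 10 one step further in the least-privilege direction the last post asks about, here is an added example (not configuration from this thread or from HPE Aruba Networking) of an ArubaOS session ACL that replaces the RAP's ap-uplink-acl with rules admitting only the two print servers plus the DHCP, ping and mDNS traffic the default uplink ACL already lets in. The profile and ACL names, the 192.168.1.x host addresses and the TCP ports are assumptions; lines starting with "!" are explanatory annotation rather than commands, and the rule syntax should be checked against the ArubaOS release in use.

```text
! Constructed addresses for the two LAN hosts the printers must reach
netdestination print-servers
  host 192.168.1.10
  host 192.168.1.11
!
! Session ACL applied on the RAP uplink in place of ap-uplink-acl.
! Stateful: a permitted outbound session also admits its replies.
ip access-list session rap-printer-uplink
  ! Unsolicited inbound from the print servers to bridged users:
  ! assumed printer ports (raw print 9100, web UI 443), not from the thread
  alias print-servers user tcp 9100 permit
  alias print-servers user tcp 443 permit
  ! Bridged users may initiate anything toward the print servers
  user alias print-servers any permit
  ! Keep what the default uplink ACL allows in: DHCP, ping, Bonjour (mDNS)
  any any svc-dhcp permit
  any any svc-icmp permit
  any any udp 5353 permit
  ! Everything else from the LAN toward bridged users is dropped
  any any any deny
!
! Attach the ACL to the RAP's AP system profile (assumed profile name)
ap system-profile rap-bridge-printers
  session-acl rap-printer-uplink
!
```

After applying it, "show datapath session ap-name <name of ap> <ip address of printer>" from post 10 is the place to confirm the print-server sessions are no longer flagged as denied while other unsolicited LAN traffic still is.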