11-11-2016 01:47 AM - edited 11-11-2016 07:54 AM
MSM760 - How to isolate Guest VSC / SSID traffic?
Hi,
Have an MSM760 at a site, it has 2 VSCs which are both working fine and getting synced out to all the APs. It's a simple network environment so everything is on the default vlan.
One of the SSIDs/VSCs is meant to be for guest traffic, so I would like to be able to limit clients that connect to this SSID to be able to only get internet access and not be able to connect to other nodes on the network. So in the VSC profile for the guest network, it looks like there is a section there that purports to do exactly what I need, the 'Wireless IP Filter' section at the bottom. It says that by default DNS and DHCP traffic will be allowed anyway, fine, and that I just need to enter my gateway address and a subnet mask of 255.255.255.255 for that single host address, fine, makes sense. I've done all that, and made sure the box is ticked on the 'Wireless IP Filter' section and what is happening is that it DOES prevent wireless clients connected to that SSID from reaching anything on the LAN except the gateway, which is what we want. However we can then not connect to the internet. We cannot load web pages or ping anything on the internet by either IP or hostname.
When we tested this with an iPhone, when the 'Wireless IP Filter' was OFF, and we could successfully access the internet, we noticed that the iPhone's network settings reported that it had an external IP as well as its internal IP. However with Wireless IP Filter on, the iPhone did not have any external IP, just the internal one (which worked fine, could ping to and from it).
Where am I going wrong?
Thanks.
11-15-2016 12:41 PM
Re: MSM760 - How to isolate Guest VSC / SSID traffic?
Isolation via VLAN or ACLs.
IP-Filter ALLOWS traffic to specific addresses NOT BLOCK.
11-16-2016 07:41 AM - edited 11-16-2016 07:46 AM
Re: MSM760 - How to isolate Guest VSC / SSID traffic?
Thanks for your reply.
I'm aware that the IP Filter allows traffic and does not block traffic, what about my post made you think I didn't understand that? The address I am trying to ALLOW traffic to is the gateway and subsequently the internet.
In regards to the information you gave me on isolation, I think you're going into too much detail, just give me the gist of it.
Seriously though, as explained in my original post there is no VLAN'ing going on in this network, it's all the default VLAN with a varied switching environment, some of which do not support VLAN so we can't use that anyway. I would appreciate more information on how I might go about using ACLs to allow clients on the Guest network to ONLY access the internet and nothing else.
I would also really like to know why what I have done so far has not worked though, as far as I can see I have done everything that is required.
11-17-2016 08:48 AM
Re: MSM760 - How to isolate Guest VSC / SSID traffic?
Hi,
You ALLOW traffic only to/from the default gateway. The Internet is greater than the IP address of your gateway. How would you reach, for example, 8.8.8.8 from your client? Your client PC calls google-public-dns-a.google.com with IP address 8.8.8.8 over your gateway, but you BLOCK (not allow) that.
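The point made in the reply above, as an added example that is not part of the original thread: a simplified model of a destination-address allow-list, showing that the gateway is only the layer-2 next hop for Internet traffic while the filter sees the real layer-3 destination. The addressing is constructed sample data, and the matching logic is an assumption about how such a filter behaves, not HPE's implementation; the default DHCP/DNS allowance is not modelled.

```python
import ipaddress

# Constructed sample addressing; the thread does not give the real values.
CLIENT_IF = ipaddress.ip_interface("192.168.1.50/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
LAN_HOST = ipaddress.ip_address("192.168.1.20")

# The entry from the original post: gateway address, mask 255.255.255.255.
GATEWAY_ONLY = [f"{GATEWAY}/255.255.255.255"]
# A catch-all entry, to show what happens if the allow-list is simply widened.
ALLOW_ALL = ["0.0.0.0/0"]


def next_hop(dst, client_if=CLIENT_IF, gateway=GATEWAY):
    """Layer-2 next hop the client picks: the destination itself if on-link,
    otherwise the default gateway. The IP header still carries dst."""
    dst = ipaddress.ip_address(dst)
    return dst if dst in client_if.network else gateway


def filter_allows(dst, allowed):
    """Allow-list check on the packet's layer-3 destination address
    (assumed filter behaviour, see lead-in)."""
    dst = ipaddress.ip_address(dst)
    return any(dst in ipaddress.ip_network(e, strict=False) for e in allowed)


def trace(dst, allowed):
    """Return (next hop, verdict) for one packet sent by the guest client."""
    verdict = "forward" if filter_allows(dst, allowed) else "drop"
    return str(next_hop(dst)), verdict


if __name__ == "__main__":
    for name, rules in (("gateway-only", GATEWAY_ONLY), ("allow-all", ALLOW_ALL)):
        print(f"filter = {name}")
        for dst in (str(GATEWAY), str(LAN_HOST), "8.8.8.8"):
            hop, verdict = trace(dst, rules)
            print(f"  dst={dst:<13} next_hop={hop:<13} -> {verdict}")
```

Under this model the gateway-only entry drops traffic to 8.8.8.8 even though it is handed to the gateway, and widening the entry to reach the Internet also re-admits the LAN host, which is why the replies point to VLANs, ACLs or gateway rules instead.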
11-18-2016 01:02 AM
Re: MSM760 - How to isolate Guest VSC / SSID traffic?
Yes ok, so what entry do you suggest I make now in the Wireless IP Filter section in order to allow traffic to the internet but not to any of the internal nodes, considering there is a maximum of 2 entries and I already have one?
11-18-2016 08:55 AM
Re: MSM760 - How to isolate Guest VSC / SSID traffic?
Wireless IP filter on VSC can't help. Isolate with VLANs. Block/allow on your default gateway.
Also you can use firewall-option on internet-port. Default-gateway should be connected to the internet-port, then you can configure incoming and outgoing rules.