PC23
Occasional Advisor

MSM760 - How to isolate Guest VSC / SSID traffic?

Hi,

Have an MSM760 at a site, it has 2 VSCs which are both working fine and getting synced out to all the APs. It's a simple network environment so everything is on the default vlan.

One of the SSIDs/VSCs is meant to be for guest traffic, so I would like to be able to limit clients that connect to this SSID to be able to only get internet access and not be able to connect to other nodes on the network. So in the VSC profile for the guest network, it looks like there is a section there that purports to do exactly what I need, the 'Wireless IP Filter' section at the bottom. It says that by default DNS and DHCP traffic will be allowed anyway, fine, and that I just need to enter my gateway address and a subnet mask of 255.255.255.255 for that single host address, fine, makes sense. I've done all that, and made sure the box is ticked on the 'Wireless IP Filter' section, and what is happening is that it DOES prevent wireless clients connected to that SSID from reaching anything on the LAN except the gateway, which is what we want. However, we then cannot connect to the internet. We cannot load web pages or ping anything on the internet by either IP or hostname.

When we tested this with an iPhone, when the 'Wireless IP Filter' was OFF, and we could successfully access the internet, we noticed that the iPhone's network settings reported that it had an external IP as well as its internal IP. However, with Wireless IP Filter on, the iPhone did not have any external IP, just the internal one (which worked fine, could ping to and from it).

Where am I going wrong?

Thanks.

Walter001
Advisor

Re: MSM760 - How to isolate Guest VSC / SSID traffic?

Isolation via VLAN or ACLs.

IP-Filter ALLOWS traffic to specific addresses, NOT BLOCK.

PC23
Occasional Advisor

Re: MSM760 - How to isolate Guest VSC / SSID traffic?

Thanks for your reply.

I'm aware that the IP Filter allows traffic and does not block traffic, what about my post made you think I didn't understand that? The address I am trying to ALLOW traffic to is the gateway and subsequently the internet.

In regards to the information you gave me on isolation, I think you're going into too much detail, just give me the gist of it.

Seriously though, as explained in my original post there is no VLAN'ing going on in this network, it's all the default VLAN with a varied switching environment, some of which do not support VLAN so we can't use that anyway. I would appreciate more information on how I might go about using ACLs to allow clients on the Guest network to ONLY access the internet and nothing else.

I would also really like to know why what I have done so far has not worked though, as far as I can see I have done everything that is required.

Walter001
Advisor

Re: MSM760 - How to isolate Guest VSC / SSID traffic?

Hi,

You ALLOW traffic only to/from the default gateway. The Internet is greater than the IP address of your gateway. How would you reach, perhaps, 8.8.8.8 from your client? Your client PC calls google-public-dns-a.google.com with IP address 8.8.8.8 over your gateway, but you BLOCK (not allow) that.

PC23
Occasional Advisor

Re: MSM760 - How to isolate Guest VSC / SSID traffic?

Yes, OK, so what entry do you suggest I make now in the Wireless IP Filter section in order to allow traffic to the internet but not to any of the internal nodes, considering there is a maximum of 2 entries and I already have one?

Walter001
Advisor

Re: MSM760 - How to isolate Guest VSC / SSID traffic?

Wireless IP filter on VSC can't help. Isolate with VLANs. Block/allow on your default gateway.

Also, you can use the firewall option on the Internet port. The default gateway should be connected to the Internet port; then you can configure incoming and outgoing rules.
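
Added example, not part of the thread and not HP's implementation: a simplified Python model of an allow-only destination filter as the replies describe it, showing why a single gateway entry with mask 255.255.255.255 cuts off Internet destinations and how many allow entries "everything except the LAN" would take. The 192.168.1.0/24 subnet, the gateway address, the port-based DNS/DHCP exemption and all function names are assumptions.

```python
import ipaddress

MAX_ENTRIES = 2                    # entry limit mentioned in the thread
LAN = "192.168.1.0/24"             # constructed sample subnet (assumption)
GATEWAY_ENTRY = "192.168.1.1/255.255.255.255"  # gateway as a single host

def filter_allows(dst_ip, dst_port, allow_entries):
    """Simplified model (assumption): DNS and DHCP always pass; any other
    packet passes only if its destination IP matches an allow entry."""
    if dst_port in (53, 67, 68):
        return True
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(e) for e in allow_entries)

def internet_only_entries(lan):
    """Smallest set of allow entries covering all of IPv4 except `lan`."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    rest = everything.address_exclude(ipaddress.ip_network(lan))
    return [str(net) for net in sorted(rest)]

def report(allow_entries):
    """Verdicts for three constructed sample packets.
    A packet bound for the Internet carries the remote host's IP as its
    destination; the gateway is only the next hop, not the destination."""
    samples = {"gateway": ("192.168.1.1", 443),
               "lan_host": ("192.168.1.50", 445),
               "internet": ("8.8.8.8", 443)}
    return {name: filter_allows(ip, port, allow_entries)
            for name, (ip, port) in samples.items()}

if __name__ == "__main__":
    print("gateway-only entry:", report([GATEWAY_ENTRY]))
    needed = internet_only_entries(LAN)
    print("entries to allow everything except the LAN:", len(needed),
          "(limit is", MAX_ENTRIES, ")")
    print("with those entries:", report(needed))
```

In this model a /24 LAN needs 24 allow entries to express "Internet only", well over the two the filter offers, which is consistent with the advice above to isolate with VLANs or with rules on the gateway.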