Comware Wireless / Unified Series
JesseR
Regular Advisor

Guest Wireless - frustration

This should be SO simple, but no one at HP seems to know HOW it's done, good grief.

 

I set up a Guest Wireless SSID (on its own VLAN). *HOW* in the world do you configure the controller to prevent those guest users from accessing the corporate/production network?! On the MSM controllers, this was so simple.

 

Example

Guest network 192.168.1.0/24

Corporate networks: 172.20.0.0/16, 172.21.0.0/16

 

All I want is for the guest users to NOT have access to the 172.x.0.0/16 networks. I've tried creating ACLs on the 850, but they don't work. HP tech support has been clueless.

 

This is such a BASIC and SIMPLE request for any kind of wireless solution, why is the Unified so difficult for doing this?

 

 

Jesse R
Source One Technology, Inc.
HP Partner


Peter_Debruyne
Honored Contributor

Re: Guest Wireless - frustration

Hi,

 

You can either build an ACL and apply it to the L3 VLAN interface, or use a portal forbidden-rule, for example:

portal forbidden-rule 10 destination ip 10.0.0.0 mask 255.0.0.0

 

See

http://abouthpnetworking.com/2014/05/29/hp-unified-wireless-portal-authentication-for-extended-layer2-guest-subnet/

for a sample configuration,

 

Hope this helps,

best regards, Peter

JesseR
Regular Advisor

Re: Guest Wireless - frustration

I figured out how to do this a couple of weeks ago, forgot to post the answer.

 

Isolating your guest wireless on the Unified is fairly simple (though the documentation on HOW to do it is HORRIBLE). You do NOT need a high end switch to do the ACLs for you, you can do it right on the controller.

 

 

Create an ACL... for example..

#
acl number 3000
description Block All Internal Networks Except Specific Server-Ports
rule 10 permit tcp destination 172.20.0.14 0 destination-port eq www
rule 15 permit tcp destination 172.20.0.14 0 destination-port eq 443
rule 20 permit tcp destination 172.20.0.35 0 destination-port eq 443
rule 25 permit udp destination 172.30.0.5 0 destination-port eq dns
rule 30 deny ip destination 172.16.0.0 0.15.255.255

 

(this will block traffic on the guest network (let's say the guest network is a 192.168.10.x/24) from accessing the entire Class-B network range which is used for your wired networks, with the exception of a few specific servers/services)

 

Then apply that ACL using firewall rules to the SSID...

 

#
interface WLAN-ESS1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 555 untagged
port hybrid pvid vlan 555
mac-vlan enable
firewall packet-filter 3000 inbound
firewall packet-filter 3000 outbound

 

 

I believe you need to be at least on firmware code P26 for this... ?

 

 

JR

Jesse R
Source One Technology, Inc.
HP Partner
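Both answers above come down to a destination-based filter on the guest SSID (Peter's portal forbidden-rule on 10.0.0.0/8, Jesse's ACL 3000 on 172.16.0.0/12), and the fastest way to find out whether such a list does what you meant is to evaluate it offline before pushing it to the controller. The script below is an added example, not code from the thread or from HP. It parses the `rule` lines of ACL 3000 exactly as posted, converts each `destination <addr> <wildcard>` pair into the prefix it really covers, and evaluates constructed sample flows from a guest client the way a first-match ACL does. Two things are assumptions, not facts taken from the page: that rules are matched in ascending rule-number order (so `rule 30` is only reached when no permit above it matched), and that a packet matching no rule is permitted, which is why the default action is an explicit parameter you can flip to `deny`. The guest client address 192.168.10.20 and the flow list are constructed for illustration.

```python
"""Offline checker for a Comware-style advanced ACL.

Added example (not from the original thread). Parses the 'rule' lines
as posted, then evaluates sample flows: first matching rule by ascending
rule number wins; an unmatched packet takes the default action, which is
ASSUMED to be permit here and is therefore an explicit parameter.
"""
import ipaddress

# ACL text copied from the thread; only the 'rule' lines are parsed.
ACL_TEXT = """
acl number 3000
description Block All Internal Networks Except Specific Server-Ports
rule 10 permit tcp destination 172.20.0.14 0 destination-port eq www
rule 15 permit tcp destination 172.20.0.14 0 destination-port eq 443
rule 20 permit tcp destination 172.20.0.35 0 destination-port eq 443
rule 25 permit udp destination 172.30.0.5 0 destination-port eq dns
rule 30 deny ip destination 172.16.0.0 0.15.255.255
"""

PORT_NAMES = {"www": 80, "dns": 53, "https": 443}


def _addr(s):
    """'172.20.0.14' -> int. The wildcard shorthand '0' means 0.0.0.0."""
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))


def parse_acl(text):
    """Return rules as dicts sorted by rule number (assumed match order).

    Only the syntax used in the thread is handled: 'destination A W'
    and 'destination-port eq P'; anything else raises.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "rule":
            continue
        rule = {"number": int(parts[1]), "action": parts[2], "proto": parts[3],
                "dst": 0, "wildcard": 0xFFFFFFFF, "dport": None}  # default: any
        i = 4
        while i < len(parts):
            if parts[i] == "destination":
                rule["dst"], rule["wildcard"] = _addr(parts[i + 1]), _addr(parts[i + 2])
                i += 3
            elif parts[i] == "destination-port" and parts[i + 1] == "eq":
                rule["dport"] = PORT_NAMES.get(parts[i + 2]) or int(parts[i + 2])
                i += 3
            else:
                raise ValueError(f"unsupported token {parts[i]!r} in: {line}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r["number"])


def covered_prefix(rule):
    """CIDR covered by 'dst wildcard' when the wildcard is contiguous."""
    w = rule["wildcard"]
    if w & (w + 1):
        return None  # non-contiguous wildcard: no single prefix
    plen = 32 - w.bit_length()
    net = rule["dst"] & ~w & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(net)}/{plen}"


def matches(rule, proto, dst_ip, dport):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    w = rule["wildcard"]
    if (_addr(dst_ip) & ~w) != (rule["dst"] & ~w):
        return False
    return rule["dport"] is None or rule["dport"] == dport


def evaluate(rules, proto, dst_ip, dport=None, default="permit"):
    """First match wins; returns (action, rule number or None if default)."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule["action"], rule["number"]
    return default, None


# Constructed sample flows from guest client 192.168.10.20 as seen inbound
# on the SSID interface (corporate host is the destination).
SAMPLE_FLOWS = [
    ("tcp", "172.20.0.14", 80),     # intranet web server: permitted by rule 10
    ("tcp", "172.20.0.14", 22),     # same server over SSH: falls to rule 30
    ("tcp", "172.21.5.5", 443),     # other corporate /16: rule 30
    ("udp", "172.30.0.5", 53),      # internal DNS over UDP: rule 25
    ("tcp", "172.30.0.5", 53),      # DNS over TCP is not permitted: rule 30
    ("tcp", "93.184.216.34", 443),  # Internet: no rule matches, default action
    ("tcp", "10.0.0.1", 445),       # 10/8 is not covered by rule 30 at all
]


def audit(rules, flows, default="permit"):
    """Evaluate every flow; returns rows of (proto, ip, port, action, rule)."""
    return [(proto, ip, port) + evaluate(rules, proto, ip, port, default)
            for proto, ip, port in flows]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for r in acl:
        print(f"rule {r['number']:>3} {r['action']:6} {r['proto']:3} -> {covered_prefix(r)}")
    for row in audit(acl, SAMPLE_FLOWS):
        print(*row)
```

Running it shows that `0.15.255.255` covers 172.16.0.0/12, i.e. all sixteen 172.16 to 172.31 /16s, not just the two corporate ranges named in the question, while a 10.x destination matches nothing and is left to the default action; if the wired side also uses 10/8 or 192.168/16, each range needs its own deny, or the ACL needs an explicit deny-any at the end. Feeding the same checker flows in the other direction (corporate host as source, guest client as destination, as the `outbound` packet-filter on WLAN-ESS1 sees them) matches no rule either, since every rule keys on a corporate destination, so the return path also depends entirely on the default action.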