Client Isolation Whitelist Chromecast with R500

  • Question
  • Updated 4 months ago

Hello. I walked into a situation that has 4 Ruckus R500 access points. There are 2 SSIDs being broadcast, both on VLAN1. One is a private network that has no restrictions other than a WPA2 password; the other one has the additional 2 checkboxes set to enable guest isolation (under advanced settings, then on the other tab) and also has a guest isolation whitelist enabled.

The whitelist initially had 1 entry, which was the MAC address and IP of the gateway. This works, and allows internet access. Removing this makes internet access/DHCP/DNS stop working on the guest network (which is not an issue, leaving this enabled).

I have a Google Chromecast on the normal SSID that has no restrictions. People on that same network can use it just fine. I added it to the same client isolation whitelist though, and cannot ping it / see it / cast to it consistently. The odd thing is that I could very sporadically see/ping it, which I believe to be just a fluke as it only lasted around 30 seconds.

I have updated to the most current firmware as they were 2 years out of date.

Any ideas on what I can try to make it so that this isolated network has a consistently working MAC/IP-based whitelist? This is also set up as a Ruckus Unleashed network where one of the APs at any given time is the Master/Controller. I have tried rebooting APs to make a new Master take over, and nothing has changed. I have also tried joining the Chromecast to the client-isolated SSID, and that makes it so that neither the private network nor the isolated network can see it consistently.

These SSIDs are on the same VLAN / subnet / DHCP server. As a temporary bandaid, I have made an L3 ACL list that allows all by default but has 2 deny rules so guests cannot hit our server or hit our phone system. I need to find a way to make it so guests cannot hit anything though, except for this Chromecast, and the whitelist seems to be failing me. Is this a limitation due to the Chromecast also being on the wireless, and in order to turn on the option "Isolate wireless client traffic from all hosts on the same VLAN/subnet", I have to first turn on the option "Isolate wireless client traffic from other clients on the same AP", and maybe the whitelist isn't applying to devices on the same AP and is only applying against the subnet/VLAN? If that's the case, I'll just buy a $15 Ethernet adapter for the Chromecast and be done with this weird problem.

Sean Conwell

Posted 4 months ago
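
The gap between the allow-by-default L3 ACL described in the question and the stated goal (guests reach nothing on the LAN except the Chromecast) can be modelled as follows; this is an added example, not part of the original post and not Ruckus configuration. First-match rule evaluation is an assumption about how the ACL is processed, and all addresses and host names are constructed.

```python
import ipaddress

def evaluate(rules, default, dst_ip):
    """Return the action of the first rule whose network contains dst_ip.
    First-match ordering is an assumption, not confirmed Ruckus behaviour."""
    ip = ipaddress.ip_address(dst_ip)
    for action, network in rules:
        if ip in ipaddress.ip_network(network):
            return action
    return default

def reachable(policy, targets):
    """Sorted names of the targets a guest can still reach under a policy."""
    rules, default = policy
    return sorted(name for name, ip in targets.items()
                  if evaluate(rules, default, ip) == "allow")

# Constructed addresses (documentation ranges), not values from the thread.
TARGETS = {
    "gateway": "192.0.2.1",
    "server": "192.0.2.10",
    "phone-system": "192.0.2.20",
    "chromecast": "192.0.2.50",
    "printer": "192.0.2.77",      # a LAN host nobody thought to list
    "internet": "198.51.100.7",
}
LAN = "192.0.2.0/24"

# Band-aid from the post: allow by default, two deny rules.
BANDAID = ([("deny", "192.0.2.10/32"), ("deny", "192.0.2.20/32")], "allow")

# Stated goal: on the LAN, guests reach only the gateway and the Chromecast.
STRICT = ([("allow", "192.0.2.1/32"), ("allow", "192.0.2.50/32"),
           ("deny", LAN)], "allow")

# Same rules with the subnet deny first: the specific allows never match.
MISORDERED = ([("deny", LAN), ("allow", "192.0.2.1/32"),
               ("allow", "192.0.2.50/32")], "allow")

if __name__ == "__main__":
    for name, policy in (("bandaid", BANDAID), ("strict", STRICT),
                         ("misordered", MISORDERED)):
        print(f"{name:10} -> {reachable(policy, TARGETS)}")
```

Under the band-aid every unlisted LAN host stays reachable to guests, which is why a subnet-wide deny placed after the specific allows is the safer shape.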

Andrew Giancola

If I recall correctly, you cannot whitelist other wireless clients/devices.
Sean Conwell

That feels like the case. Which at least I have an Ethernet option. Also when I whitelist the 4 APs, I can hit any 3 of the 4, and cannot hit the one I am connected to. So that could be the case.
Andrew Giancola

Just an FYI, maybe not with Ruckus, but with other vendors, there have been problems with isolation applying to clients roaming between APs. You may consider setting up a second VLAN and moving your guest traffic over to it. Relying on isolation for segmentation is not a good idea.
Sean Conwell

Thanks Andrew. I can see about trying to do this. I know I can make that work on a separate VLAN. They would still need to use the isolation as they have a requirement to keep guests isolated from other guests, but I understand the benefits of it also being on a separate VLAN. In order to accomplish that, I'll need to get more familiar with mDNS/Bonjour gateway forwarding as they still want this 1 Chromecast to be reachable by people on both networks.

Confident though at this point that at the very least, I need to get the Chromecast on the LAN. Once cable connected instead of on Wi-Fi, that will hopefully work, and then I can set up a test SSID on a secondary VLAN, and see if I can get these other requested features to play nice.

Thanks for the quick responses to this. I'm OK with proceeding with the assumption I cannot whitelist a wireless client and can only whitelist other LAN clients.