Full Wireless Client Isolation

  • Updated 9 months ago
Hi

I want to restrict clients to the Default Gateway by putting a checkbox to Client Isolation with whitelist (9.7), but it is not working like in version 9.6.
Problem is: what do I whitelist? If I whitelist the default gateway (only), I don't get an IP address from DHCP; if I whitelist the DHCP server, I can access shares since it is also the file server.
I tested it thoroughly. If I upgrade from 9.6 to 9.7, the radio button from 9.6 is changed to a whitelist named mpff without any rule (which is not possible to set manually).
Any help is appreciated to get the same feature as in 9.6.

thanks
Jos Vens

Jos Vens


Posted 3 years ago


ICT Lyceum

We have the same problem.
That's why we don't upgrade yet.

Full client isolation is very important and we want it to work.

The manual does not give a very good explanation, we think.
You can make whitelists, but if we add our DHCP/DNS we also expose our shares (because the machine is both Active Directory, DHCP, DNS AND file server).

How do we fix this?

Rafael van den Berg

All you need to do is create a whitelist and then select both "Isolate wireless client traffic from other clients on the same AP" and "Isolate wireless client traffic from all hosts on the same VLAN/subnet". But before you do that you need to create a whitelist by going to Configure / Access Control. In the Whitelist section go ahead and select Create New and then name it. Once named, in that field you will see another Create New in that same window. Add the device's name and the IP address of your DHCP pool DG. Also you will need to add the MAC address of the network card on your router that the DHCP addresses are tunneling out of. Then select OK. Once that is done go back to the WLAN. Hit Edit and select both of the above for the Full Client Isolation. In the drop-down box select the whitelist name that you just created and hit OK. What this does is create full client isolation so the guests are not able to talk to one another.

I forgot one thing. You need to go to Configure and Guest Access. You will need to allow your ZD to pass traffic to your router. So in the Restricted Subnets you will need to create a new one. Select it to be number 1 and allow it. In the field where it asks you to put in an IP address, enter the DG of your guest DHCP pool followed by a /32. This will only allow your ZD to talk to the router.

You will need to do the following for each WLAN/VLAN and DHCP pool. I tested this today, and when I go to no Full Client Isolation I can ping other people on the network. When I enable it with the whitelist, I can no longer ping client devices.

Hope this helps as I spent so many hours figuring it out. I am not sure why Ruckus made the change!

Jos Vens

Hi Rafael

Thanks for your deep testing. Tomorrow we will try it out, but one thing can still be a problem: you say the router is DHCP.
The problem we have is: server = DHCP, not the router, so if we whitelist the DHCP server, we give access to the server, and that's just what we want to avoid.

Could it be a solution to whitelist the DHCP server and to make an access control that allows the DHCP protocol?

I'm not sure, we will test it and let you know the solution!
Thanks again,
Jos Vens

Andrew McCartney

I am trying this using the virtual MAC and IP address of the Default Gateway (firewall cluster) in the whitelist, and it does not work.
Internet access and DHCP all come through this interface.
Has anybody else had this problem?

Jos Vens

Solution found! Thanks all, you made me think further so I could find a solution to get Full Wireless Client Isolation as it was before firmware 9.7.

Step 1: Whitelist the router and the DHCP server if they are different machines.
Step 2: Make an L3/IP ACL and allow the protocols DHCP, DNS, HTTP and HTTPS.

Apply the whitelist via the isolation checkbox and apply the ACL in the advanced options of the WLAN. Ready, works fine: clients can surf the internet but cannot ping or access files on the file server (which is in this case also the DHCP server).

Thanks everyone!
Jos Vens
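To see why step 1 on its own still exposes the file server and why the step 2 ACL closes that hole, here is an added Python model of the two checks combined (example code, not Ruckus ZoneDirector code). The subnet, addresses, the "isolation whitelist first, then L3 ACL with default deny" ordering, and the assumption that DHCP renewals are unicast to the server are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumptions, not a real network).
GUEST_SUBNET = ip_network("192.168.50.0/24")
GATEWAY = ip_address("192.168.50.1")            # router / default gateway
DHCP_FILE_SERVER = ip_address("192.168.50.10")  # DHCP + DNS + file server on one box


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0  # destination port, 0 for ICMP


# Step 1: isolation whitelist, the on-subnet hosts a client may still reach.
WHITELIST = {GATEWAY, DHCP_FILE_SERVER}

# Step 2: L3/IP ACL; first match wins, anything unmatched is denied (assumption).
L3_ACL = [
    ("udp", 67, "allow"),   # DHCP to the server port (renewals modelled as unicast)
    ("udp", 53, "allow"),   # DNS
    ("tcp", 53, "allow"),
    ("tcp", 80, "allow"),   # HTTP
    ("tcp", 443, "allow"),  # HTTPS
]


def isolation_permits(flow: Flow, whitelist=WHITELIST) -> bool:
    """Full client isolation: drop traffic to hosts on the client's own subnet
    unless the host is whitelisted; off-subnet (internet) traffic passes."""
    dst = ip_address(flow.dst)
    return dst not in GUEST_SUBNET or dst in whitelist


def acl_permits(flow: Flow, acl=L3_ACL) -> bool:
    """L3 ACL matched on protocol and destination port; no match means deny."""
    for proto, port, action in acl:
        if flow.proto == proto and flow.dport == port:
            return action == "allow"
    return False


def policy(flow: Flow, use_acl: bool = True) -> str:
    """Apply the thread's two steps in order; use_acl=False shows step 1 alone."""
    if not isolation_permits(flow):
        return "deny"
    if use_acl and not acl_permits(flow):
        return "deny"
    return "allow"
```

With `use_acl=False` an SMB flow (TCP 445) to the whitelisted DHCP/file server is allowed, which is exactly the exposure described above; with the ACL in place it is denied while DHCP, DNS and web traffic still pass.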

Jeret Shuck

Hi Jos,

I'm trying to set up the same configuration for a guest network. I have enabled the whitelist and created the L3 ACL. However, when selecting the access control options for my guest WLAN, there is no L3 drop-down menu, see the screenshot: http://i.imgur.com/qPayGjL.png

Any thoughts or input would be greatly appreciated.