Guest Wifi - restricted subnet access

  • Updated 4 weeks ago
ZD1100 (I know EOL).  firmware 9.9.1.0 build 52

I've set up GuestWifi and activation and it works very nicely. I want to restrict users from other subnets so I configured Restricted Subnet Access, however, I can still get to anything on these subnets...ping, file shares, web portals, etc. Not sure what else I'm doing wrong?

Wayne Eaton


Posted 4 weeks ago


Igor Tunakin

Hi, it's because the ACL is wrong. What subnet are you going to block?

You cannot block a subnet and allow some part of it.
Ex.
deny 172.16.0.0/12 means all packets with destination IP from 172.16.0.0 to 172.31.255.255 will be denied. And then you write: allow 172.17.10.3/32
If an ACL has this kind of mistake, it cannot be activated.


Wayne Eaton

Thank you, I can see that now. However, if this was working, then probably nothing would be working and my subnets that I'm intending to block would already be blocked by the 172.16.0.0/12. So this is still not working as I can get to IPs on 172.17.10.0...172.17.40.0...etc. Is there anything else I need to enable anywhere?

Igor Tunakin

Could you show your new ACL?

Wayne Eaton

Sure...here it is...

Igor Tunakin

Looks good. Hmm... it has to work. I just tested a similar config and it is working well.
Try to create a new Guest Access Service and configure a new ACL. But this time step by step. Block one subnet and test it. Then the next one.

Wayne Eaton

Good idea...will do and let you know results.  Thanks.

Wayne Eaton

Well that seemed to do the trick! When I created a new Guest Access Service, it put the four 'Deny' policies in place on its own. However, I've added the 'allow' policy at the top so that users can get to a Crestron Mercury conferencing device for AirMedia and I can't get to that IP address. Thoughts?

Wayne Eaton

Disregard that last note about the Allow rule.  I waited 10 minutes after setting this rule to test it, but I guess it took a little longer for it to work.  I'm all set.  Thanks Igor!
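
An added example, not part of the thread and not Ruckus code: a small model of an ordered guest ACL that shows how the position of the allow 172.17.10.3/32 entry relative to deny 172.16.0.0/12 changes the outcome, and flags rules that can never match. It assumes rules are evaluated top-down with the first match winning and that unmatched destinations are allowed; the function names and test addresses are constructed for illustration.

```python
import ipaddress

def parse(rules):
    """Turn ("deny", "172.16.0.0/12") pairs into (action, network) tuples."""
    out = []
    for action, cidr in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        # strict=True rejects entries with host bits set (e.g. 172.17.10.3/24)
        out.append((action, ipaddress.ip_network(cidr, strict=True)))
    return out

def decide(rules, dst, default="allow"):
    """Assumed model: first matching rule wins, otherwise the default applies."""
    ip = ipaddress.ip_address(dst)
    for action, net in parse(rules):
        if ip in net:
            return action
    return default

def shadowed(rules):
    """Return (rule_index, earlier_index) for every rule that is fully covered
    by an earlier rule and therefore can never match a packet."""
    parsed = parse(rules)
    hits = []
    for i, (_, net) in enumerate(parsed):
        for j in range(i):
            earlier = parsed[j][1]
            if net.version == earlier.version and net.subnet_of(earlier):
                hits.append((i, j))
                break
    return hits

# Constructed rule sets built from the two entries quoted in the thread.
DENY_FIRST = [("deny", "172.16.0.0/12"), ("allow", "172.17.10.3/32")]
ALLOW_FIRST = [("allow", "172.17.10.3/32"), ("deny", "172.16.0.0/12")]

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name)
        for dst in ("172.17.10.3", "172.17.40.1", "8.8.8.8"):
            print(f"  {dst:<12} -> {decide(acl, dst)}")
        for i, j in shadowed(acl):
            print(f"  rule {i} {acl[i]} is shadowed by rule {j} {acl[j]}")
```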