How to block management from Wireless clients on ZF 7372

  • Question
  • Updated 1 year ago
I'd like to only permit Management from Ethernet Port 1. I don't want any clients to be able to see the management UI. I've tried setting the VLAN for management to VLAN 4 and setting up a Subnet for Port 1 on VLAN 4. I set up a subnet for the Radio on VLAN 1, but the wireless clients can still see the Management interface.

Brett Cherwinski

Posted 1 year ago

Michael Brado, Official Rep

I'm not sure a standalone AP which acts as a router for both VLAN subnets can "hide" one of its Eth IP addresses.

If you can experiment, can you now Disable port 1, and still manage the AP from an SSID using VLAN 4?

Brett Cherwinski

Wouldn't that lock me out of the manager if I can't get into it via SSID?

Michael Brado, Official Rep

I've just done a test in my simple office lab.

You are trying to set up a Wireless SSID for clients, but want to keep them from seeing your AP WebUI, right?

So then, you could leave your Eth port(s) configured as Bridge to WAN in VLAN 4, if you wish or if that is what you use,
and define an Internal Subnet (any other VLAN) and DHCP scope, assign that to your SSID with Local subnet NAT
and Route to WAN, and these wireless clients get an IP from your 'other' VLAN, and should still get through your internal
network to the Internet.

However, with this configuration, no, I could not prevent the wireless VLAN clients from being able to ping the AP's
IP address on the other VLAN/network. 

Depending on your infrastructure switch/router, you might be able to create an ACL on your VLAN 4 that denies
the Wireless VLAN subnet from having HTTPS (tcp:443) to your AP's IP address...?  My simple network can't
test that ACL.
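
A check to run from a client on the wireless SSID once an ACL like the one suggested above is in place, as an added example that is not part of the original thread: it attempts TCP connections to the AP's management address and reports which ports still answer. Only tcp:443 comes from the thread; ports 80 and 22 and the placeholder address 192.0.2.10 are assumptions.

```python
import socket
import sys

# Management services to probe. Only HTTPS (tcp:443) is named in the thread;
# 80 and 22 are assumed here as other common management ports.
MGMT_PORTS = {443: "HTTPS WebUI", 80: "HTTP WebUI", 22: "SSH CLI"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The AP answered with a reset: reachable, but nothing listens there.
        return "closed"
    except OSError:
        # Timeout or unreachable: consistent with an ACL dropping the traffic.
        return "filtered"


def audit(host, ports=MGMT_PORTS, timeout=2.0):
    """Probe every management port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports the wireless client can still reach; an empty list means the block holds."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass the AP's real management IP.
    ap_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = audit(ap_ip)
    for port, state in results.items():
        print(f"{ap_ip}:{port} ({MGMT_PORTS[port]}): {state}")
    # Non-zero exit status when any management port is still reachable.
    sys.exit(1 if exposed(results) else 0)
```

A "closed" result still means the client can reach the AP's address, so only "filtered" on every port shows the wireless subnet is fully cut off from management.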