Logically segregated WLAN - guest login issue

  • Updated 3 weeks ago

This should be a simple question but I'm not getting much luck with Ruckus support.

Simply put, we want to use our existing Ruckus infrastructure with an internal WLAN and also a Guest WLAN. The Guest WLAN is connected to a Guest VLAN which is logically segregated from the internal VLAN, i.e. the internal VLAN is non-routable from the Guest VLAN. Internal VLAN has internal DNS servers, Guest VLAN uses Google (8.8.8.8). The zone director is connected to the internal VLAN. Nothing too strange so far I don't think.

The Guest login page redirects to the FQDN of the zone director, however I cannot fix the current DNS lookup failure as the clients of the Guest network SHOULD never be able to access the zone director on its internal IP address.

Somehow, if I replace the FQDN with the internal IP address, it DOES work.  I don't know if this is a serious security issue with our Guest VLAN or if the zone director is doing something clever by proxying the GET request.  I can't find any documentation that suggests how this should work.

Ruckus support keep telling me that there is a DNS issue. Yes, I know that and I can fix that (implement our own DNS servers on the Guest VLAN or somehow persuade the zone director to redirect to its IP address rather than FQDN), however that doesn't answer the question. It SHOULDN'T work UNLESS the zone director / access points are doing something sneaky.

Suggestions welcome!

Ian Addis

Posted 3 weeks ago

Ian Addis

Ruckus senior engineer confirmed that the access point and zone director use DNAT to work around the non-routable VLAN.  Problem solved!
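
One way to confirm from a guest client that the DNAT explanation above is the whole story, i.e. that only the login page answers on the internal address and nothing else on the internal VLAN does. This is an added example, not code from the thread or from Ruckus; the addresses and ports are constructed placeholders to replace with your own.

```python
import socket

# Constructed placeholders (documentation range), not values from the thread.
PORTAL = ("192.0.2.10", 443)   # assumed: controller address/port the guest login redirects to
INTERNAL = [                   # assumed: internal services a guest must never reach
    ("192.0.2.10", 22),        # controller management
    ("192.0.2.20", 445),       # file server
    ("192.0.2.53", 53),        # internal DNS
]

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(portal, internal, probe=tcp_open):
    """Classify what a client on the Guest VLAN can reach.

    PORTAL_ONLY: the login page answers and no internal service does,
                 which is what DNAT of the portal alone should look like.
    LEAK:        at least one internal service answers, so the segregation
                 is broader than a portal redirect.
    NO_PORTAL:   nothing answers, not even the login page.
    """
    leaks = [t for t in internal if t != portal and probe(*t)]
    if leaks:
        return "LEAK", leaks
    if probe(*portal):
        return "PORTAL_ONLY", []
    return "NO_PORTAL", []

if __name__ == "__main__":
    # Run this while associated to the Guest WLAN.
    verdict, leaks = audit(PORTAL, INTERNAL)
    print(verdict)
    for host, port in leaks:
        print(f"  reachable from guest: {host}:{port}")
```

Run it once before and once after guest authentication, since the reachable set may differ between the two states.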