Unleashed: Separate Guest VLAN but GuestPortal only in Default VLAN

  • Updated 2 years ago
The R500 Unleashed publishes its Guest Portal on its management IP address.
We set up a separate VLAN for Guests with only internet-access through a fully separated proxy.
The guests in that separate VLAN are redirected to the (unreachable) management IP address for authentication.

To clarify, here is a larger explanation:
Ruckus Unleashed AP has fixed IP address 192.168.0.241. It has no option for VLAN tagging settings on its management, so on the switch we let it land on the default untagged VLAN 1.
For simplicity, we leave it VLAN 1, which is then also our own internal management network.


We create several WLANs, each with a different VLAN setting.
These are recognized on the switch as Tagged VLANs, so we can fully separate them (separate from each other and from our management network).


One WLAN we use for Guests, so we configure the Ruckus internal Guest Portal.
On the Ruckus, this WLAN is configured with VLAN 2 to be fully separated from management and any other network.
Only the Ruckus and an internet proxy are in this network, connected by the switch on VLAN 2.
To avoid confusion, we use a different IP segment: 10.0.0.x on this network.
(but there is nothing on the Ruckus to make the Ruckus aware of that)


When I use a tablet as Guest device and connect to the Guest WLAN, I get redirected to 192.168.0.241 for entering my Guest code.
Since 192.168.0.241 is not reachable from the 10.0.0.x (because it is not in the same IP segment, not routed AND because we are on a different VLAN), it gives a timeout.
Also, we don't want to make 192.168.0.241 available on the Guest network, because that poses a huge security risk (it's also the management IP).

Jimmy van der Mast


Posted 2 years ago


Daniel M


Hey Jimmy,

While I have a similar scenario—Guest network in an isolated VLAN (environment is routed, but Access Control Lists prevent the guest VLAN from accessing other VLANs)—I have not experienced your issue. While I haven’t looked into this in detail, and I do see that guests’ browsers reflect the management IP, it appears some tricks are being done here as I never actually see any traffic going from the client to the management IP (meaning, I don’t see any traffic going to the management IP over the wire, so this is never being routed and is being handled wirelessly). That said, I’m using “No authentication” for my Guest Access, so this might be different from what you’re doing.

Cheers.


Jimmy van der Mast

Hi Daniel, that is exactly why you don't run into this problem: you don't use the internal guest portal for authentication. It is that portal that is unreachable from a different VLAN, because it can only be in the management VLAN... (because it runs on the IP address of the AP)

Daniel M


That’s possible, but my guests do get the Terms of Use screen and must click on “Accept and Continue” before being able to browse.  For what it’s worth, I don’t use a proxy—perhaps there’s a chance this is interfering.


Jimmy van der Mast

So is there perhaps a form of routing between the guest network and the network where the APs are configured/managed?

Louis-Philippe Normandin

I second Jimmy's "feature request" as this is definitely a limitation of the Unleashed AP. It has only one IP on the default VLAN for everything, including guest authentication and also for guest pass generation. This is also a security issue as I would like to keep the management IP in a dedicated management VLAN which is not accessible by users, then have the guest login and guest pass generation web pages on another VLAN, maybe even two separate VLANs.