Solved

ACL filter access GUI wlan to controller

  • 8 February 2019
  • 3 replies
  • 203 views

Hi everyone

I need help to filter HTTPS WLAN traffic to the controller so the clients do not access the GUI administration. My configuration is this, but it does not work. My controller is an RFS4000 with WiNG 5.9.2.

rfs4000-FB845F(config)#ip access-list DenyAcces_in

deny tcp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 2
deny tcp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 3
deny tcp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 4
deny tcp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www log rule-precedence 5
deny udp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www rule-precedence 6
deny udp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 7
deny udp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 8
deny udp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 9
permit ip any any log rule-precedence 10

rfs4000-FB845F(config)#wlan wiffi
rfs4000-FB845F(config-wlan-wiffi)#use ip-access-list FabrilAdmin

Can you see what configuration is bad, or my error?

Thanks

Best answer by Chris Kelly 8 February 2019, 17:48

Mario, the IP ACL should look like this:
(Looking at what you have and what I'm stating, it appears that your setup SHOULD be working)

If your RFS4000 is 10.10.1.210 and you want to keep wireless users on the 192.168.1.0/24 network from accessing the controller, it would look like this:

(For HTTPS - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000

(For HTTP - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000

(Repeat for UDP access)

And then your allow rule for anything else:
permit ip any any log rule-precedence 10


Then, in the WLAN profile, enter:
use ip-access-list in "Name of Rule created to block"

3 replies

Sorry, my last command is bad; this is my real command:

rfs4000-FB845F(config-wlan-fabril-wiffi)#use ip-access-list in DenyAcces_in
Thanks, yes. When I saw your answer, I looked at my configuration and this part is wrong: deny tcp 192.168.1.0/24 eq 80. I misused the exit port, since it was placed for all the output ports.
Finally the rule was as you mention. It works now.
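The mistake the thread turns on is that `eq 80` / `eq 443` placed after the source network matches the client's *source* port, so a client opening a connection from an ephemeral port never hits the deny lines and falls through to `permit ip any any`. The following Python simulator is an added example, not WiNG code and not written by any participant in the thread. It parses the rule syntax shown above, applies first-match-by-precedence with an assumed implicit deny when nothing matches, and evaluates both the questioner's original ACL and the accepted answer's ACL (with the UDP lines the answer says to repeat) against constructed client flows. The client address 192.168.1.50 and source port 51234 are constructed sample values.

```python
"""Offline simulator for WiNG-style IP ACL rules (added example, not WiNG code)."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}   # names used after "eq" in the thread
Rule = namedtuple("Rule", "action proto src src_port dst dst_port precedence")
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")   # one connection attempt


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_rule(line: str) -> Rule:
    """<deny|permit> <proto> <src> [eq <port>] <dst> [eq <port>] [log] rule-precedence N [rule-description ...]
    where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D/M'."""
    toks = line.split()
    pos = 2  # toks[0] = action, toks[1] = protocol

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        tok = toks[pos]
        if tok == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok == "host":
            pos += 2
            return ipaddress.ip_network(toks[pos - 1] + "/32")
        pos += 1
        return ipaddress.ip_network(tok, strict=False)

    def take_port() -> Optional[int]:   # a port qualifier exists only if "eq" follows the address
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src, src_port = take_addr(), take_port()   # "eq" right after the source = SOURCE port match
    dst, dst_port = take_addr(), take_port()   # "eq" after the destination = DESTINATION port match
    rest = toks[pos:]
    precedence = int(rest[rest.index("rule-precedence") + 1])
    return Rule(toks[0], toks[1], src, src_port, dst, dst_port, precedence)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.proto == "ip" or rule.proto == flow.proto)
            and ipaddress.ip_address(flow.src_ip) in rule.src
            and ipaddress.ip_address(flow.dst_ip) in rule.dst
            and rule.src_port in (None, flow.src_port)
            and rule.dst_port in (None, flow.dst_port))


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule in precedence order wins; no match = implicit deny (assumed behaviour)."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if matches(rule, flow):
            return rule.action, rule.precedence
    return "deny", None


# The questioner's original ACL, copied from the thread.
ORIGINAL_ACL = """
deny tcp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 2
deny tcp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 3
deny tcp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 4
deny tcp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www log rule-precedence 5
deny udp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www rule-precedence 6
deny udp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 7
deny udp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 8
deny udp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 9
permit ip any any log rule-precedence 10
"""

# The accepted answer's ACL, with the UDP lines it says to repeat (constructed here as precedence 3 and 4).
CORRECTED_ACL = """
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000
deny udp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 3
deny udp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 4
permit ip any any log rule-precedence 10
"""


def management_access(acl_text: str, client_ip: str = "192.168.1.50", client_port: int = 51234,
                      controller_ip: str = "10.10.1.210") -> dict:
    """Action taken for a wireless client opening HTTPS (443) and HTTP (80) to the controller GUI.
    client_ip/client_port are constructed sample values (a real client uses an ephemeral source port)."""
    acl = parse_acl(acl_text)
    return {port: evaluate(acl, Flow("tcp", client_ip, client_port, controller_ip, port))[0]
            for port in (443, 80)}


if __name__ == "__main__":
    print("original :", management_access(ORIGINAL_ACL))    # {443: 'permit', 80: 'permit'}: GUI still reachable
    print("corrected:", management_access(CORRECTED_ACL))   # {443: 'deny', 80: 'deny'}
```

Running it shows the original ACL returning `permit` for a client's HTTPS and HTTP connections to 10.10.1.210 (the only flows it would deny are ones whose *source* port is 80 or 443), while the corrected ACL returns `deny` for both. Two caveats: the simulator models only the fields present in the rules shown, not the controller's real ACL engine, so it is a sanity check on rule logic to be confirmed against the `log` entries the rules generate on the device; and the corrected ACL covers only 10.10.1.210, whereas the original rules also listed 192.168.1.1, so any other address on which the controller's GUI answers from the WLAN side needs its own deny lines or the simulator will report `permit` for it.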
