Different Vlan not Communicate


Userlevel 2
Hi,
I am using an AP 7532; the firmware is 5.9.2. I created two VLANs (vlan1 & vlan2) and two SSIDs (Employee & Guest) on this AP. The IP addresses of vlan1 & vlan2 are 192.168.10.10 & 192.168.2.10. SSID Employee is mapped to vlan1 and Guest is mapped to vlan2. After configuring, I connected two clients to the different SSIDs. I can reach Employee from Guest, but I can't reach Guest from Employee.

The client below is connected to SSID Employee. This client's IP address is 192.168.10.105.

Another client is connected to SSID Guest; its IP address is 192.168.2.20. So the ping from 192.168.2.10 to 192.168.10.105 works, but the ping from 192.168.10.105 to 192.168.2.20 does not.

7 replies

Userlevel 4
What is responsible for routing between networks in your environment? It sounds like you possibly reversed your routing and policy logic (meaning employee might be trusted more than guest and only ping in that direction). Regardless, those routes, rules and policies are up to you.
Userlevel 7
Or the client in the guest network has a personal firewall installed that doesn't allow pinging the device.
Userlevel 5
Can you show us the 'ip access-list nat-rule' you configured on the AP?
Userlevel 2
Now I am sharing all my configuration details.
LAN:



WAN:


Wireless:


Services:



Access Point:



Userlevel 2
ap7532-18A21C#sh running-config
!
! Configuration of AP7532 version 5.9.2.0-032R
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
ip access-list default-B8500118A21C-nat
permit ip any any rule-precedence 1
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy Employee
rate-limit client to-air rate 5000
rate-limit client from-air rate 5000
qos trust dscp
qos trust wmm
!
wlan-qos-policy Guest
rate-limit client to-air rate 5000
rate-limit client from-air rate 5000
qos trust dscp
qos trust wmm
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan Employee
description Employee
ssid Employee
vlan 1
bridging-mode local
encryption-type ccmp
authentication-type none
no fast-bss-transition over-ds
wpa-wpa2 psk 0 Employee@123
use wlan-qos-policy Employee
!
wlan Guest
description Guest
ssid Guest
vlan 2
bridging-mode local
encryption-type ccmp
authentication-type none
no fast-bss-transition over-ds
wpa-wpa2 psk 0 Guest@123
use wlan-qos-policy Guest
!
dhcp-server-policy WiNGExpressDhcpSvrPolicy
dhcp-pool default-vlan2-pool
network 192.168.2.0/24
address range 192.168.2.11 192.168.2.20
default-router 192.168.2.10
dns-server 192.168.2.10 8.8.8.8
!
!
management-policy default
telnet
no http server
https server
ip address zeroconf secondary
ip dhcp client request options all
interface vlan2
description Guest
ip address dhcp
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
timezone Asia/Calcutta
country-code in
use nsight-policy default
!
ap7532 B8-50-01-18-A2-1C
use profile default-ap7532
use rf-domain default
hostname ap7532-18A21C
location default
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip default-gateway 192.168.10.1
interface vlan1
description "WAN Interface"
ip address 192.168.10.10/24
no ip dhcp client request options all
ip nat inside
no shutdown
interface vlan2
description Guest
ip address 192.168.2.10/24
ip nat inside
use dhcp-server-policy WiNGExpressDhcpSvrPolicy
virtual-controller
rf-domain-manager capable
ip dns-server-forward
ip nat inside source list default-B8500118A21C-nat precedence 1 interface vlan1 overload
no adoption-mode
!
!
end
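An added example, not part of any post in this thread: the `BROADCAST-MULTICAST-CONTROL` access list from the running-config above, evaluated for pings in both directions between the two clients. It assumes first-match evaluation in ascending `rule-precedence` with an implicit deny at the end; the config does not show where this list is applied, and the function names and test packets are constructed for illustration.

```python
import ipaddress

# Rules copied from "ip access-list BROADCAST-MULTICAST-CONTROL" in the posted
# running-config: (precedence, action, protocol, src, src_ports, dst, dst_ports)
RULES = [
    (10, "permit", "tcp", "any", None, "any", None),
    (11, "permit", "udp", "any", (67, 67), "any", (68, 68)),  # dhcpc = port 68
    (20, "deny", "udp", "any", (137, 138), "any", (137, 138)),
    (21, "deny", "ip", "any", None, "224.0.0.0/4", None),
    (22, "deny", "ip", "any", None, "255.255.255.255/32", None),
    (100, "permit", "ip", "any", None, "any", None),
]

def _addr_ok(spec, addr):
    # "any" matches everything; otherwise test membership in the prefix.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(rng, port):
    # A rule without a port range matches any packet, including port-less ICMP.
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(proto, src, dst, sport=None, dport=None):
    """Return (action, precedence) of the first matching rule.

    Assumption: rules are checked in ascending rule-precedence, the first
    match wins, and a packet matching no rule is dropped (implicit deny).
    """
    for prec, action, rproto, rsrc, rsport, rdst, rdport in sorted(RULES, key=lambda r: r[0]):
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_ok(rsrc, src) and _addr_ok(rdst, dst)):
            continue
        if not (_port_ok(rsport, sport) and _port_ok(rdport, dport)):
            continue
        return action, prec
    return "deny", None

if __name__ == "__main__":
    # Constructed test packets using the client addresses given in the thread.
    for pkt in [("icmp", "192.168.10.105", "192.168.2.20"),
                ("icmp", "192.168.2.20", "192.168.10.105"),
                ("udp", "192.168.2.20", "192.168.2.255", 137, 137),
                ("udp", "192.168.10.105", "224.0.0.251", 5353, 5353)]:
        print(pkt, "->", evaluate(*pkt))
```

Under these assumptions the list gives the same verdict for unicast ICMP in either direction, so it does not by itself distinguish Employee-to-Guest from Guest-to-Employee traffic.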
Userlevel 2
Awaiting a reply.
Userlevel 5
Let us start with configuring the firewall for best practice.

How To: How to apply the best practices firewall policy to WiNG APs
