Question

Guest SSID only internet access

  • 29 June 2019
  • 1 reply
  • 298 views

We are setting up a wireless network with AP 7632s. We will have one of the APs as a virtual controller. As per the IP plan, we will be using the 10.1.5.0/24 range and VLAN 5 for all user devices needing internet access. This also goes for Guest Wi-Fi users who connect to the Guest SSID. All Wi-Fi clients get IP addresses from the central DHCP server. This is all working now. But the problem is that there is no restriction for guests. They can access the internal network.

What is the best way to restrict the guest users on this SSID so they can only access the internet and nothing else on the internal network? Is there a way to set the next hop of these users to a default route to the firewall?

1 reply

Hello Philip,

As a starter, I'd recommend some separation in the backbone:
  • one (or many) VLANs for internal users (based on architecture requirements, having things in order, and on scale - it is good to have just up to 100-200 devices in a broadcast domain, and literally - do employees need to see each other in a VLAN for just Internet access?),
  • one VLAN (or many - a VLAN pool for broadcast domain size control) for guests, separate from the internal users' VLAN ID(s).
Are there any limitations or requirements that would prevent you from doing this?
The DHCP server should then be configured for multiple scopes (subnets), and if it is in a certain VLAN (VLAN 5, I assume), DHCP Relay/BOOTP Relay would have to be configured on the gateway router. You can also utilize the WiNG AP to work as a DHCP server for guest subnets.

Besides VLAN-based device separation, you can play with a stateful firewall that can be role-based, along with L7 restrictions (Application Policy), URL white/blacklisting and URL filtering (based on Cyren's categorization of Internet resources). The sky is the limit.

For letting guest users reach just the Internet, you can do it in several ways; for instance, you can apply an ACL to a user within a role-based firewall based on the SSID name which the guest connects to, or you can apply that ACL to the entire WLAN. This ACL would permit common ports like 80/443 and some e-mail protocols and deny internal subnets and all the other protocols. However, denying internal subnets can also be achieved on the gateway router that connects the VLANs together, while for the guest VLAN itself you are able to disable MU to MU communication on WiNG (or also prevent the IP destination of that subnet in the ACL).

Options are many; please let us know what route you would like to take so we can assist you further.

Hope that helps,
Tomasz
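To make the ACL logic in the reply concrete, here is an added example (not from the original thread, and not WiNG syntax): a small first-match ACL evaluator modelling a guest policy that denies the internal subnets (the 10.1.5.0/24 range from the question plus the other RFC 1918 blocks, which are assumed), then permits web and mail ports. DNS to an assumed gateway at 10.1.5.1 and DHCP are permitted as additional assumptions so guests can still obtain addresses and resolve names. It also shows why rule order matters: moving the broad "permit 80/443" rule ahead of the internal denies silently exposes internal web servers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

# Constructed example: a first-match ACL evaluator for the guest-SSID policy.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("10.1.5.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_DNS = ipaddress.ip_network("10.1.5.1/32")  # assumed gateway/DNS relay address


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    proto: str                                    # "tcp", "udp" or "any"
    dst_net: Optional[ipaddress.IPv4Network]      # None matches any destination
    dports: Optional[FrozenSet[int]]              # None matches any destination port


# Order matters: specific permits, then internal denies, then broad permits, then deny-all.
GUEST_ACL: List[Rule] = [
    Rule("permit", "udp", GATEWAY_DNS, frozenset({53})),       # DNS to the gateway only
    Rule("permit", "udp", None, frozenset({67})),              # DHCP to the central server
    *[Rule("deny", "any", net, None) for net in INTERNAL_SUBNETS],
    Rule("permit", "tcp", None, frozenset({80, 443, 25, 465, 587, 993, 995})),  # web + mail
    Rule("deny", "any", None, None),                           # explicit deny-all
]


def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, int]:
    """Return (action, index of the matching rule); unmatched traffic is implicitly denied."""
    dst = ipaddress.ip_address(dst_ip)
    for idx, rule in enumerate(acl):
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_net is not None and dst not in rule.dst_net:
            continue
        if rule.dports is not None and dport not in rule.dports:
            continue
        return rule.action, idx
    return "deny", -1


def misordered(acl: List[Rule]) -> List[Rule]:
    """Reproduce a common mistake: put the broad web/mail permit before the internal denies."""
    broad = next(r for r in acl if r.action == "permit" and r.dst_net is None and r.proto == "tcp")
    return [broad] + [r for r in acl if r is not broad]


if __name__ == "__main__":
    for proto, ip, port in (("tcp", "93.184.216.34", 443), ("tcp", "10.1.5.20", 443)):
        print(proto, ip, port, evaluate(GUEST_ACL, proto, ip, port), evaluate(misordered(GUEST_ACL), proto, ip, port))
```

Running the block prints the verdict for an external HTTPS host and an internal HTTPS server under both orderings; the internal host is denied by the correct ACL but permitted by the mis-ordered one.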
