
Can I use AP MAC firewall to limit mobile users roaming with HiveManager NG Connect? How?


marco_tarquini
New Contributor III

With reference to AP MAC Firewall, @Sam Pirok's article looks rather clear to me:

 

https://thehivecommunity.aerohive.com/s/article/Creating-MAC-Firewall-Rules-in-HiveManager

 

But if I'm not wrong, that's to block some MAC addresses from accessing any AP assigned to a specific network policy.

 

What if I wanted to limit the roaming ability of just some mobile users in HiveManager Connect?

 

1 - Can I use some AP MAC Firewall rules to prevent mobile users' association to just some APs (not all the APs)?

 

2 - If it's possible, should I just change the destination MAC, from "any" to the MAC of the APs I want to limit? Should I do anything different/further?

 

3 - In that case, which MAC should I use in those rules? Is that the AP "device MAC" I can see in the monitor tab, or is it the BSSID / MAC the mobile clients see when connected to the AP?

 

Thanks in advance for your understanding in the matter!

4 REPLIES

marco_tarquini
New Contributor III

Thank you for your commitment and keep up with the good work.

samantha_lynn
Esteemed Contributor III

Thank you for elaborating. I think your best bet is going to be disabling lower data rates, so that the AP requires a stronger signal from the client device before it allows association or roaming. That way the client device that lost one AP nearby would have to connect to another close AP, or the connection would drop altogether. You can set this by going to Configure > Open the Network Policy > Open the SSID > Expand Additional Settings > Customize Optional Settings > The first box on this page has the Radio and Rates settings. For the 2.4GHz section, I'd recommend disabling 1-9, for the 5GHz section I'd recommend disabling 6&9, and I'd leave the last section of data rates where it is by default. If you still see client devices roaming to distant APs, you can disable more of the data rates in the first two sections, but these settings are what I recommend you start with, to avoid dropping healthy connections.

 

That said, I know that isn't a MAC-based ACL. I'll keep looking into this to see if we have an equivalent feature. I'll keep you posted on what I find.

marco_tarquini
New Contributor III

Hi Mr. Pirok, nice to "meet" you again here.

I thought about the AP MAC firewall, but obviously I was far from certain that it was the right way to address our need.

 

I'm trying to confine the APs' coverage to clients located within target regions of varying shapes and sizes.

 

In particular, sometimes (for instance when a specific AP updates/reboots, or if there's a power loss, etc.) some clients (which are somewhat on the fence between the coverage print of two different APs) associate with another AP, different from their usual one, which offers sub-optimal throughput/latency to those specific clients, and they don't switch back to the original AP when it comes up again, for various reasons (please note that currently I set a rather low Tx power, around 5-10dBm).

We would like to prevent such hiccups within a single PPSK setup, to the point of preferring a loss of connectivity for those clients.

 

I come from an old AirOS setup which offered simple MAC-based ACLs which deny/permit specific clients' association, but up to now I wasn't able to find a similar functionality in HiveOS.

 

Well, if I were on the wrong track, then I'd be glad to learn what else I should look after.

 

samantha_lynn
Esteemed Contributor III

Sorry for the long wait here, I wanted to confirm a few things before responding. The MAC firewall that the APs can host is for client traffic, not client roaming, so this wouldn't be the way to accomplish your setup. If we did set these rules up, the client device could still roam to the APs you mention in the firewall rules, but wouldn't be able to request any resources from them for the clients (could cause issues if you're using Bonjour for instance). You could adjust which APs are seen as neighboring APs, but that would affect all clients. Can I ask why you are trying to prevent roaming to particular APs that are using the same network policy? If I have a better idea of what we're trying to accomplish and why, I might be able to suggest a better method for doing so.
