cancel
Showing results for 
Search instead for 
Did you mean: 

ACL filter access GUI wlan to controller

ACL filter access GUI wlan to controller

mario123na
New Contributor
Hi everyone

I need help to filter https wlan traffic to controller for they clients do not access to GUI administration my configuration is this but do not work, my controller is RFS4000 with Wing 5.9.2

rfs4000-FB845F(config)#ip access-list DenyAcces_in

deny tcp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 2
deny tcp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 3
deny tcp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 4
deny tcp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www log rule-precedence 5
deny udp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www rule-precedence 6
deny udp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 7
deny udp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 8
deny udp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 9
permit ip any any log rule-precedence 10

rfs4000-FB845F(config)#wlan wiffi
rfs4000-FB845F(config-wlan-wiffi)#use ip-access-list FabrilAdmin

Can us see What configuration is bad or my error?

Thanks
1 ACCEPTED SOLUTION

ckelly
Extreme Employee
Mario, the IP ACL should look like this:
(Looking at what you have and what I'm stating, it appears that your setup SHOULD be working)

If your RFS4000 is 10.10.1.210 and you want to keep wireless users on the 192.168.1.0/24 network from access the controller, it would look like this:

(For HTTPS - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000

(For HTTP - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000

(Repeat for UDP access)

And then your allow rule for anything else:
permit ip any any log rule-precedence 10


Then, in the WLAN profile, enter:
use ip-access-list in "Name of Rule created to block"

View solution in original post

3 REPLIES 3

mario123na
New Contributor
Thanks, yes, When I saw your answer, I look my configuration and this part is wrong, deny tcp 192.168.1.0/24 eq 80, I bad use the port to exit, since it was to place all the output ports,
finally the rule was as you mention, It is work now

ckelly
Extreme Employee
Mario, the IP ACL should look like this:
(Looking at what you have and what I'm stating, it appears that your setup SHOULD be working)

If your RFS4000 is 10.10.1.210 and you want to keep wireless users on the 192.168.1.0/24 network from access the controller, it would look like this:

(For HTTPS - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000

(For HTTP - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000

(Repeat for UDP access)

And then your allow rule for anything else:
permit ip any any log rule-precedence 10


Then, in the WLAN profile, enter:
use ip-access-list in "Name of Rule created to block"

mario123na
New Contributor
Sorry my last command is bad this is my really command

rfs4000-FB845F(config-wlan-fabril-wiffi)#use ip-access-list in DenyAcces_in
GTM-P2G8KFN