This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

ACL filter access GUI wlan to controller

ACL filter access GUI wlan to controller

Go to solution
mario123na
New Contributor

ā€Ž02-08-2019 04:17 PM

Hi everyone

I need help to filter https wlan traffic to controller for they clients do not access to GUI administration my configuration is this but do not work, my controller is RFS4000 with Wing 5.9.2

rfs4000-FB845F(config)#ip access-list DenyAcces_in

deny tcp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 2
deny tcp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 3
deny tcp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 4
deny tcp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www log rule-precedence 5
deny udp 192.168.1.0/24 eq 80 host 192.168.1.1 eq www rule-precedence 6
deny udp 192.168.1.0/24 eq 443 host 192.168.1.1 eq https log rule-precedence 7
deny udp 192.168.1.0/24 eq 443 host 10.10.1.210 eq https log rule-precedence 8
deny udp 192.168.1.0/24 eq 80 host 10.10.1.210 eq www log rule-precedence 9
permit ip any any log rule-precedence 10

rfs4000-FB845F(config)#wlan wiffi
rfs4000-FB845F(config-wlan-wiffi)#use ip-access-list FabrilAdmin

Can us see What configuration is bad or my error?

Thanks
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
ckelly
Extreme Employee

ā€Ž02-08-2019 04:48 PM

Mario, the IP ACL should look like this:
(Looking at what you have and what I'm stating, it appears that your setup SHOULD be working)

If your RFS4000 is 10.10.1.210 and you want to keep wireless users on the 192.168.1.0/24 network from access the controller, it would look like this:

(For HTTPS - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000

(For HTTP - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000

(Repeat for UDP access)

And then your allow rule for anything else:
permit ip any any log rule-precedence 10


Then, in the WLAN profile, enter:
use ip-access-list in "Name of Rule created to block"

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
mario123na
New Contributor

ā€Ž02-08-2019 05:07 PM

Thanks, yes, When I saw your answer, I look my configuration and this part is wrong, deny tcp 192.168.1.0/24 eq 80, I bad use the port to exit, since it was to place all the output ports,
finally the rule was as you mention, It is work now
0 Kudos

Go to solution
ckelly
Extreme Employee

ā€Ž02-08-2019 04:48 PM

Mario, the IP ACL should look like this:
(Looking at what you have and what I'm stating, it appears that your setup SHOULD be working)

If your RFS4000 is 10.10.1.210 and you want to keep wireless users on the 192.168.1.0/24 network from access the controller, it would look like this:

(For HTTPS - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq https log rule-precedence 1 rule-description Block HTTPS wireless access to RFS4000

(For HTTP - TCP)
deny tcp 192.168.1.0/24 host 10.10.1.210 eq http log rule-precedence 2 rule-description Block HTTP wireless access to RFS4000

(Repeat for UDP access)

And then your allow rule for anything else:
permit ip any any log rule-precedence 10


Then, in the WLAN profile, enter:
use ip-access-list in "Name of Rule created to block"
0 Kudos

Go to solution
mario123na
New Contributor

ā€Ž02-08-2019 04:19 PM

Sorry my last command is bad this is my really command

rfs4000-FB845F(config-wlan-fabril-wiffi)#use ip-access-list in DenyAcces_in
0 Kudos
GTM-P2G8KFN