12-19-2013 01:36 AM - edited 12-19-2013 01:37 AM
I have an MSM720 WLAN Controller. The goal is two SSIDs: one for employees (VLAN 7) and one for guests (with HTML authentication) (VLAN 8).
I configured the controller with the "Configure initial controller settings". The "Access network" was set to the IP 10.160.6.2/24 and is untagged in VLAN 6 on the core switch port. The "Internet network" was configured with the IP 10.160.8.2/24 with gateway 10.160.8.1 (Internet router/firewall). DNS was set to 22.214.171.124 and 126.96.36.199. The "Internet network" port (port 5) was untagged in VLAN 8. All access points are untagged in VLAN 6 and tagged in VLAN 7 and get an IP via DHCP from my "Internet router/firewall".
After that, I created a new "Network profile" for VLAN 7 named "employees". Then I created a new wireless network for employees with the wizard. I set up the SSID and ticked the "Network Profile" "employees" at the point "Send traffic to:" to get this traffic into VLAN 7. Except for wireless security, all settings are default. This network works just fine. I get an IP via DHCP from my Internet router/firewall from VLAN 7 and can access the Internet.
After that, I created a second wireless network for guests with the same wizard. I named the SSID "guests", configured "guest authentication" for local user accounts on the controller and set up the controller to act as a DHCP server with the range 192.168.1.1 - 192.168.1.254 and mask 255.255.255.0.
I tried the guest WLAN and all seems to work fine. I get a 192.168.1.x IP address, get the login page and can access the Internet after successful login. On my firewall port for VLAN 8 I see only the "Internet network" IP 10.160.8.2 as source IP.
The problem now is that I am able to ping the following IPs:
- 10.160.6.2 (Controller Access network IP)
- 10.160.8.2 (Controller Internet network IP)
- 10.160.8.1 (Internet Router/Firewall IP)
What is much more "unfortunate" is that I can access the controller management site from the guest WLAN if I type the controller IP into my browser.
I am not sure, first, whether my setup is OK and, second, where my mistake is hidden.
Thank you for any tip or advice.
12-19-2013 12:04 PM
Just to verify, on the guest VSC, you have the "Always tunnel client traffic" enabled, correct?
By default, you WILL be able to ping the IP addresses of the network controller for both the Access port and the Internet port, even from the guest network. This is NORMAL.
Even being able to ping 10.160.8.1 is normal too. The bigger concern is: can you ping devices on the 10.160.6.x network or the 10.160.7.x network -- I'm guessing you can't -- when connected to the guest wireless?
Also remember, you CAN set up ACLs on the wireless controller too via the Public Access -> Attributes page. Here you can put in deny statements as necessary to prevent access to your internal network. However, since (from what I can tell by your description) the Internet port of your MSM is plugged directly into your firewall (maybe on a DMZ interface?), you're probably more than good to go.
If you want to turn OFF the ability for guest users to get into the MSM controller's web interface, that would be done from Management -> Management Tool, where you can DESELECT the interfaces of your choice!
Hope that helps.
Source One Technology, Inc.
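The reply above recommends deny statements on the controller, and the original poster reports that a deny on 10.x.x.x still left the controller and firewall addresses pingable. The following is an added example (not code from the thread, HP, or the MSM product) that models the generic first-match semantics most ACLs use and audits the addresses named in the thread against the intended guest policy. The rule syntax ("deny 10.0.0.0/8") is a constructed, generic form and is not the MSM's Public Access attribute syntax; the controller's own interface addresses are treated as expected to answer, as the reply states, so the audit only flags what the intended policy would deny yet was still reachable. It also shows why a catch-all permit placed before the deny lines leaves the private ranges wide open.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # destination prefix the rule covers


def parse_rule(text: str) -> Rule:
    """Parse a constructed rule line such as 'deny 10.0.0.0/8' (generic syntax, not the MSM's)."""
    action, cidr = text.split()
    action = action.lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(action, ipaddress.ip_network(cidr, strict=False))


def evaluate(rules: List[Rule], dst_ip: str, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose prefix contains dst_ip decides."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if dst in rule.network:
            return rule.action
    return default


def audit(rules: List[Rule], reachable: Iterable[str], exempt: Iterable[str] = ()) -> List[str]:
    """Return observed-reachable destinations that the intended policy denies,
    minus addresses expected to answer anyway (e.g. the controller's own interfaces)."""
    exempt_set = set(exempt)
    return [ip for ip in reachable
            if ip not in exempt_set and evaluate(rules, ip) == "deny"]


# Intended guest policy from the thread: block the private ranges, allow everything else.
INTENDED = [parse_rule(r) for r in (
    "deny 10.0.0.0/8",
    "deny 172.16.0.0/12",
    "deny 192.168.0.0/16",
    "permit 0.0.0.0/0",
)]

# Same rules with the catch-all permit first: a common ordering mistake that
# makes the deny lines unreachable under first-match semantics.
MISORDERED = [INTENDED[-1]] + INTENDED[:-1]

# Addresses the original poster reports as pingable from the guest WLAN,
# plus the first DNS server from the post as a public destination (constructed sample).
OBSERVED = ["10.160.6.2", "10.160.8.2", "10.160.8.1", "22.214.171.124"]

# The controller's own interface addresses, which the reply says are normally reachable.
CONTROLLER_IPS = ["10.160.6.2", "10.160.8.2"]

if __name__ == "__main__":
    # Only the firewall address remains as "denied by policy, yet reachable".
    print("unexpected:", audit(INTENDED, OBSERVED, exempt=CONTROLLER_IPS))    # ['10.160.8.1']
    # With the permit-any first, nothing is flagged because nothing is ever denied.
    print("misordered:", audit(MISORDERED, OBSERVED, exempt=CONTROLLER_IPS))  # []
```

Run the script after a ping sweep from a guest client and compare its output with the intent of the deny lines; an empty result from a policy that is supposed to deny something is the signature of a rule-order problem rather than a working ACL.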
12-19-2013 01:06 PM
Thank you for your reply.
Yes, "Always tunnel client traffic" is enabled for the guest wireless network. For the "employees" network it is not enabled.
I cannot ping devices in the other VLANs. I can only ping the controller IP 10.160.6.2. The gateway in VLAN 6, for example (10.160.6.1), is not pingable.
I tried to work with ACLs as described in an HP guide and tried to deny access to private networks (10.x.x.x). Unfortunately the guest wireless clients were still able to ping the IPs.
Yes. I just want to turn off management for my guest users. The ability to ping the controller's IPs is not really a problem for me or my customer.
Unfortunately I am not able to change the setting you advise right now. The device is at the customer's site.
But do I understand correctly that I can DISABLE management for specific interfaces? So I can DESELECT the "Access network port" and "Internet network port" and use a third custom port/network for management, which I place in my production network?
Please give a short reply if I understand correctly.
Then I will try to change the setting.
12-19-2013 01:30 PM
Source One Technology, Inc.