https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17860#M4731 if this is not enough you will be forced to do this all on the ICX switch Tue, 22 Jan 2019 12:34:23 GMT 1said_sanoussi 2019-01-22T12:34:23Z https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17858#M4729 I have a gateway router which connects to a Ruckus ICX switch (running the Router image), which in turn has two Ruckus Unleashed APs connected to it.<BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" />I would like to configure a wireless network which cannot access devices on my LAN, but which CAN be reached and managed by a device on my LAN. These would be untrusted IoT devices that run services which need to be accessible, but which do not need to initiate connections to other systems.<BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" />I'm thinking the Unleashed AP ACLs aren't granular enough for this type of configuration, and I'd instead need to configure a VLAN and implement a Firewall somewhere along the path.<BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" />Is there a way to achieve this configuration with the equipment that's already in place?<BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" />Thanks in advance! Tue, 22 Jan 2019 11:53:31 GMT https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17858#M4729 sean_wallace_i6 2019-01-22T11:53:31Z https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17859#M4730 <P alt="" name="" rel="" target="" title="" type="" value="">When Wireless Client Isolation is enabled on a WLAN, all communication between clients and other local devices is blocked at the Access Point.</P><P alt="" name="" rel="" target="" title="" type="" value="">To prevent clients from communicating with other nodes, the Access Point drops all ARP packets from stations on the WLAN where client isolation is enabled and which are destined to IP addresses that are not part of a per-WLAN white list.</P><P alt="" name="" rel="" target="" title="" type="" value="">You can create exceptions to client isolation (such as allowing access to a local printer, for example) by creating Client Isolation Whitelists.</P><P alt="" name="" rel="" target="" title="" type="" value="">To configure a Client Isolation Whitelist:</P><BR alt="" name="" rel="" target="" title="" type="" value="" /><OL alt="" name="" rel="" target="" title="" type="" value=""><LI alt="" name="" rel="" target="" title="" type="" value="">Go to&nbsp;WiFi Networks &gt; Advanced Options &gt; Others.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">Select both check boxes under&nbsp;Wireless Client Isolation. (Isolate wireless clients from other clients on the same AP, and from all hosts on the same VLAN/subnet).</LI><LI alt="" name="" rel="" target="" title="" type="" value="">Click&nbsp;Create Whitelist.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">Enter a&nbsp;Name&nbsp;and optionally a&nbsp;Description&nbsp;for the access policy.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">In&nbsp;Rules, you can create multiple device-specific rules for each device to be white listed.<UL alt="" name="" rel="" target="" title="" type="" value=""><LI alt="" name="" rel="" target="" title="" type="" value="">Description: Description of the device.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">MAC Address: Enter the MAC address of the device.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">IPv4 Address: Enter the IP address of the device.</LI></UL></LI><LI alt="" name="" rel="" target="" title="" type="" value="">Click&nbsp;Save&nbsp;to save the rule you created.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">To change the order in which rules are implemented, select the order from the drop-down menu in the Order column. You can also&nbsp;Edit&nbsp;or&nbsp;Clone&nbsp;rules from the&nbsp;Action&nbsp;column. To delete a rule, select the box next to the rule and click&nbsp;Delete.</LI><LI alt="" name="" rel="" target="" title="" type="" value="">Click&nbsp;OK&nbsp;to save the white list.</LI></OL><A alt="" href="https://docs.ruckuswireless.com/unleashed/200.2/t-ConfigClientIsolationWhitelist.html" name="" rel="nofollow" target="" title="" type="" value="">https://docs.ruckuswireless.com/unleashed/200.2/t-ConfigClientIsolationWhitelist.html</A><BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" /><BR alt="" name="" rel="" target="" title="" type="" value="" /> Tue, 22 Jan 2019 12:33:31 GMT https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17859#M4730 1said_sanoussi 2019-01-22T12:33:31Z https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17860#M4731 if this is not enough you will be forced to do this all on the ICX switch Tue, 22 Jan 2019 12:34:23 GMT https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/Ruckus-Unleashed-Managing-Clients-on-Isolated-Networks/m-p/17860#M4731 1said_sanoussi 2019-01-22T12:34:23Z