
Need help with client isolation in unleashed mode

hpatel99
New Contributor III
In searching the forums for this particular issue I found many posts but the only one that seemed to describe my problem was this one.  

So I faithfully followed the steps suggested by Jo Vens, but other devices on the network are still visible, even if they are unreachable when pinged. 

Specifically the steps followed were:
1. Created whitelist - added router LAN port MAC address and LAN gateway IP
2. Created L3 ACL list - allow DNS, DHCP, HTTP & HTTPS
3. In WLAN Advanced options:
    - on the Access Control tab select L3 ACL list previously created
    - on the Others tab, select both Isolation check boxes and select the whitelist previously created

Saved and re-started the access points.

As stated, I am able to get to the internet and all, but other devices are still visible to applications like Fing on iOS.

I would've thought that the steps above would essentially give each device a pipe only to the internet, with nothing else on the network visible. 

What am I missing? 
4 REPLIES

hpatel99
New Contributor III
After playing around with this a bit more, it seems that: 

enabling guest mode, here
[screenshot]

disables the L3 ACL list selection here:
[screenshot]

which in turn means that total isolation of clients is not possible (in guest mode)?
[screenshot]

What am I missing?

paul_van_der_cr
Contributor
Enable all isolation boxes, and create a whitelist allowing access to DNS, DHCP and the default gateway; just check what a 'normal' client/device gets via DHCP. That should do the job, so just a whitelist, no other ACLs.

hpatel99
New Contributor III
Thanks for your reply!

What you suggested is actually what I had done first. Since my router provides the DHCP and DNS service to clients on the wifi network, I created a whitelist with the LAN IP address of the router and the MAC address of the LAN port on the router.

No ACL list was in effect. 

With both isolation check boxes selected, clients were able to get an IP address, and could not see any other devices on the network, but also could not get to the internet.

With just the first isolation checkbox selected, clients were able to get to the internet, but other devices on the AP were visible, though not reachable, at least when pinged. 
==========================

With the method (using the L3 ACL) given by Jo Vens, clients are able to get to the internet even with both isolation checkboxes selected. However, other devices/clients on the network are still visible. Also, this method does not work when Usage Type is set to "Guest Access".
===========================

Thanks. 

HP.

hpatel99
New Contributor III
After looking through virtually every post on this forum that has anything to do with client isolation, I've still been unsuccessful in getting it working. 

My goal is for clients connected to the WLAN in Guest Access mode to be able to get to the internet and just that. No other clients or devices on the same VLAN/subnet should be reachable or even visible.

I'm still hoping that someone has cracked this nut and can share their experience and give me some pointers to what I'm missing. 

Or at the very least, Ruckus can acknowledge that total client isolation is not possible when a WLAN is in Guest Access mode, and update their documentation accordingly.