CommScope RUCKUS Community Forums

jos_vens · ‎05-28-2014

Hi

I want to restrict clients to de Default Gateway by putting a checkbox to Client Isolation with whitelist (9.7), but it is not working like in version 9.6.
Problem is: what do I whitelist? If I whitelist the default gateway (only), I don't get an IP-address from DCHP, if I whitelist DHCP-server, I can access shares since it is also file server.
I tested it thoroughly. If I upgrade from 9.6 to 9.7, the radio button from 9.6 is changed to a whitelist named mpff without any rule (which is not possible to set manually).
Any help is appreciated to get the same feature as in 9.6

thanks
Jos Vens

ict_lyceum · ‎05-28-2014

We have the same problem.
That's why we don't upgrade yet.

Image_ images_messages_5f91c41a135b77e2479653c4_f550ff57bdd2e1fcf275c7321500f0d6_9.6isolation_inline-61e9e6fd-e732-47b6-9783-2785a706c450-628881101.jpg1401268829

Full client isolation is very important and we want it to work.

The manual does not give a very good explanation we think.
You can make whitelists but if we add our DHCP/DNS we also expose our shares (cause the machine is both Active Directory, DHCP, DNS AND FILESERVER)

How do we fix this?

rafael_van_den_ · ‎06-17-2014

All you need to do is create a Whitelist and then select both the Isolate wireless client traffic from other clients on the same AP and the Isolate wireless client traffic from all hosts on the same VLAN/subnet. But Before you do that you need to create a whilte list by going to Configure/ Access control. On the White list section go ahead and select create new and then name it. Once named in that field you will see another create new in that same window. Add the Devices name and the IP address of your DHCP POOL DG. Also you will need to add the MAC address of the network card on your router that the DHCP addresses are tunneling out of. Then select ok. Once that is done go back to the WLAN. Hit edit and select both of the above for the Full Client Isolation. On the drop down box select the Whitelist name that you just created and hit ok. What this does is create full Client Isolation for the Guests to not be able to talk to one another.

I Forgot one thing. You need to go to Configure and Guest Access. You will need to Allow your ZD to pass traffic to your Router. So in the Restricted Subnets. You will need to create a new one. Select it to be number 1 and allow it. In the field where it asks you to put in a IP address do the DG of your Guest DHCP Pool followed by a /32. This will only allow your ZD to talk to the Router.

You will need to do the following for each WLAN/Vlan and DHCP Pool. I tested this today and when I go to no FClientIsoloation I can ping other People on the network. When I enable it with the whitelist, I can no longer Ping client devices.

Hope this helps as I spent so many hours figuring it out. I am not sure why Ruckus made the change!

jos_vens · ‎06-18-2014

Hi Rafael

thanks for your deep testing. Tomorrow, we will try it out, but one thing can still be a problem: you say the router is dhcp.
Problem we have is: server = dhcp, not the router, so if we whitelist the dhcp-server, we give access to the server, and that's just what we want to avoid.

Could it be a solution to whitelist DHCP-server and to make an access control that allows DHCP-protocol?

I'm not sure, we will test it and let you know the solution!
Thanks again,
Jos Vens

andrew_mccartne · ‎06-19-2014

I am trying this using the Virtual mac and IP address of the Default Gateway (Firewall cluster) in the Whitelist and it does not work.
Internet access and DHCP all come through this interface.
Has anybody else had this problem?

CommScope RUCKUS Community Forums

Full Wireless Client Isolation