Isolating a Guest WLAN without VLANs or Tunneling

When creating a Guest WLAN, it is important to protect clients from each other.  It is even more important to isolate the Guest WLAN traffic from internal networks.  Two methods for handling this are VLANs and tunneling.  But if neither of these is possible (due to switch limitations), or if they are not desirable, it is possible to use ACLs to isolate the Guest WLAN while still allowing access to the Internet.

Configuring this within cnMaestro is fairly straightforward.  Within the Guest WLAN, configure an Access Control List.  Pay careful attention to the precedence order set.  The screen shot below is an example of an ACL that provides this security.

In this example:

- The Guest WLAN subnet is 192.168.15.0/24

- The DNS server is 192.168.15.1

The first two entries allow DHCP responses into the Guest WLAN.  In most cases, DHCP uses UDP, but TCP is used by some systems.  As such, it is wise to include both in the ACL.

The next two entries allow traffic between the Guest WLAN subnet and the DNS server.  If more than one DNS server is used, two entries need to be added for each one.

The next three entries deny traffic to private address subnets.  It is not necessary to add all three entries if the internal subnets to be protected are not using all of these address spaces, but it is a good practice to always include all three.  This will maintain protection if they are used at a later time.  If more than one subnet is used for Guest WLANs, these three entries should be replicated for each subnet used.  This does bring up a good point.  It is important when using ACLs to isolate Guest traffic from internal traffic to define a separate Guest subnet.

The last entry allows all other TCP traffic to and from the Guest WLAN subnet.  Internet traffic is TCP-based.

There is an implicit deny for anything not specified within the Access Control List.  It is very important to pay attention to the precedence order, because decisions as to whether traffic is permitted or denied are made in order.  If a packet is allowed in precedence 2 but denied in precedence 3, that packet will be allowed.  If the order is reversed, it will be denied.  The first line that matches the packet is the one that defines what is done with it.
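To make the first-match behaviour concrete, here is an added example (not from the original post or from cnMaestro) that models the eight entries described above as an ordered list and evaluates sample packets against it.  The exact match fields are assumed from the description: DHCP responses are modelled as traffic to client port 68, the DNS entries match any protocol, and the three private ranges are the RFC 1918 blocks; the last function shows what happens when the catch-all TCP permit is placed ahead of the private denies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GUEST = ipaddress.ip_network("192.168.15.0/24")   # Guest WLAN subnet (from the post)
DNS = ipaddress.ip_network("192.168.15.1/32")     # DNS server (from the post)
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed "private" entries


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# Precedence order reconstructed from the post (entries are assumptions, not a cnMaestro export)
GUEST_ACL = [
    Rule("permit", "udp", ANY, GUEST, 68),                          # 1: DHCP responses (UDP)
    Rule("permit", "tcp", ANY, GUEST, 68),                          # 2: DHCP responses (TCP)
    Rule("permit", "any", GUEST, DNS),                              # 3: Guest -> DNS server
    Rule("permit", "any", DNS, GUEST),                              # 4: DNS server -> Guest
    *[Rule("deny", "any", GUEST, ipaddress.ip_network(p)) for p in RFC1918],  # 5-7: internal
    Rule("permit", "tcp", GUEST, ANY),                              # 8: remaining TCP to Internet
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, precedence) of the first matching entry; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for precedence, r in enumerate(acl, 1):
        if r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, precedence
    return "deny", None


def misordered():
    """Same entries, but the catch-all TCP permit moved ahead of the three private denies."""
    return GUEST_ACL[:4] + [GUEST_ACL[7]] + GUEST_ACL[4:7]


if __name__ == "__main__":
    print(evaluate(GUEST_ACL, "tcp", "192.168.15.20", "10.0.0.5", 445))       # ('deny', 5)
    print(evaluate(GUEST_ACL, "udp", "192.168.15.20", "192.168.15.1", 53))    # ('permit', 3)
    print(evaluate(misordered(), "tcp", "192.168.15.20", "10.0.0.5", 445))    # ('permit', 5)
```

Note that the DNS server sits inside 192.168.0.0/16, so the DNS permits only work because they precede the private deny; the ICMP case below shows the implicit deny catching anything the entries do not name.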

The attached file provides screen shots for configuring a Guest WLAN, to include using the Guest Portal in cnMaestro.

