E600 ACL not working

I am trying to configure ACLs on a specific WLAN to only allow internet access, but cannot get it to work.

I have ports:

67,68 UDP set to PERMIT in both directions

53 UDP set to PERMIT in both directions

80 and 443 TCP set to PERMIT in both directions

With the above, devices do not get a DHCP address.

Any guidance on this would be great!

Hi,

Can you copy and paste your WLAN ACL? We shall be able to help.

I have attached my current rules.

I assume I need to allow what I want, then deny everything else at the end?

Hi Andrew,

Please allow DNS packets in the rule. It should work.

Regards

Anand

DNS is allowed I believe, UDP port 53.

Can you ping some public IP, e.g. 4.2.2.2? If not, what does tracert say?

Client does not get an IP so cannot do ping or tracert.

I have deleted all entries now, leaving only the DHCP ones. The client still does not get an IP, though.

If I connect to another WLAN with no ACL then I get an IP, so I know it is not a server issue.

Hi Andrew,

Can you please rearrange the rules the same as in the attached screenshot and give it a try.

Regards

Anand

I have tried the ACLs as per your picture but still no joy.

Obviously, if I change the last rule to Permit then it does work, but everything is allowed.

Andrew

Hi Andrew,

Can you share your AP techsupport to the email ID anv100@cambiumnetworks.com? I'll have a look.

Regards
Anand

I have invited you.

Thanks

Andrew

Hi Andrew,

I checked your configuration, exported the Visitors WLAN to my cnMaestro account and tried. I'm able to get an IP address for my clients. My setup is similar to yours: the DHCP server is sitting upstream of the AP. I did a packet capture on the WLAN and eth 1 to verify that the DHCP discover packets are exiting the interface.

Sharing the commands below:

E425-6EDEA1(config)# packet-capture wlan 1 udp

    1   00:00:00.000000 18:db:f2:23:9f:32 > 01:00:5e:7f:ff:fa, IPv4, length 179: (tos 0x0, ttl 4, id 35287, offset 0, flags [none], proto UDP (17), length 165)
    10.110.200.18.55355 > 239.255.255.250.1900: [udp sum ok] UDP, length 137
    2   00:00:00.208533 e4:a7:a0:d4:31:c2 > ff:ff:ff:ff:ff:ff, 802.1Q, length 373: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 40453, offset 0, flags [none], proto UDP (17), length 355)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 327
    3   00:00:00.208577 e4:a7:a0:d4:31:c2 > ff:ff:ff:ff:ff:ff, IPv4, length 369: (tos 0x0, ttl 128, id 40453, offset 0, flags [none], proto UDP (17), length 355)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 327
    4   00:00:00.211140 f8:0b:cb:98:a5:51 > e4:a7:a0:d4:31:c2, IPv4, length 377: (tos 0x0, ttl 255, id 63357, offset 0, flags [none], proto UDP (17), length 363)
    10.110.200.1.67 > 10.110.200.48.68: [udp sum ok] UDP, length 335
    5   00:00:00.248558 e4:a7:a0:d4:31:c2 > f8:0b:cb:98:a5:51, 802.1Q, length 87: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 14648, offset 0, flags [none], proto UDP (17), length 69)

E425-6EDEA1(config)# packet-capture eth 1 udp
 <SNIP>
   39   00:00:03.538336 18:db:f2:23:9f:32 > ff:ff:ff:ff:ff:ff, IPv4, length 92: (tos 0x0, ttl 128, id 30357, offset 0, flags [none], proto UDP (17), length 78)
    10.110.200.18.137 > 10.110.200.63.137: [udp sum ok] UDP, length 50
   40   00:00:03.553833 18:db:f2:23:9f:32 > ff:ff:ff:ff:ff:ff, IPv4, length 92: (tos 0x0, ttl 128, id 30358, offset 0, flags [none], proto UDP (17), length 78)
    10.110.200.18.137 > 10.110.200.63.137: [udp sum ok] UDP, length 50
   41   00:00:03.925263 e4:a7:a0:d4:31:c2 > ff:ff:ff:ff:ff:ff, IPv4, length 369: (tos 0x0, ttl 128, id 40454, offset 0, flags [none], proto UDP (17), length 355)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 327
   42   00:00:03.925437 e4:a7:a0:d4:31:c2 > 33:33:00:01:00:02, IPv6, length 166: (flowlabel 0x8d9b1, hlim 1, next-header UDP (17) payload length: 112) fe80::41f4:690:c919:6440.546 > ff02::1:2.547: [udp sum ok] UDP, length 104
   43   00:00:03.928014 f8:0b:cb:98:a5:51 > e4:a7:a0:d4:31:c2, IPv4, length 377: (tos 0x0, ttl 255, id 63358, offset 0, flags [none], proto UDP (17), length 363)
    10.110.200.1.67 > 10.110.200.48.68: [udp sum ok] UDP, length 335
   44   00:00:03.938358 e4:a7:a0:d4:31:c2 > f8:0b:cb:98:a5:51, IPv4, length 79: (tos 0x0, ttl 128, id 14685, offset 0, flags [none], proto UDP (17), length 65)
    10.110.200.48.50077 > 10.110.12.110.53: [udp sum ok] UDP, length 37

Regards
Anand

Unfortunately this still is not working.

I am away so cannot check the logs yet.

Did you import my config into the cloud cnMaestro? What AP firmware do you use?

Hi Andrew,

I imported the Visitors WLAN to my on-premise cnMaestro. The AP version is the same, 4.0-r17.

Regards

Anand

Hi.

These are my outputs from the packet capture:

E410-3870E2(config)# packet-capture wlan 4 udp dst port 67
    1   00:00:00.000000 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55308, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    2   00:00:00.018547 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55309, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    3   00:00:01.194286 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55310, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    4   00:00:04.013535 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55311, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    5   00:00:08.435882 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55312, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    6   00:00:09.448309 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55313, offset 0, flags [none], proto UDP (17), length 328)

E410-3870E2(config)# packet-capture eth 1 udp dst port 67
    1   00:00:00.000000 c0:56:e3:29:56:5f > ff:ff:ff:ff:ff:ff, IPv4, length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 548
    2   00:00:00.137338 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55314, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300
    3   00:00:00.177988 bc:3b:af:c3:c6:07 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 255, id 55315, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 300

E410-3870E2(config)# packet-capture eth 1 udp dst port 68
    2   00:00:08.537631 00:15:5d:01:38:01 > ff:ff:ff:ff:ff:ff, IPv4, length 344: (tos 0x0, ttl 128, id 9156, offset 0, flags [none], proto UDP (17), length 330)
    192.168.1.5.67 > 255.255.255.255.68: [udp sum ok] UDP, length 302
    3   00:00:09.544205 00:15:5d:01:38:01 > ff:ff:ff:ff:ff:ff, IPv4, length 344: (tos 0x0, ttl 128, id 9157, offset 0, flags [none], proto UDP (17), length 330)
    192.168.1.5.67 > 255.255.255.255.68: [udp sum ok] UDP, length 302

E410-3870E2(config)# packet-capture wlan 4 udp dst port 68
    1   00:00:00.000000 00:15:5d:01:38:02 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 128, id 30987, offset 0, flags [none], proto UDP (17), length 328)
    192.168.1.5.67 > 255.255.255.255.68: [udp sum ok] UDP, length 300

It appears to be passing all the correct ports but never passes the correct IP address to the device.
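The rule set described at the top of the thread (DHCP, DNS and HTTP/HTTPS permitted, everything else denied) and the packet-capture listings above can be checked together: parse the capture, count the DHCP frames in each direction, and replay every frame against the ACL to see which ones a deny-all tail would actually drop. The script below is an added example and is not code from the thread or from Cambium. It assumes first-match ACL semantics and that a "both directions" port rule matches the port as either source or destination; the capture lines, MAC addresses and IP addresses in it are constructed to follow the two-line format the thread shows.

```python
"""Replay a cnPilot-style packet-capture listing against a first-match WLAN ACL.

Added example, not code from the thread or from Cambium. The capture text below is
constructed to match the two-line format shown in the thread; the ACL mirrors the
rules the original poster described, with an explicit deny-all at the end.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header line: frame number, timestamp, src MAC > dst MAC, ..., proto NAME (num)
HDR = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<ts>[\d:.]+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),"
    r".*?proto (?P<proto>UDP|TCP) \(\d+\)"
)
# Flow line: src IP.port > dst IP.port:
FLOW = re.compile(
    r"^\s*(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    frame: int
    smac: str
    dmac: str
    proto: str
    sip: str
    sport: int
    dip: str
    dport: int


def parse_capture(text: str) -> List[Packet]:
    """Pair each IPv4 UDP/TCP header line with the flow line that follows it.
    IPv6 entries (which print 'next-header' instead of 'proto') and truncated
    entries with no flow line are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pkts: List[Packet] = []
    i = 0
    while i < len(lines):
        h = HDR.match(lines[i])
        f = FLOW.match(lines[i + 1]) if h and i + 1 < len(lines) else None
        if h and f:
            pkts.append(Packet(int(h["frame"]), h["smac"], h["dmac"], h["proto"],
                               f["sip"], int(f["sport"]), f["dip"], int(f["dport"])))
            i += 2
        else:
            i += 1
    return pkts


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: Optional[str]   # None = any protocol
    port: Optional[int]    # None = any port


# Assumed semantics: first matching rule wins, and a "both directions" port rule
# matches the port as either source or destination, so server->client replies
# (port 67 -> 68) hit the same rules as client requests (port 68 -> 67).
POSTER_ACL = [
    Rule("permit", "UDP", 67), Rule("permit", "UDP", 68),   # DHCP
    Rule("permit", "UDP", 53),                              # DNS
    Rule("permit", "TCP", 80), Rule("permit", "TCP", 443),  # web
    Rule("deny", None, None),                               # everything else
]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches, or 'deny' if none does."""
    for rule in acl:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.port is not None and rule.port not in (pkt.sport, pkt.dport):
            continue
        return rule.action
    return "deny"


def dropped_frames(acl: List[Rule], pkts: List[Packet]) -> List[int]:
    """Frame numbers the ACL would discard."""
    return [p.frame for p in pkts if evaluate(acl, p) == "deny"]


def dhcp_summary(pkts: List[Packet]) -> Dict[str, int]:
    """Count client->server (Discover/Request) and server->client (Offer/ACK) frames,
    splitting server replies by whether they were broadcast or unicast at layer 2."""
    out = {"to_server": 0, "to_client_broadcast": 0, "to_client_unicast": 0}
    for p in pkts:
        if p.proto != "UDP":
            continue
        if p.dport == 67:
            out["to_server"] += 1
        elif p.dport == 68:
            key = "to_client_broadcast" if p.dmac == "ff:ff:ff:ff:ff:ff" else "to_client_unicast"
            out[key] += 1
    return out


# Constructed sample capture (MACs, IPs and ids are made up, format follows the thread).
SAMPLE_CAPTURE = """\
    1   00:00:00.000000 aa:bb:cc:00:00:01 > 01:00:5e:7f:ff:fa, IPv4, length 179: (tos 0x0, ttl 4, id 1, offset 0, flags [none], proto UDP (17), length 165)
    10.0.0.18.55355 > 239.255.255.250.1900: [udp sum ok] UDP, length 137
    2   00:00:00.208533 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, 802.1Q, length 373: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto UDP (17), length 355)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length 327
    3   00:00:00.211140 aa:bb:cc:00:00:fe > ff:ff:ff:ff:ff:ff, IPv4, length 344: (tos 0x0, ttl 128, id 3, offset 0, flags [none], proto UDP (17), length 330)
    10.0.0.1.67 > 255.255.255.255.68: [udp sum ok] UDP, length 302
    4   00:00:00.248558 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:fe, IPv4, length 79: (tos 0x0, ttl 128, id 4, offset 0, flags [none], proto UDP (17), length 65)
    10.0.0.48.50077 > 10.0.0.53.53: [udp sum ok] UDP, length 37
    5   00:00:00.300000 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:fe, IPv4, length 74: (tos 0x0, ttl 128, id 5, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.48.51234 > 93.184.216.34.443: Flags [S], seq 0, win 64240, length 0
    6   00:00:00.400000 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, IPv4, length 92: (tos 0x0, ttl 128, id 6, offset 0, flags [none], proto UDP (17), length 78)
    10.0.0.48.137 > 10.0.0.255.137: [udp sum ok] UDP, length 50
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("DHCP frames:", dhcp_summary(pkts))                       # one Discover, one broadcast Offer
    print("frames the ACL would drop:", dropped_frames(POSTER_ACL, pkts))  # SSDP and NetBIOS only
```

Run against the sample, only the SSDP (1900) and NetBIOS (137) frames are denied while both halves of the DHCP exchange pass, which is the same conclusion the thread reaches: when Offers are visible on the WLAN side of the AP but the client never takes an address, the port rules are not what is blocking it, and the next thing to look at is how the Offer is delivered (the unicast DHCP setting changed at the end of the thread) rather than the ACL entries.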

Hi Andrew,

E410-3870E2(config)# packet-capture wlan 4 udp dst port 68
    1 00:00:00.000000 00:15:5d:01:38:02 > ff:ff:ff:ff:ff:ff, IPv4, length 342: (tos 0x0, ttl 128, id 30987, offset 0, flags [none], proto UDP (17), length 328)
    192.168.1.5.67 > 255.255.255.255.68: [udp sum ok] UDP, length 300

From the capture it's clear that the AP is bridging the DHCP offer to the client. It seems the client is not accepting the IP address. But from your earlier post, you mentioned that if the ACL is removed, the client gets an IP address. Can you please share the make and model of the client?

Regards
Anand

Hi.

I am using my Surface Laptop but have also tried multiple devices including iOS devices and Android.

Thanks

Hi Andrew,
I've changed the Unicast DHCP option in your cloud account. Please try again. If you still face the issue, I would suggest raising a support ticket. They will contact you for live troubleshooting.

Regards
Anand