Unable to configure ACL to deny access to main VLAN yet maintain internet access

The E500s are connected to a default gateway 192.168.1.1; the Base E500 and E500 Mesh units acquire their IP from the default gateway on VLAN1 WLAN1 for the mesh units. Gateway-->DHCP-->E500--VLAN1-->WLAN2-->Mesh

I have created a VLAN2 for WLAN2 with DHCP for client access. E500-->VLAN2-->DHCP-->WLAN2--Clients

I do not want the clients on the VLAN2 network 10.10.10.0/255.255.255.0 to be able to connect, ping or see any devices on VLAN1 in the 192.168.1.0/255.255.255.0 network.

Issue:

Once I implement the ACL rules attached below, I lose internet access and I get assigned a 169.254.129.x IP address rather than a 10.10.10.x when I connect to the WLAN2 SSID.

What am I missing or not understanding about the ACL? I'd really appreciate the assistance.

Hi,

Can you share MESH BASE and MESH Client configuration files?

If I am correct, WLAN 2 profile is configured on MESH Client AP?

You can send to my mail id channareddy.ireddy@cambiumnetworks.com

With Regards,

Channareddy

We replicated your setup and found it working. The MESH Base AP and MESH client AP configurations are shared (please refer to attached ZIP file).

The setup is like this,

Backend Network ------E400 MESH Base  --------- E500 MESH Client  ---- WLAN 2 -VLAN 2-------- WLAN clients 

VLAN 1 Network: 10.110.72.0/24 

VLAN 1 Default Gateway: 10.110.72.254

MESH Base E400 AP:      VLAN 1 IP:       10.110.72.32 (through dhcp client)

MESH Client E500 AP:     VLAN 1 IP:      10.110.72.33 (through dhcp client)

DHCP Server running on MESH Client AP E500 on VLAN 2 Network: 10.10.10.0/24

MESH Client AP E500 VLAN 2 IP: 10.10.10.10/24 

1. MESH Profile is mapped to VLAN 1 on both the APs 

2. MESH Client E500 AP gets IP address from DHCP server running behind on MESH Base AP E400

3. On MESH Client AP E500

     3.1 WLAN 2 is mapped to VLAN 2

     3.2 DHCP Server is configured on VLAN 2 to serve IP address for WLAN 2 clients

     3.3 WLAN 2 is configured with IP ACL to prevent WLAN clients from accessing the back-end network connected to the MESH Base AP but allow internet access

     3.4 The ACL rule looks like

        acl deny ip 1 10.10.10.0/255.255.255.0 10.110.72.0/255.255.255.0 in

        acl permit ip 255 any any any

Note: in your case ACL rules shall be like this

        acl deny ip 1 10.10.10.0/255.255.255.0 192.168.1.0/255.255.255.0 in   (deny MU to access network behind MESH Base AP)

        acl permit ip 255 any any any
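An added example, not from the thread or from Cambium's firmware, that models how this precedence-ordered ACL evaluates traffic from a WLAN 2 client (the deny toward the VLAN 1 subnet is checked first, then the catch-all permit) and confirms the DHCP exchange needed for a 10.10.10.x lease is still permitted, since a 169.254.x address means no lease was obtained. It assumes first-match-in-precedence-order semantics and looks only at the client-to-AP ("in") direction; the subnet and client addresses are constructed sample values.

```python
import ipaddress

# The two rules from the reply above, as (precedence, action, src, dst).
# Assumption: rules are checked lowest precedence number first.
ACL = [
    (1, "deny", "10.10.10.0/255.255.255.0", "192.168.1.0/255.255.255.0"),
    (255, "permit", "any", "any"),
]


def _net(spec):
    """Turn 'any' or 'addr/mask' (dotted or prefix-length mask) into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def evaluate(src, dst, acl=ACL):
    """Return the action of the first rule matching an inbound packet src->dst.

    Falls back to 'permit' when nothing matches; the thread's rule set ends
    with 'permit any any', so that fallback is never reached here.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prec, action, s, d in sorted(acl, key=lambda rule: rule[0]):
        if src_ip in _net(s) and dst_ip in _net(d):
            return action
    return "permit"


# Constructed sample flows: a WLAN 2 client (10.10.10.150), the VLAN 1
# gateway (192.168.1.1), the AP's VLAN 2 DHCP server (10.10.10.10) and a
# public address standing in for "the internet".
FLOWS = {
    "client -> VLAN 1 gateway": ("10.10.10.150", "192.168.1.1"),
    "client -> internet": ("10.10.10.150", "8.8.8.8"),
    "DHCP discover (no lease yet)": ("0.0.0.0", "255.255.255.255"),
    "DHCP request to VLAN 2 server": ("10.10.10.150", "10.10.10.10"),
}


def evaluate_flows(flows=FLOWS):
    """Map each flow label to the ACL verdict for its packet."""
    return {label: evaluate(src, dst) for label, (src, dst) in flows.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_flows().items():
        print(f"{verdict:6s} {label}")
```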

Channareddy,

Thank you, I switched my ACL as you suggested and it works now.

precedence 1 Deny in 10.10.10.0/255.255.255.0   192.168.1.0/255.255.255.0

precedence 255 permit any any any

I will be using 5 E500s, 1 mesh base and 4 mesh clients. All five devices will be used as access points for clients in 2.4 WLAN 2.

Other than the Mesh Base WLAN1 setting, all units will be set up the same.

All five will have:

10.10.10.10 Static IP on VLAN2

DHCP Pool range 10.10.10.100 -10.10.10.220

WLAN2 will all have the same SSID on VLAN2

Hopefully I will not run into any roaming issues from AP to AP if each AP has the same identical DHCP pool and Static IP on VLAN2.

Thanks

Hi,

It will work; let us know if you get into any roaming-related issues.

With Regards,

Channareddy