New Member
Posts: 17
Registered: ‎09-07-2017
Kudos: 3
Solutions: 1
Accepted Solution

Guest In Firewall Rules - do they only apply if a USG is in the same site?

I have one controller with multiple sites.

I have one site with a USG + several AP's and I can see in the Guest In rules "Allow DNS packets to external name servers" etc.
At another site, I don't have a USG but I do have several AP's. There are no Guest In rules here.
There is a Guest network set up at both.
Is this expected behavior? I was hoping to add a firewall exception in "Guest In" to allow access to one specific internal server that would normally be excluded by Post-Auth restrictions.
Any help appreciated.


Accepted Solutions
SuperUser
Posts: 8,169
Registered: ‎01-05-2012
Kudos: 2169
Solutions: 1074

Re: Guest In Firewall Rules - do they only apply if a USG is in the same site?

Guest Policy, on an APs-only network, allows DNS and DHCP packets and denies access to the whole private address space. If you want an address to be reachable from within your 'Guest' network, you have to declare that IP address, with a /32 mask, in 'Pre-Authorization access'. That IP address will be reachable even by unauthenticated hosts.
You can take a look by connecting to one AP via SSH and issuing:
ebtables -t nat -L
Cheers,
jonatha
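
As an added illustration (not code from the post or from UniFi), a small Python model of the guest policy jonatha describes: DNS and DHCP allowed, the private address space denied, and a /32 'Pre-Authorization access' entry reachable by unauthenticated clients as well. The rule order, the captive-portal deny for unauthenticated internet traffic, and the sample addresses are assumptions; the real policy is the ebtables rule set on the AP.

```python
"""Illustrative model of the UniFi AP-only guest policy (assumption-based).

Not UniFi firmware code: the real policy is the ebtables nat table shown by
`ebtables -t nat -L` on the AP. Rule order and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Whole private address space, which guests are denied by default.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORT, DHCP_SERVER_PORT = 53, 67


@dataclass
class GuestPolicy:
    # 'Pre-Authorization access' entries; each must be a /32 host address.
    pre_auth: list = field(default_factory=list)

    def __post_init__(self):
        nets = [ipaddress.ip_network(e) for e in self.pre_auth]
        bad = [str(n) for n in nets if n.prefixlen != 32]
        if bad:
            raise ValueError(f"pre-auth entries must be /32 hosts: {bad}")
        self.pre_auth = nets

    def decide(self, dst_ip: str, dst_port: int, authenticated: bool) -> str:
        """Return the verdict for one guest-originated packet."""
        dst = ipaddress.ip_address(dst_ip)
        # Pre-auth hosts are reachable before and after portal login, so a
        # server listed here is exposed to every client on the guest SSID.
        if any(dst in n for n in self.pre_auth):
            return "allow:pre-auth"
        # Infrastructure traffic the guest needs to get an address and resolve names.
        if dst_port in (DNS_PORT, DHCP_SERVER_PORT):
            return "allow:dns-dhcp"
        # Everything else in the private address space is blocked for guests.
        if any(dst in n for n in RFC1918):
            return "deny:private"
        # Internet traffic; on a captive-portal network it still needs login (assumed).
        return "allow:internet" if authenticated else "deny:unauthenticated"


if __name__ == "__main__":
    # Constructed sample: one internal server declared as a /32 pre-auth entry.
    policy = GuestPolicy(pre_auth=["10.0.0.50/32"])
    for ip, port, auth in [("10.0.0.50", 443, False), ("10.0.0.51", 443, True),
                           ("10.0.0.1", 53, False), ("203.0.113.10", 443, True)]:
        print(ip, port, "authenticated" if auth else "guest", "->",
              policy.decide(ip, port, auth))
```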
