Lockdown OC200 Management Page when using Authentication Portal
My network setup (simplified) is as follows:
ER605 -> Switches -> OC200 & EAPs
All the devices are adopted by the OC200.
I've enabled Management VLAN for Switches and APs. This VLAN id isn't 1.
OC200 is left in VLAN 1.
In Wireless Networks I've setup the SSID to use another VLAN reserved for wireless clients.
In Network Security -> ACL I've setup a rule denying traffic from Client VLAN to Management VLAN.
This setup sort of works, since wireless clients can't see the switch/AP management pages.
I need portal authentication for WLANs, so clients should have access to the VLAN the OC200 is on.
The default port used for captive portal is 8088.
How do I make the wireless clients have access to this port, while blocking all other traffic like access to OC200's management webpage (assuming it's on 443 by default)?
I don't see any way to block traffic to specific ip/port in LAN->LAN direction ACLs.
There is a option in ACLs to block traffic to Gateway Management Page, but that means the router, and enabling that ACL breaks automatic detection of Captive Portals by wireless clients. I have to manually visit the OC200's IP address to bring up the captive portal authentication page.
I did try using the Network Security -> URL Filtering -> EAP Rules to block the "https://<OC200 IP>/<Long ID>/login" page, but that doesn't seem to do anything (doesn't even block www.google.com).
Edit: The Gateway Management Page issue is solved. I was denying all protocols previously. Denying just TCP fixes the issue - clients can't see the management page, but can detect the Captive Portal.
Note: The "block traffic to gateway" ACL should be above "block traffic to other VLANs" ACLs.
