Lockdown OC200 Management Page when using Authentication Portal

2024-08-10 09:29:15 - last edited 2024-08-10 10:26:07
Model: OC200  
Hardware Version:
Firmware Version: 5.7.6

My network setup (simplified) is as follows:

ER605 -> Switches -> OC200 & EAPs

 

All the devices are adopted by the OC200.


I've enabled Management VLAN for Switches and APs. This VLAN ID isn't 1.

OC200 is left in VLAN 1.

In Wireless Networks I've set up the SSID to use another VLAN reserved for wireless clients.

In Network Security -> ACL I've set up a rule denying traffic from the Client VLAN to the Management VLAN.

 

This setup sort of works, since wireless clients can't see the switch/AP management pages.

 

I need portal authentication for WLANs, so clients should have access to the VLAN the OC200 is on.

The default port used for captive portal is 8088.

How do I make the wireless clients have access to this port, while blocking all other traffic like access to OC200's management webpage (assuming it's on 443 by default)?

 

I don't see any way to block traffic to a specific IP/port in LAN->LAN direction ACLs.

 

There is an option in ACLs to block traffic to the Gateway Management Page, but that means the router, and enabling that ACL breaks automatic detection of Captive Portals by wireless clients. I have to manually visit the OC200's IP address to bring up the captive portal authentication page.

 

I did try using the Network Security -> URL Filtering -> EAP Rules to block the "https://<OC200 IP>/<Long ID>/login" page, but that doesn't seem to do anything (doesn't even block www.google.com).

 

Edit: The Gateway Management Page issue is solved. I was denying all protocols previously. Denying just TCP fixes the issue - clients can't see the management page, but can detect the Captive Portal.

Note: The "block traffic to gateway" ACL should be above "block traffic to other VLANs" ACLs.

#1
1 Accepted Solution
Re:Lockdown OC200 Management Page when using Authentication Portal-Solution
2024-08-10 09:54:10 - last edited 2024-08-10 10:09:27

  @Inforbits 

 

Since you cannot allow individual ports between VLANs, I have done it this way.
First I close all ports between VLANs,
so I have created a port NAT into the controller from the public IP.
Then I can reach the port via NAT hairpinning from all VLANs.
Then I have redirected the portal website to the public IP or an FQDN that I use, for example myportal.portal.net.
Then portal users get access to the portal via NAT hairpinning / NAT loopback.

 

 

 

Recommended Solution
#2
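A client-side check for the exposure this thread is after, added here and not part of the thread or of TP-Link's software: run from a host in the wireless-client VLAN, it reports whether the OC200's captive portal (8088) answers while the management page (443) does not, for both the original poster's direct model and the NAT-hairpin model in the accepted answer. The IP addresses are placeholders; the open/refused/filtered distinction is standard TCP behaviour, not something the thread states.

```python
"""Check what a wireless-client VLAN host can reach on the OC200 (added example,
not from TP-Link or the thread; the IPs are placeholders, the ports are the
thread's: 8088 = captive portal, 443 = management web page)."""
import socket

OC200_IP = "192.0.2.10"     # placeholder for the controller's LAN address
PUBLIC_IP = "198.51.100.1"  # placeholder for the router's WAN address

# Expected view from the client VLAN. OP's goal: portal reachable directly,
# management page blocked. Accepted answer: nothing on the OC200 reachable
# across VLANs; the portal is only reached through the NAT hairpin.
POLICY_DIRECT = {OC200_IP: {8088: True, 443: False}}
POLICY_HAIRPIN = {OC200_IP: {8088: False, 443: False}, PUBLIC_IP: {8088: True}}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused' or 'filtered' for one TCP connect attempt.
    'refused' means the host answered with RST, so no ACL is dropping the
    traffic; 'filtered' (timeout) is what a deny rule normally looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, network unreachable
        return "filtered"


def verify_exposure(observed: dict, policy: dict) -> list:
    """Compare observed {host: {port: state}} with the policy; list violations.
    A port the policy wants blocked must be 'filtered': 'refused' still proves
    the client VLAN reaches the controller, so it counts as a violation."""
    violations = []
    for host, ports in policy.items():
        for port, should_be_open in ports.items():
            state = observed.get(host, {}).get(port, "filtered")
            want = "open" if should_be_open else "filtered"
            if state != want:
                violations.append(f"{host}:{port} is {state}, policy wants {want}")
    return violations


def audit(policy: dict, timeout: float = 2.0) -> list:
    """Probe every host/port named in the policy and return the violations."""
    observed = {host: {port: probe_tcp(host, port, timeout) for port in ports}
                for host, ports in policy.items()}
    return verify_exposure(observed, policy)


if __name__ == "__main__":  # run from a host in the wireless-client VLAN
    print("\n".join(audit(POLICY_HAIRPIN) or ["policy satisfied"]))
```

Run it once before and once after changing the ACL or NAT rules; an empty result means the client VLAN sees exactly what the chosen policy allows.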
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-10 10:18:44

  @MR.S Thank you so much, this is exactly what I was looking for.

 

I did it a bit differently though: I implemented a new rule in Transmission -> NAT with:

Source IP: Any
Interface: WAN
Source Port: 1-65535
Destination IP: <OC200's IP>
Destination Port: 8088
Protocol: All

#3
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-10 10:27:02

  @Inforbits 

 

Ok, my NAT looks like this:

and the portal redirect looks like this:

 

#4
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-12 18:07:14

  @MR.S 

 

Hello, I have a situation like this one, but now that I followed your config, bad luck for me: nothing's changed, I can't access my portal page.

#5
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-12 18:47:24

  @MrAlab Yeah the NAT forwarding is a bit iffy at times (multiple posts on this).

 

I'm thinking a more reliable option would be to put the OC200 in its own separate VLAN with no other devices. Then use EAP ACLs to block the OC200's management pages with IP-Port group blocks. The only other management page would be the router's, which'll be blocked with a Gateway ACL.

 

Just a theory, I haven't tested it on my setup yet.

#6
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-12 20:00:43 - last edited 2024-08-12 20:07:04

  @MrAlab 

 

If it doesn't work, it must be something with NAT loopback. I have an ER8411 and it works very well. I don't really have an answer to the problem you have; the only thing I have done is what you can see in the picture in the post above.

 

This seems more like a router problem than a controller problem, then. Perhaps @Clive_A has more info about NAT loopback on other router models and can help us a bit?

 

 

#7
Re:Lockdown OC200 Management Page when using Authentication Portal
2024-08-13 08:09:36

  @Inforbits 

 

Ok everyone,

 

I've tested a bit more with NAT loopback. I don't have an ER605, but I tested on an ER706W.
It looks like the ER706W does not work the same way as the ER8411.


Test on ER706W
When I do NAT to a device on the default LAN, I can reach it by typing the public IP in my browser when my computer is connected to the default LAN. When my computer is connected to a VLAN, NAT loopback does not work.

 

On the ER8411, NAT loopback from all VLANs works.
Why it is so I do not know.

 

 

 

#8