Client isolation without private network filtering

Client isolation without private network filtering

Client isolation without private network filtering
Client isolation without private network filtering
3 weeks ago - last edited 3 weeks ago
Model: EAP660 HD  
Hardware Version: V1
Firmware Version:

Hello,

I recently deployed a custom captive portal implementation for our guest network of six Omada APs, unfortunately clients were unable to access the landing page running on a 10.x.x.x IP after connecting to the guest SSID. It seems when "Guest Network" is enabled on an SSID, the APs are also doing some kind of traffic filtering, as soon as I unchecked Guest Network, the portal started working again but obviously this means clients can also see each other. To get it working with Guest Mode enabled, I ended up hijacking a public IP and NATting client requests to it to the internal 10.x.x.x IP for authorization, which is obviously not ideal.

 

Is there a way to only have the client isolation portion of Guest Network take effect, or to customize what is being filtered? DNS and DHCP were getting through fine, but HTTP and HTTPS seem to be blocked.

  0      
  0      
#1
Options
1 Accepted Solution
Re:Client isolation without private network filtering-Solution
3 weeks ago - last edited 3 weeks ago

Hi  @TLnet 

 

This is because the portal authentication requires continuous interaction with the controller, while with the guest network enabled, they will be blocked by all private IP addresses. and the controller is also included.

 

Solution:

Create an Allow ACL, and put it on the top of the ACL list:

Source: the Guest SSID

Destination: The controller IP address.

Policy: Allow/Permit

 

Detailed steps, please refer to the following link:

How to allow guest network to access specific device on the main network by configuring EAP ACL?

Recommended Solution
  0  
  0  
#2
Options
2 Reply
Re:Client isolation without private network filtering-Solution
3 weeks ago - last edited 3 weeks ago

Hi  @TLnet 

 

This is because the portal authentication requires continuous interaction with the controller, while with the guest network enabled, they will be blocked by all private IP addresses. and the controller is also included.

 

Solution:

Create an Allow ACL, and put it on the top of the ACL list:

Source: the Guest SSID

Destination: The controller IP address.

Policy: Allow/Permit

 

Detailed steps, please refer to the following link:

How to allow guest network to access specific device on the main network by configuring EAP ACL?

Recommended Solution
  0  
  0  
#2
Options
Re:Client isolation without private network filtering
3 weeks ago

Thanks, this seems to work fine. I didn't expect the ACL to work without an Omada router but it indeed applies to the EAPs directly. It would still be nice if we could see the default rules somewhere, since at the very least DHCP and DNS doesn't seem to be blocked and having more control over this would be great.

  0  
  0  
#3
Options