Wireless Controller
Dedicated Wi-Fi control and management for high density and mobility
nsamuel (Staff)
Article Id 191373
Description

How to restrict all traffic from the Guest VLAN except HTTP and HTTPS


Scope

KB ARTICLE TYPE: Troubleshooting

RELATED PRODUCTS: NA

RELATED SOFTWARE VERSIONS: All versions

KEYWORDS: guest vlan, restrict


Solution

To block all traffic except HTTP and HTTPS from your Guest VLAN, the following firewall rules need to be created (assuming the Guest VLAN is 192.168.10.0/24):

1. To allow HTTP requests from the Guest network to the Internet (destination port 80)

ID                          : 1
Id Class flow class         : on
Destination IP              : 0.0.0.0
Destination IP match        : none
Destination IP flow class   : none
Destination Netmask         : 0.0.0.0
Destination Port            : 80
Destination Port match      : on
Destination Port flow class : none
Source IP                   : 192.168.10.0
Source IP match             : on
Source IP flow class        : none
Source Netmask              : 255.255.255.0
Source Port                 : 0
Source Port match           : none
Source Port flow class      : none
Network Protocol            : 0
Network Protocol match      : none
Network Protocol flow class : none
Firewall Filter ID          :
Filter Id match             : none
Filter Id Flow Class        : none
Packet minimum length       : 0
Packet Length match         : none
Packet Length flow class    : none
Packet maximum length       : 0
QoS Protocol                : sip
Average Packet Rate         : 0
Action                      : forward
Token Bucket Rate           : 0
Priority                    : 0
Traffic Control             : off
DiffServ Codepoint          : disabled
Qos Rule Logging            : off
Qos Rule Logging Frequency  : 60

2. To allow replies from web servers back to the Guest VLAN (source port 80)

ID                          : 2
Id Class flow class         : on
Destination IP              : 192.168.10.0
Destination IP match        : on
Destination IP flow class   : none
Destination Netmask         : 255.255.255.0
Destination Port            : 0
Destination Port match      : none
Destination Port flow class : none
Source IP                   : 0.0.0.0
Source IP match             : none
Source IP flow class        : none
Source Netmask              : 0.0.0.0
Source Port                 : 80
Source Port match           : on
Source Port flow class      : none
Network Protocol            : 0
Network Protocol match      : none
Network Protocol flow class : none
Firewall Filter ID          :
Filter Id match             : none
Filter Id Flow Class        : none
Packet minimum length       : 0
Packet Length match         : none
Packet Length flow class    : none
Packet maximum length       : 0
QoS Protocol                : sip
Average Packet Rate         : 0
Action                      : forward
Token Bucket Rate           : 0
Priority                    : 0
Traffic Control             : off
DiffServ Codepoint          : disabled
Qos Rule Logging            : off
Qos Rule Logging Frequency  : 60

3. Create the same pair of rules for HTTPS (port 443): one matching destination port 443 from the Guest VLAN and one matching source port 443 towards the Guest VLAN, both with action forward.

4. To block all other traffic, drop all traffic with network protocol 6 (TCP) originating from the Guest VLAN

ID                          : 3
Id Class flow class         : on
Destination IP              : 0.0.0.0
Destination IP match        : none
Destination IP flow class   : none
Destination Netmask         : 0.0.0.0
Destination Port            : 0
Destination Port match      : none
Destination Port flow class : none
Source IP                   : 192.168.10.0
Source IP match             : on
Source IP flow class        : none
Source Netmask              : 255.255.255.0
Source Port                 : 0
Source Port match           : none
Source Port flow class      : none
Network Protocol            : 6
Network Protocol match      : on
Network Protocol flow class : none
Firewall Filter ID          :
Filter Id match             : none
Filter Id Flow Class        : none
Packet minimum length       : 0
Packet Length match         : none
Packet Length flow class    : none
Packet maximum length       : 0
QoS Protocol                : sip
Average Packet Rate         : 0
Action                      : drop
Token Bucket Rate           : 0
Priority                    : 0
Traffic Control             : off
DiffServ Codepoint          : disabled
Qos Rule Logging            : off
Qos Rule Logging Frequency  : 60

5. You can also create a similar rule to drop all UDP (protocol 17) traffic from the Guest VLAN, if required.
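As an added example (not the KB article's own code, and not a controller feature), the script below parses a rule listing written in the same key/value format the controller prints above and evaluates a handful of constructed packets against steps 1 to 5. It assumes, since the article does not say so, that rules are checked in ID order, that the first matching rule decides, and that a packet matching no rule is forwarded; the rule IDs, the sample hosts (192.168.10.25, 192.168.10.1 and the documentation address 203.0.113.10) and the ports are constructed. The HTTPS reply rule from step 3 is left out of the listing to keep it short.

```python
"""Added example, not the KB article's own code: parse the controller's
key/value rule listing into a rule table and evaluate constructed packets.
Assumed (not stated on the page): rules are checked in ID order, the first
match decides, and a packet that matches no rule is forwarded."""
import ipaddress
from collections import namedtuple
# Constructed listing in the controller's print format; fields whose
# "<field> match" is "none" on the page are omitted, and the parser treats a
# missing match flag as "none". Rule 3 is the outbound HTTPS rule of step 3
# (its reply rule is left out for brevity), rule 4 is the TCP drop of step 4.
RULE_LISTING = """\
ID                          : 1
Destination Port            : 80
Destination Port match      : on
Source IP                   : 192.168.10.0
Source IP match             : on
Source Netmask              : 255.255.255.0
Action                      : forward

ID                          : 2
Destination IP              : 192.168.10.0
Destination IP match        :on
Destination Netmask         : 255.255.255.0
Source Port                 : 80
Source Port match           : on
Action                      : forward

ID                          : 3
Destination Port            : 443
Destination Port match      : on
Source IP                   : 192.168.10.0
Source IP match             : on
Source Netmask              : 255.255.255.0
Action                      : forward

ID                          : 4
Source IP                   : 192.168.10.0
Source IP match             : on
Source Netmask              : 255.255.255.0
Network Protocol            : 6
Network Protocol match      : on
Action                      : drop
"""
# The optional UDP drop of step 5, appended after rule 4 when requested.
UDP_DROP_RULE = """\
ID                          : 5
Source IP                   : 192.168.10.0
Source IP match             : on
Source Netmask              : 255.255.255.0
Network Protocol            : 17
Network Protocol match      : on
Action                      : drop
"""

Packet = namedtuple("Packet", "src dst proto sport dport")  # proto 6=TCP, 17=UDP

def parse_rules(listing):
    """One rule per blank-line-separated block; each line is 'Field : value'."""
    rules = []
    for block in listing.strip().split("\n\n"):
        rule = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rule[key.strip()] = value.strip()
        rules.append(rule)
    return rules

def ip_in(addr, network, netmask):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{network}/{netmask}", strict=False)

def rule_matches(rule, pkt):
    """Every field with '<field> match : on' must agree with the packet; a field
    with match 'none' is a wildcard, so rule 3 also matches UDP to port 443."""
    checks = {
        "Source IP": lambda: ip_in(pkt.src, rule["Source IP"], rule["Source Netmask"]),
        "Destination IP": lambda: ip_in(pkt.dst, rule["Destination IP"], rule["Destination Netmask"]),
        "Source Port": lambda: pkt.sport == int(rule["Source Port"]),
        "Destination Port": lambda: pkt.dport == int(rule["Destination Port"]),
        "Network Protocol": lambda: pkt.proto == int(rule["Network Protocol"]),
    }
    return all(check() for field, check in checks.items()
               if rule.get(f"{field} match", "none") == "on")

def evaluate(rules, pkt, default="forward"):
    """First matching rule in table order decides; returns (action, rule ID)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["Action"], int(rule["ID"])
    return default, None

def guest_policy_results(with_udp_drop=False):
    """Evaluate constructed guest traffic (203.0.113.10 is a documentation address)."""
    rules = parse_rules(RULE_LISTING + ("\n" + UDP_DROP_RULE if with_udp_drop else ""))
    samples = {
        "http_out":   Packet("192.168.10.25", "203.0.113.10", 6, 51234, 80),
        "http_reply": Packet("203.0.113.10", "192.168.10.25", 6, 80, 51234),
        "https_out":  Packet("192.168.10.25", "203.0.113.10", 6, 51235, 443),
        "quic_out":   Packet("192.168.10.25", "203.0.113.10", 17, 51236, 443),
        "ssh_out":    Packet("192.168.10.25", "203.0.113.10", 6, 51237, 22),
        "dns_out":    Packet("192.168.10.25", "192.168.10.1", 17, 40000, 53),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}
```

Under these assumptions the forward rules have to sit before the drop rule, otherwise the TCP drop in step 4 swallows the HTTP and HTTPS traffic too. Two results are worth checking on a real controller: the `dns_out` packet is forwarded by steps 1 to 4 (the TCP drop leaves UDP alone, so name resolution keeps working) but is dropped as soon as the step 5 UDP rule is added, so a forward rule for the resolver's UDP port 53 would be needed ahead of it; and because the page's allow rules leave "Network Protocol match" at none, `quic_out` (UDP to port 443) is forwarded by the HTTPS rule as well.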

