Can't ping inter-station when Default action is Deny in IP Firewall Policy

  • Updated 3 years ago
Hi,

I have 2 laptops (A and B for the example) connected to an AP121. I would like to authorize ping between the 2 laptops.
In the Traffic filter, I enabled Ping and Inter-station Traffic.

In IP Firewall Policy, if the Default action is "Permit", the laptops can ping (A can ping B, B can ping A). If the Default action is "Deny", the laptops can't ping (A can't ping B, B can't ping A).
In the IP Firewall Policies, Network Service ICMP is Permit.

I don't understand why I have this problem...

Thanks
Olivier F
Posted 3 years ago

Luke Harris
How is your default traffic filter for the policy configured, Olivier? This needs to be set to allow inter-station traffic.
Olivier F
Thanks for your reply.
In the traffic filter, I enabled Ping and Inter-station Traffic.

Ping between clients works only if the default action is Permit in the IP Firewall policy.
But if the default action is Deny in the IP Firewall policy, ping between clients doesn't work.

Thanks
Luke Harris
Have you tried using Wireshark or NetworkMiner to monitor the packet attempt? I have also had similar issues with the explicit deny on Aerohive APs, so I can sympathise.
Olivier F
I haven't tried it yet, so I will. Thanks
Brian Powers
Olivier, the traffic filter that you have set to enable ICMP, SSH and inter-station traffic states above the check boxes that it "Controls the following types of traffic to Aerohive devices". This always meant to me that it would give wireless associated clients the ability to SSH, ping, Telnet, etc. to the AP that they are directly connected to. I never understood why there was an option to enable/disable inter-station traffic.

From the help file:
  1. "Choose either Permit or Deny from the Default Action drop-down list for traffic that does not match the IP addresses and services in the policies."
This tells me that if the traffic does not have a specific rule in the firewall policy, it is allowed or denied based on that setting. In your case, the top rule should apply to the ICMP traffic.

How do things differ if you untick "allow inter-station traffic" or remove the traffic filter rule completely and change the Permit/Deny option on the firewall policy?

Another way to test it would be to use the Application Service, as opposed to the Network Service, to select ICMP.

I'd be curious as to how it acts, if any different...
Olivier F
Thanks for your reply.

I tried different things:
 - if I untick "allow inter-station traffic": same problem
 - I can't remove the traffic rule completely, because there is always a default traffic rule
 - if I permit ICMP with the Application Service: same problem
 - if I change the firewall rules: I added, at the end of the firewall rules, a default rule which denies all and changed the default action to Permit: same problem

No change for the moment...
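A way to reason about Olivier's four results, as an added example that is not part of the thread or of any Aerohive code: a minimal first-match model of an IP Firewall Policy as Brian quotes it from the help file (rules matched on addresses and service, Default Action only for unmatched traffic). The host labels, the "ap" scope and the hypothesis that the permit rule does not cover client-to-client traffic are constructed assumptions for the exercise, not facts about HiveOS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # "any" or a constructed host/scope label
    dst: str
    service: str   # e.g. "ICMP", or "ANY"
    action: str    # "permit" or "deny"

    def matches(self, src, dst, service):
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.service in ("ANY", service))


def evaluate(rules, default_action, src, dst, service):
    """First matching rule wins; the Default Action covers everything else."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action
    return default_action


ICMP_ANY = Rule("any", "any", "ICMP", "permit")    # rule covering A<->B ICMP
ICMP_TO_AP = Rule("any", "ap", "ICMP", "permit")   # hypothesis: AP-bound only
DENY_ALL = Rule("any", "any", "ANY", "deny")

# Olivier's observations for an A -> B ping, keyed by firewall configuration.
OBSERVED = {"default permit": "permit",
            "default deny": "deny",
            "deny-all rule, default permit": "deny"}


def ping_results(icmp_rule):
    """Run the A -> B ICMP flow through the three policy configurations."""
    configs = {
        "default permit": ([icmp_rule], "permit"),
        "default deny": ([icmp_rule], "deny"),
        "deny-all rule, default permit": ([icmp_rule, DENY_ALL], "permit"),
    }
    return {name: evaluate(rules, default, "laptop-A", "laptop-B", "ICMP")
            for name, (rules, default) in configs.items()}


def explains_observations(icmp_rule):
    """True if this rule scope reproduces all three observed outcomes."""
    return ping_results(icmp_rule) == OBSERVED
```

A rule that really covers client-to-client ICMP permits the ping in all three configurations, so the observed behaviour only fits if the rule is not matching the inter-station flow at all, which is what the deny-all test already hinted at.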