Guest-internet-Access-Only not working anymore on HiveManager 6???

  • Question
  • Updated 5 months ago
At a customer I used the Guest-internet-Access-Only rule for the guest network. But I'm able to use remote desktop and take over the server? If I ping an IPv4 address I get no answer, but if I use the hostname then I get an answer from the IPv6 address.

So all the customers of Aerohive that use a guest network with Guest-internet-access-only and have IPv6 enabled have an unsafe network? How is this possible?

Regards

Jonas Dekkers

Posted 2 years ago


Nick Lowe, Official Rep

Hi Jonas,

It is a good question.

I agree that this is a limitation with the predefined ruleset.

Do you have a support case open over this?

I am happy to take it and progress this.

For our golden, long term support branch of HiveOS, we should, in my opinion, be looking to offer convenient blocking by EtherType. Our L7 firewall features also have the ability to identify IPv6 traffic so a rule can be added on this basis.

For our feature release branch with stronger IPv6 support, we should, in my opinion, be looking to offer a better set of default firewall rules.

If you are running up-to-date code in our feature release branch, you can already configure blocking via EtherType but this is a CLI only feature at this point.

Thanks,

Nick

Nick Lowe, Official Rep

Update: The applicable CLI is present in our golden, long term support branch of HiveOS to block IPv6 on a per-user profile basis. I have not verified if it works as expected in this branch though.

user-profile <string> security deny {ipv4|ipv6}

I know that we had issues in HiveOS 6.6 in this area so its functionality would need to be verified in HiveOS 6.5r5. (It works in HiveOS 6.8, a current feature release branch for our Broadcom-based APs.)

Cheers,

Nick

Jonas Dekkers

I will try this. I'll keep you up to date.

Thanks for the support

Jonas Dekkers

Hi Nick,

I have a support case open for this. I have asked the distributor for the ticket number. When I receive the ticket number I will give it to you.

Thanks a lot!

Nick Lowe, Official Rep

Hi Jonas,

It is 00169077. I have taken the case.

Regards,

Nick

Kevin Barrett

Any update on this?

Nick Lowe, Official Rep

Hi Kevin,

To block IPv6, please use the following via supplemental CLI:

user-profile <string> security deny ipv6 

Cheers,

Nick
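
A way to confirm the result from a client on the guest SSID once the deny rule is applied, as an added example that is not part of the thread and not Aerohive tooling: it resolves an internal hostname separately for IPv4 and IPv6 and attempts a TCP connection per family, so a rule set that only filters IPv4 shows up as a leak. The function names, the default port 3389 (remote desktop, as in the question) and the hostname you pass in are assumptions.

```python
import socket
import sys

FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}

def candidates(host, port, family, resolver=socket.getaddrinfo):
    """Resolve host for one address family only; return full sockaddr tuples."""
    try:
        infos = resolver(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this family for the name
    # Keep the whole sockaddr: for IPv6 it carries the scope id that
    # link-local (fe80::/10) addresses need in order to connect.
    return sorted({info[4] for info in infos})

def tcp_open(sockaddr, family, timeout=2.0):
    """True if a TCP handshake completes, i.e. the firewall let it through."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
        return True
    except OSError:
        return False

def audit(host, port, resolver=socket.getaddrinfo, probe=tcp_open):
    """Map each family to the internal addresses still reachable from here."""
    return {
        name: [sa[0] for sa in candidates(host, port, fam, resolver)
               if probe(sa, fam)]
        for name, fam in FAMILIES.items()
    }

def verdict(result):
    """Summarise which address families bypass the guest policy."""
    leaks = [name for name, addrs in result.items() if addrs]
    return "LEAK via " + ", ".join(leaks) if leaks else "ISOLATED"

if __name__ == "__main__":
    # Usage: python guest_check.py <internal-hostname> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: guest_check.py <internal-hostname> [port]")
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    result = audit(host, port)
    print(result, verdict(result))
    sys.exit(1 if any(result.values()) else 0)
```

Run it before and after pushing the supplemental CLI; the exit code is non-zero while any family still reaches the internal host.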