guest access block apple tv

  • 1
  • Question
  • Updated 4 years ago
  • Answered
I have been setting up a trial AP and have set up 3 SSIDs: 1 internal, 1 staff wifi and 1 guest wifi. We have a couple of Apple TVs on the staff wifi channel, but although we have set up the guest wifi as open with 'enable internet access only' ticked, guests can also see the Apple TVs. Is there something I'm missing to block access to the Apple TVs for guests?
LG Administrator

  • 4 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Can they actually connect to the AppleTVs or just see their advertisement? If it is the latter, is this causing you problems?

There are other options but the gold standard way to resolve this is to isolate the Layer 2 broadcast domains with VLANs and separate IP address ranges, routing between those ranges as necessary. Do your switches support this?

'Enable internet access only' is presumably still allowing multicast traffic.
(I'm assuming you have got the Bonjour Gateway functionality turned off at the moment.)

(Edited)
LG Administrator

  • 4 Posts
  • 0 Reply Likes
The Apple TVs advertise and can be connected to, e.g. guest users can connect and bring up the on-screen connection code remotely.
The other APs we're looking at are Meraki and they have a 'wireless isolation' feature for guest use that creates a local DHCP network and only allows access to the Internet; all other areas on the network are blocked. This is a real issue as we're looking to roll out wireless across the whole school and up until this, I was quite impressed with the Aerohive.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You can certainly apply a profile to guest connections that references firewall rules that will only allow access to the Internet. As you have said that guests can connect to the Apple TVs on the internal network, the issue that you are having is an issue with your configuration alone and is not at all due to a limitation of the APs.

You should check over your configuration to ensure that the expected profile is being applied to connections and that the firewall rules make sense.

The only point that I was trying to make before is that the best, gold standard way to achieve isolation between groups of clients is to use VLANs with a dedicated IP address range used per-VLAN.

VLANs are the industry standard way of fully isolating such groups of clients from each other.

A routed boundary that you control must then be traversed for clients to communicate outside of that client group.

You can either then filter at that routed boundary, or use user profiles with firewall rules based on source and destination IP address/range on the APs to securely control access.

If you cannot use VLANs because you do not have managed switches that support the feature, you can still use a user profile with firewall rules to only allow access to the Internet and not to an internal IP address bar any exceptions you may want.

Conceptually, it should not really be the concern of a bridging device (such as an AP or switch) to act as a router, DHCP server and perform NAT for guests.
(Edited)
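The user-profile approach described above, modelled as an added example (not Aerohive's or the poster's configuration): a first-match evaluator for a guest firewall policy, audited against constructed sample flows to confirm that only Internet destinations plus one named exception are reachable, and to show how a rule set with a gap still passes mDNS advertisements and AirPlay connections. The addresses, VLAN layout and the internal DNS exception are assumptions.

```python
# Added example, not Aerohive's or the poster's configuration: a first-match
# model of a guest user-profile firewall policy, audited against constructed
# sample flows. All addresses, VLANs and the DNS exception are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    dst: Optional[IPv4Network]    # None means any destination
    proto: str = "any"            # "tcp", "udp" or "any"
    port: Optional[int] = None    # None means any port

def evaluate(rules, dst, proto="tcp", port=None):
    """Action of the first rule matching the flow; implicit deny if none does."""
    dst_ip = ip_address(dst)
    for r in rules:
        if ((r.dst is None or dst_ip in r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed topology: the Apple TV sits on staff VLAN 172.16.20.0/24 and the
# internal DNS resolver at 10.0.10.53 is the one internal host guests may use.
APPLE_TV, INTERNAL_DNS, MDNS = "172.16.20.5", "10.0.10.53", "224.0.0.251"
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Guest profile as the thread recommends: exceptions first, then deny every
# internal range plus link-local and multicast (mDNS/Bonjour), then permit the rest.
GUEST_RULES = ([Rule("permit", ip_network(INTERNAL_DNS + "/32"), "udp", 53)]
    + [Rule("deny", ip_network(n)) for n in PRIVATE + ["169.254.0.0/16", "224.0.0.0/4"]]
    + [Rule("permit", None)])

# A plausible gap: one private range missing and no multicast deny, so an
# "Internet only" profile still passes Bonjour advertisements and AirPlay.
LEAKY_RULES = ([Rule("deny", ip_network(n)) for n in ("10.0.0.0/8", "192.168.0.0/16")]
    + [Rule("permit", None)])

def audit(rules):
    """What a guest client can reach under a rule set."""
    return {
        "airplay_to_apple_tv": evaluate(rules, APPLE_TV, "tcp", 7000),
        "mdns_discovery": evaluate(rules, MDNS, "udp", 5353),
        "internal_dns": evaluate(rules, INTERNAL_DNS, "udp", 53),
        "internet_https": evaluate(rules, "203.0.113.10", "tcp", 443),
    }
```

Running `audit()` over the real rule set after every profile change is the check that would have caught the misconfiguration in this thread: any internal host or multicast group reporting "permit" means the profile is not Internet-only.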
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Could you provide some screenshots of your configuration so that we can help you?
LG Administrator

  • 4 Posts
  • 0 Reply Likes
These are the 3 pages that I think cover the SSID we're having issues with.

Thanks
Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
Under the Bonjour Gateway you filter which VLANs will participate in the Bonjour process.

This will remove the bg0 interface from the AP.

And you add only the services you want to allow:

AirPlay and RAOP from the Apple TV VLAN to the user VLAN.

You can use RADIUS attributes to dynamically assign Apple TVs to a specific VLAN.

Cheers
A