Guest network firewall problem?

  • Question
  • Updated 5 years ago
  • Answered
Hi, I have configured the Guest network with the same settings as your video demonstration and it's working well, except for the firewall.

Our guest network DHCP server is a Windows 2008 R2 server and it has some file shares. When our guest network clients try to browse a file share on the DHCP server by IP, they cannot connect.
But when guest clients use the DNS name of the DHCP server, the server asks for credentials and browsing suddenly works.

Our guest clients and the DHCP + DNS server (same server for both) are in the 10.60.x network,
and the default internet-only guest firewall rule says permit for 10.x networks.

Jarno Heinonen


Posted 5 years ago


Jarno Heinonen

It seems that the problem is IPv6. Is there any way to disable/deny IPv6 traffic from WLAN clients?

Jeff Haydel

If you are referring to the help video #4, Aerohive Getting Started, please note the comment that Paul makes at the 5:50 point concerning the Guest firewall being enabled if the Guest radio button is enabled.

If you are in Enterprise mode you can access the default Guest firewall via the steps in the picture above. (Someone else please chime in on how to find and manipulate it via Express mode.)

As you can see, line 1 allows DHCP services to traverse the firewall and line 2 allows DNS, but line 3 specifically prevents other services from traversing the firewall to get to your internal scope.

In order to resolve this you will want to CLONE the Guest firewall and add a rule above line 3 specifically allowing services to the IP address of your DHCP server.

An example of that is below:

Finally, again in Enterprise mode, you will want to edit your guest User-Profile to change the IP From firewall from the default Guest-Firewall to your new firewall. One last picture to illustrate that:

To answer your second question, I am not certain that Aerohive has a way to allow you to specifically stop or allow IPv6 traffic. Hopefully another Aerohive person can chime in on that topic and I will learn something as well!

I hope all of this helps!

Jeff H
Mid-South SE

Crowdie, Champ

If you are running in Enterprise mode then it is also important to create a guest traffic filter that drops inter-station traffic in the guest SSID. This stops a guest from running a DHCP server on their wireless client and having all the other guests get a DHCP address, DNS settings, etc. from that DHCP server.

Jarno Heinonen

Thank you Jeff, that is exactly how I have configured the guest network firewall settings.
The firewall works OK for IPv4, but if the DHCP & DNS server or other client machines on the same network have IPv6 configured, the firewall lets all IPv6 traffic through.

Nick Lowe, Official Rep

Yup, I have raised the lack of EtherType filtering, which would allow all IPv6 traffic to be blocked, and the lack of general IPv6 functionality before. I hope to see both implemented soon!
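
The rule order and the IPv6 gap discussed in this thread, as an added Python model that is not part of any post and is not Aerohive configuration or code: the rules are evaluated first-match and only describe IPv4, so an IPv6 frame (EtherType 0x86DD) never reaches line 3. The addresses, the exact match fields of lines 1 to 3, the default-permit fallthrough and the `blocked_ethertypes` filter are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

IPV4, IPV6 = 0x0800, 0x86DD  # EtherType values

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    dst: str               # IPv4 destination network
    proto: str = "any"     # "udp", "tcp" or "any"
    port: int = 0          # 0 matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.port in (0, pkt["port"]))

def evaluate(rules, pkt, blocked_ethertypes=()):
    """First matching rule wins; the rules only ever see IPv4 packets."""
    if pkt["ethertype"] in blocked_ethertypes:
        return "deny"      # hypothetical EtherType filter (the feature reported missing)
    if pkt["ethertype"] != IPV4:
        return "permit"    # not inspected by the IPv4 rules, as reported in the thread
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"        # assumed default: everything else goes to the internet

SERVER = "10.60.0.10"      # constructed address for the DHCP/DNS/file server
DEFAULT_GUEST = [
    Rule("permit", "0.0.0.0/0", "udp", 67),   # line 1: DHCP (assumed match fields)
    Rule("permit", "0.0.0.0/0", "udp", 53),   # line 2: DNS (assumed match fields)
    Rule("deny", "10.0.0.0/8"),               # line 3: internal scope (assumed range)
]
# Clone with a permit for the server inserted above line 3
CLONED_GUEST = DEFAULT_GUEST[:2] + [Rule("permit", SERVER + "/32")] + DEFAULT_GUEST[2:]

def pkt(ethertype, dst, proto, port):
    return {"ethertype": ethertype, "dst": dst, "proto": proto, "port": port}

SMB_V4 = pkt(IPV4, SERVER, "tcp", 445)
SMB_V6 = pkt(IPV6, "fd00::10", "tcp", 445)    # constructed IPv6 address

def demo():
    return {
        "default_v4": evaluate(DEFAULT_GUEST, SMB_V4),   # blocked by line 3
        "cloned_v4": evaluate(CLONED_GUEST, SMB_V4),     # allowed by the added rule
        "default_v6": evaluate(DEFAULT_GUEST, SMB_V6),   # bypasses the IPv4 rules
        "filtered_v6": evaluate(DEFAULT_GUEST, SMB_V6, blocked_ethertypes={IPV6}),
    }

if __name__ == "__main__":
    print(demo())
```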