Problems with network access, probably misconfigured ip firewall policy

  • 1
  • Question
  • Updated 1 year ago
  • (Edited)
Hey guys,

we have an aerohive wifi infrastructur in one of our schools. There is one ssid for the students. Because the students have to use the internal proxy server for internet access, we have created an ip firewall policy with the following settings:

[X] From-Access: proxy_use_only (Rulename)
[  ] To-Access: <empty>
Default Action: Deny

The Rule "proxy_use_only" (firewall policy on APs) inherits some Google Play Services and Apple IOS Update rules which are set to permit and a rule that allows traffic from "any" to the internal proxy server on port tcp 8000. At the end of the policy is an "any - any - any - deny" rule. That works so far. The students can only surf the internet if the use the internal proxy server on port tcp 8000.
Now we have the problem, that there are also some Apple TVs in that same wifi-subnet. The students are allowed to access and manage these Apple TVs with their IPADs. With the actual firewall policy you can only see the Apple TVs connected to the same access point as your IPAD. If you move your IPAD to another AP, the connection to the Apple TV disappears. The Apple TVs have dynamic ip addresses from dhcp. Actually it is not possible to give them static ips because of internal organisation problems.
What I did now is to create a network object with the internal ip address range of the wifi ssid subnet and to add a rule that allows traffic from that subnet to that subnet again (for any port). Airplay seems to work now. What I do not understand is that pinging from one wifi-device to another wifi-device in the same subnet is not working. Can someone explain me why?
Additionally I want to know, if there is a better way to handle that scenario?

Photo of jennelu


  • 9 Posts
  • 0 Reply Likes

Posted 1 year ago

  • 1

Be the first to post a reply!