  • 1.  Deny Inter User Traffic

    Posted Jan 18, 2019 03:30 AM

    Hi,

    I have a question regarding the deny inter user traffic option in the Stateful firewall or the advanced VAP profile settings.

    So basically we have enabled this for both our client and guest VAPs.

    However, with the Windows Update Delivery Optimization now in force in our workplace we have found this actually blocks the updates from sharing between clients. I wanted to know what this checkbox actually enables?

    Is it just a straightforward ACL saying anything from this subnet to the same subnet deny? Or is there more to it than that? If it is that, then it would be safe for me to uncheck the deny inter user traffic box and put my own ACL in for this, but above it allow the port that the Windows Update Delivery Optimization uses?

    Thanks



  • 2.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:26 AM

    The global firewall option denies traffic between untrusted users by disallowing layer-2 and layer-3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.

    At the VAP level, this denies traffic between the clients using the virtual AP profile.

    If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles.

    If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between untrusted users and the clients on that particular virtual AP will be blocked.



  • 3.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:28 AM
    It is applied at the VAP profile; however, it was still blocking users from sharing the Windows Updates with each other over port 7680 TCP & UDP.

    How do we make this a trusted connection so it is allowed?

    Thanks

    Scott McMullan | Senior Systems Engineer | Kainos | DD: +44 (0)28 9057 1517 | s.mcmullan@kainos.com


  • 4.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:33 AM

    Have you tried creating an explicit ACL to allow it whilst keeping the deny inter user traffic checked?

    e.g. user network 192.168.1.0 255.255.0.0 tcp/udp 7680 permit



  • 5.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:35 AM
    Yeah, I tried this; however, it was still being blocked. Then I unchecked the deny inter user traffic box from the VAP profile and traffic passed successfully.

    Scott McMullan | Senior Systems Engineer | Kainos | DD: +44 (0)28 9057 1517 | s.mcmullan@kainos.com


  • 6.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:37 AM
    Sure, it will do. I believe it's a case of inter user traffic is allowed or
    not depending on the option. If not, you will need to configure ACLs to
    deny/permit the traffic you require.


  • 7.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:40 AM

    That is what I am trying to figure out: what is it depending on?

    So the deny inter user traffic, do you know if it is just a straight-up deny for all traffic on one subnet to the same subnet?

    I am worried about doing damage creating an ACL to restrict traffic from client subnet to the same subnet, that it will break something.



  • 8.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:46 AM
    So the deny inter user traffic, do you know if it is just a straight-up deny for all traffic on one subnet to the same subnet?

    Yes, it is exactly this for all L2 and L3 traffic.



  • 9.  RE: Deny Inter User Traffic

    Posted Jan 18, 2019 04:55 AM

    So by putting in a rule that says

    Source - Client subnet
    Destination - Client subnet
    Action - Deny

    would effectively do the same thing as the deny inter user traffic enabled at VAP level?

    Then above this I could put the rule

    Source - Client subnet
    Destination - Client subnet
    Port - tcp/udp 7680
    Action - Permit



  • 10.  RE: Deny Inter User Traffic
    Best Answer

    Posted Jan 18, 2019 05:03 AM

    Use the format I previously specified. So, "user" to subnet. The ACLs work from top to bottom, so your ACL would permit the traffic at the top, then deny everything else below.
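The two rule orderings discussed in posts 9 and 10 can be checked against a small first-match model of the firewall. The following is an added example, not code from the thread or from Aruba; it models a session ACL as an ordered list evaluated top to bottom with an implicit deny when nothing matches (a simplifying assumption, not a statement about ArubaOS internals). The subnet 192.168.1.0/24 and the sample client addresses are constructed for the example; port 7680 is the Delivery Optimization port named in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source net, destination net, protocol, destination port, action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"

    def matches(self, src_ip, dst_ip, proto, dport):
        return (src_ip in self.src
                and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Walk the ACL top to bottom; the first matching rule decides.

    Model assumption: a packet that matches no rule is dropped (implicit deny).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


# Constructed sample client subnet; 7680 is the Delivery Optimization port from the thread.
CLIENT_SUBNET = ipaddress.ip_network("192.168.1.0/24")
DELIVERY_OPTIMIZATION_PORT = 7680


def permit_delivery_optimization() -> List[Rule]:
    """The 'above it, allow the port' rules: same-subnet TCP and UDP 7680."""
    return [
        Rule(CLIENT_SUBNET, CLIENT_SUBNET, "tcp", DELIVERY_OPTIMIZATION_PORT, "permit"),
        Rule(CLIENT_SUBNET, CLIENT_SUBNET, "udp", DELIVERY_OPTIMIZATION_PORT, "permit"),
    ]


# The explicit equivalent of "deny inter user traffic": client subnet to itself, any protocol.
DENY_INTER_USER = Rule(CLIENT_SUBNET, CLIENT_SUBNET, "any", None, "deny")
# Let clients reach everything that is not another client (gateway, internet, servers).
PERMIT_EVERYTHING_ELSE = Rule(ANY, ANY, "any", None, "permit")

# Ordering from the best answer: permit the exception first, deny the rest of the subnet below.
ACL_CORRECT = permit_delivery_optimization() + [DENY_INTER_USER, PERMIT_EVERYTHING_ELSE]
# Reversed ordering: the broad deny shadows the 7680 permits, which never get evaluated.
ACL_WRONG = [DENY_INTER_USER] + permit_delivery_optimization() + [PERMIT_EVERYTHING_ELSE]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule fully covers them.

    A rule is covered when an earlier rule's source and destination networks contain
    its own, and the earlier rule's protocol and port are at least as broad.
    """
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            covers = (later.src.subnet_of(earlier.src)
                      and later.dst.subnet_of(earlier.dst)
                      and earlier.proto in ("any", later.proto)
                      and (earlier.dport is None or earlier.dport == later.dport))
            if covers:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    flows = [("192.168.1.10", "192.168.1.20", "tcp", 7680),   # peer update sharing
             ("192.168.1.10", "192.168.1.20", "tcp", 445),    # SMB between clients
             ("192.168.1.10", "10.0.0.5", "tcp", 443)]        # client to a server
    for name, acl in (("correct", ACL_CORRECT), ("wrong", ACL_WRONG)):
        print(name, [evaluate(acl, *f) for f in flows], "shadowed:", shadowed_rules(acl))
```

Running it shows the correct order permitting TCP/UDP 7680 between clients while still denying other client-to-client traffic, and the reversed order silently dropping the 7680 flows; `shadowed_rules` reports the two permit rules as unreachable in the wrong ordering, which is the kind of check worth doing before pushing a policy to a production VAP.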