Cloud STA cannot reach the internet when client isolation is enabled
Summary
When client isolation is enabled, the client gets an IP address but is not able to reach the internet.
Question
Why can't my clients reach the internet on a WLAN with client isolation enabled?
Customer Environment
Cloud 17.01. Client isolation (CI) enabled. MPLS enabled. Multiple firewalls.
Root Cause
The firewall is sending packets directly to the AP, and the AP's client isolation is blocking and dropping the packets sourced from the firewall IP. An AP with a CI-enabled WLAN will accept packets only from the gateway, DNS and DHCP addresses.
Troubleshooting Steps
Packet capture: the capture showed the AP sending packets to the gateway but receiving the return packets from the firewall.
Workaround
N.A.
Resolution
For client isolation, the gateway informs the AP of the DNS and DHCP addresses so that traffic to and from those addresses is allowed through the gateway. If client isolation is enabled in the cloud solution, there is no ACL option currently available in 17.01. If packets arrive at the AP from any address other than the gateway, CI is applied and blocks every other IP address in the same subnet and VLAN as the AP/gateway.
There can be cases where firewalls send packets to the AP instead of to the gateway. If MPLS is enabled, the packets can arrive from several different locations, and they will be dropped because they are not coming back from the gateway IP.
The current fix/work-around for this scenario is to add the IP/MAC pair to a whitelist on the AP Ethernet interface for the WLAN.
From the AP CLI:
rkscli: set manual-whitelist wlan34 add 172.16.108.x c0:c0:c0:18:9e:42 1
where 172.16.108.x is the IP address and c0:c0:c0:18:9e:42 the MAC address of the firewall that we are letting through, and 1 marks the entry as an exception.
For cloud APs running 17.01 software, Ruckus CS engineers can access the AP CLI.
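The drop decision described in the Root Cause and Resolution sections can be checked against a capture before touching the AP. The script below is an added example, not Ruckus code: it models the client-isolation rule as the article states it (only gateway, DNS and DHCP sources are accepted on the local subnet/VLAN, plus manual whitelist entries matched on both IP and MAC) and replays a constructed capture through it, once before and once after the whitelist entry is added. The gateway/DNS addresses, the firewall IP 172.16.108.200 and the "aa:aa:aa:..." MACs are made up for the example; the firewall MAC is the one from the article. The real AP filter may differ in details this model does not capture.

```python
"""Toy model of the AP-side client-isolation (CI) filter from the article.

Added example; not Ruckus code. All addresses except the firewall MAC
c0:c0:c0:18:9e:42 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientIsolationFilter:
    subnet: ipaddress.IPv4Network          # subnet/VLAN shared by AP, gateway and clients
    gateway: str                           # only local source CI lets through by default
    dns: frozenset                         # learned from the gateway, per the article
    dhcp: frozenset
    # manual whitelist, mirroring 'set manual-whitelist <wlan> add <ip> <mac> 1'
    whitelist: dict = field(default_factory=dict)

    def add_whitelist(self, ip: str, mac: str) -> None:
        """Add an IP/MAC exception; both must match for the frame to pass."""
        self.whitelist[ip] = mac.lower()

    def allows(self, src_ip: str, src_mac: str) -> bool:
        """Return True if CI lets a frame with this source through to the WLAN."""
        addr = ipaddress.ip_address(src_ip)
        if addr not in self.subnet:
            # Off-subnet sources can only reach the AP via the gateway;
            # CI polices the local subnet/VLAN (assumption of this model).
            return True
        if src_ip == self.gateway or src_ip in self.dns or src_ip in self.dhcp:
            return True
        return self.whitelist.get(src_ip) == src_mac.lower()


def classify_capture(flt: ClientIsolationFilter, frames):
    """Split a list of (src_ip, src_mac, description) into allowed and dropped sources."""
    allowed, dropped = [], []
    for src_ip, src_mac, _desc in frames:
        bucket = allowed if flt.allows(src_ip, src_mac) else dropped
        bucket.append((src_ip, src_mac))
    return allowed, dropped


# Constructed capture summary: what the AP Ethernet port saw coming back.
CAPTURE = [
    ("172.16.108.1", "aa:aa:aa:00:00:01", "reply from gateway"),
    ("172.16.108.2", "aa:aa:aa:00:00:02", "DNS answer"),
    ("172.16.108.200", "c0:c0:c0:18:9e:42", "return traffic sent by firewall, not gateway"),
    ("10.9.8.7", "aa:aa:aa:00:00:01", "off-subnet host, forwarded by gateway"),
]


def build_filter() -> ClientIsolationFilter:
    return ClientIsolationFilter(
        subnet=ipaddress.ip_network("172.16.108.0/24"),
        gateway="172.16.108.1",
        dns=frozenset({"172.16.108.2"}),
        dhcp=frozenset({"172.16.108.1"}),
    )


def before_and_after():
    """Classify the capture before and after whitelisting the firewall IP/MAC."""
    flt = build_filter()
    before = classify_capture(flt, CAPTURE)
    flt.add_whitelist("172.16.108.200", "c0:c0:c0:18:9e:42")   # the article's workaround
    after = classify_capture(flt, CAPTURE)
    return before, after


if __name__ == "__main__":
    (_, dropped_before), (_, dropped_after) = before_and_after()
    print("dropped before whitelist:", dropped_before)
    print("dropped after whitelist: ", dropped_after)
```

Only the frame sourced from the firewall is dropped before the whitelist entry exists; afterwards nothing is dropped, and an entry with a matching IP but a different MAC is still rejected, which is why the command takes both values.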
Article Number:
000006355
Updated:
June 07, 2021 10:56 PM
Tags:
Configuration, Installation, Security, Troubleshooting, Known Issues and Workarounds, Ruckus Cloud WiFi