6th February 2012, 11:09 AM #1
Ruckus Guest Access
How come when connecting to the Wireless Guest SSID clients are getting a DHCP response when the following rules are set?
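| Order | Description | Type | Destination Address | Application | Protocol | Destination Port |
|-------|-------------|------|---------------------|-------------|----------|------------------|
| 1     |             | Deny | 192.168.0.1/19      | Any         | Any      | Any              |
| 2     |             | Deny | 10.0.0.0/8          | Any         | Any      | Any              |
| 3     |             | Deny | 172.16.0.0/12       | Any         | Any      | Any              |
| 4     |             | Deny | 192.168.0.0/16      | Any         | Any      | Any              |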
My DHCP server has an address of 192.168.2.1, so how come it's being allowed to communicate with it when everything is set to Deny?
6th February 2012, 11:13 AM #2
Your subnetting is wrong?
6th February 2012, 11:14 AM #3
DHCP requests are not sent via IP, so rules preventing communication by IP can't be followed.
Basically, DHCP commands are sent in a different network layer - layer 2, and those rules are layer 3 rules.
That'd be my theory anyway!
6th February 2012, 11:29 AM #4
DHCP is application layer, above IP. It uses 255.255.255.255 as a broadcast packet and as the client doesn't yet have an IP it cannot be blocked by a rule. Why would you want to stop people from getting IPs? It would be a lonely guest network!!
6th February 2012, 11:40 AM #5
Well, I was just confused as DHCP is an option to Allow, so since all was set to block I was just wondering why it allows it through if there is an option for it.
6th February 2012, 11:59 AM #6
Is this on a CISCO device? I haven't done much in the way of ACLs for HP ones. On a CISCO device the DHCP, DNS, etc. options are there for ease of reading of port numbers. If you wanted to disable DHCP completely on a subnet you would have to use the 0.0.0.0/0 DHCP option, but it would be pretty useless for the most part.
What I would expect from your rule there is that once your clients have IP addresses that they would no longer be able to contact the DHCP server. Try this by pinging once the clients are up and running. That would prove that your rule is working as such.
It's an odd setup though; normally you would want to allow only access to your DHCP servers from a guest network and none of the others (if it was a super secure environment). This would be so that when clients renegotiate their lease (halfway through their lease time) they can do so. Otherwise, when the lease time is up you will get clients being disconnected for a short period while they renegotiate a lease from scratch from your server.
Hope that makes some sense!!
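Added example, not part of any post in this thread and not Ruckus code: a Python model of the posted rule list, assuming first-match evaluation on destination address only and a default of allow when nothing matches (neither is confirmed on the page). It shows the limited-broadcast destination of an initial DHCP request matching none of the four deny rules, while unicast traffic to the DHCP server at 192.168.2.1 hits rule 1; the function names and sample destinations are constructed for illustration.

```python
import ipaddress

# Rule list as posted in the thread: (order, type, destination address).
RULES = [
    (1, "Deny", "192.168.0.1/19"),
    (2, "Deny", "10.0.0.0/8"),
    (3, "Deny", "172.16.0.0/12"),
    (4, "Deny", "192.168.0.0/16"),
]

def network(cidr):
    # strict=False: 192.168.0.1/19 has host bits set; normalise to 192.168.0.0/19.
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(dst, rules=RULES, default="Allow"):
    """Return (action, rule order) for a destination IP.
    Assumptions: first match wins; unmatched traffic gets `default`."""
    addr = ipaddress.ip_address(dst)
    for order, action, cidr in rules:
        if addr in network(cidr):
            return action, order
    return default, None

def redundant(rules=RULES):
    """Orders of rules fully covered by another rule with the same action."""
    out = []
    for order, action, cidr in rules:
        for other_order, other_action, other_cidr in rules:
            if (other_order != order and other_action == action
                    and network(cidr).subnet_of(network(other_cidr))):
                out.append(order)
                break
    return out

# Constructed sample traffic from a guest client (labels are illustrative).
SAMPLES = [
    ("DHCP discover, limited broadcast", "255.255.255.255"),
    ("DHCP renewal, unicast to server", "192.168.2.1"),
    ("ping to DHCP server", "192.168.2.1"),
    ("other internal host", "192.168.40.1"),
]

if __name__ == "__main__":
    for label, dst in SAMPLES:
        action, order = evaluate(dst)
        print(f"{label:35} {dst:16} {action} (rule {order})")
    print("redundant rules:", redundant())
```

Rule 1 is reported as redundant because 192.168.0.0/19 sits entirely inside rule 4's 192.168.0.0/16.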