https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413900#M28771 <HTML><HEAD></HEAD><BODY><P>There really&nbsp; isn't one a sample nor best practices for this.</P><P></P><P>It all depends on what you are looking to do.&nbsp; </P><P></P><P>IMO, the guest network should only be blocked from reaching to the internal network.&nbsp; Other than that leave it open, but maybe QoS/AVC and mark them as lower priority so they can't utilize a lot of your interwebz bandwidth.</P><P></P><P></P><P>HTH, <BR />Steve <BR /> <BR />------------------------------------------------------------------------------------------------ <BR />Please remember to rate useful posts, and mark questions as answered</P></BODY></HTML> Tue, 07 Jan 2014 15:45:26 GMT Stephen Rodriguez 2014-01-07T15:45:26Z https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413899#M28770 <P>Good morning - </P><P></P><P>I am hoping to find a sample, guide, best practices, and practical example of a set of Internet firewall rules for wireless guest users. Common current services and applications for tablets (Skype, Apple services, etc) must work and I would also like to identify commonly blocked outbound ports for wireless guest users. The service should have a more open ruleset but still be secure. Even if I could find a good starting point. </P><P></P><P>Thanks! </P> Mon, 05 Jul 2021 06:54:24 GMT https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413899#M28770 John Capobianco 2021-07-05T06:54:24Z https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413900#M28771 <HTML><HEAD></HEAD><BODY><P>There really&nbsp; isn't one a sample nor best practices for this.</P><P></P><P>It all depends on what you are looking to do.&nbsp; </P><P></P><P>IMO, the guest network should only be blocked from reaching to the internal network.&nbsp; Other than that leave it open, but maybe QoS/AVC and mark them as lower priority so they can't utilize a lot of your interwebz bandwidth.</P><P></P><P></P><P>HTH, <BR />Steve <BR /> <BR />------------------------------------------------------------------------------------------------ <BR />Please remember to rate useful posts, and mark questions as answered</P></BODY></HTML> Tue, 07 Jan 2014 15:45:26 GMT https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413900#M28771 Stephen Rodriguez 2014-01-07T15:45:26Z https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413901#M28772 <HTML><HEAD></HEAD><BODY><P> Thank you for the reply. We are using the WLC to rate limit guest bandwidth and are approaching this to have a near-wide-open access to the internet on the guest network. Just trying to see if there are commonly blocked ports or blocked services applied or if we simply use Layer-7 aware / application aware services to block things like Torrents but allow Skype for example. </P></BODY></HTML> Tue, 07 Jan 2014 16:01:36 GMT https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413901#M28772 John Capobianco 2014-01-07T16:01:36Z https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413902#M28773 <HTML><HEAD></HEAD><BODY><P>I'd stick with Layer 7 aware services.&nbsp; That way you can drop or mark down bandwidth hogs, but still let the users get where they need to.</P><P></P><P>The problem with FW/ACL is you never know what a user is going to need.&nbsp; I had a customer years ago that had changed the ports her VPN used.&nbsp; If you didn't know what they were, they never would be able to connect.&nbsp; </P><P></P><P></P><P>HTH, <BR />Steve <BR /> <BR />------------------------------------------------------------------------------------------------ <BR />Please remember to rate useful posts, and mark questions as answered</P></BODY></HTML> Tue, 07 Jan 2014 16:23:15 GMT https://community.cisco.com/t5/wireless/guest-wireless-internet-firewall-rules/m-p/2413902#M28773 Stephen Rodriguez 2014-01-07T16:23:15Z