Beginner

PBR Blocks Wi-Fi Controller Guest Portal

I've applied PBR on my core switch (3850) on the Guest VLAN, which routes guest traffic to a different ISP rather than having it run on our production one. I need the guest users to authenticate on the UniFi-Controller, which resides on the production network, which was what I was trying to block. I used the following config to create the PBR:

Standard IP access list 7
    10 permit 10.7.0.0, wildcard bits 0.0.255.255

route-map GUEST-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): 7
  Set clauses:
    ip default next-hop 10.255.255.2

The UniFi-Controller IP is 10.1.2.213

Anything I can do to allow the Guest VLAN communicate with that one server?

6 REPLIES
VIP Mentor

Re: PBR Blocks Wi-Fi Controller Guest Portal

Hello

It seems you may have an incorrect PBR stanza statement.

set ip default next-hop xx works ONLY when there ISN'T a valid route in the routing table of the router; if there is a valid route, then normal routing takes precedence. So if this is the case, I suggest changing that statement to: set ip next-hop xxxx



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: PBR Blocks Wi-Fi Controller Guest Portal

I thought with the 'default next-hop' it would check the routing table first, and then do a next-hop. Maybe I misunderstood.

I already made the change, but it still blocks everything internally.

VIP Mentor

Re: PBR Blocks Wi-Fi Controller Guest Portal

Hello,

What is the UniFi controller for? RADIUS authentication? In that case, you could have an extended access list for your route map that permits e.g. port 1812 (UDP and TCP), and another extended access list that allows everything else.

The RADIUS ports match on the first permit statement, but since there is no next-hop, the routing table is being used. The rest of the traffic will be processed by the second permit statement.

access-list 101 permit tcp 10.7.0.0 0.0.255.255 host 10.1.2.213 eq 1812
access-list 101 permit udp 10.7.0.0 0.0.255.255 host 10.1.2.213 eq 1812
!
access-list 102 permit ip 10.7.0.0 0.0.255.255 any
!
route-map GUEST-POLICY permit 10
 match ip address 101
!
route-map GUEST-POLICY permit 20
 match ip address 102
 set ip next-hop 10.255.255.2

Beginner

Re: PBR Blocks Wi-Fi Controller Guest Portal

The UniFi controller will allow the wireless guest users to accept the terms and conditions. It just needs the portal.

VIP Mentor

Re: PBR Blocks Wi-Fi Controller Guest Portal

Hello

Leave the new PBR statement in place for now, but verify your routing and Wi-Fi environment - is this 3850 a converged WLC?
Can you post, in an attached file, the running configuration of this 3850 along with any network topology diagram you may have?



kind regards
Paul

VIP Mentor

Re: PBR Blocks Wi-Fi Controller Guest Portal

Hello,

If you don't know what protocol and/or port on the portal needs to be accessed, just let the clients access the entire server:

access-list 101 permit ip 10.7.0.0 0.0.255.255 host 10.1.2.213
!
access-list 102 permit ip 10.7.0.0 0.0.255.255 any
!
route-map GUEST-POLICY permit 10
 match ip address 101
!
route-map GUEST-POLICY permit 20
 match ip address 102
 set ip next-hop 10.255.255.2
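The two points the replies turn on are the difference between "set ip next-hop" and "set ip default next-hop" (Paul's first reply) and why a matching route-map sequence with no set clause lets the controller traffic fall through to the routing table (the two route-maps posted above). The following model of those PBR semantics is an added example written for this thread; it is neither the posters' configuration nor Cisco code. The routing table of the 3850, the production ISP next hop 10.1.0.1, the guest client 10.7.1.10 and the external address 203.0.113.5 are assumptions; only 10.7.0.0/16, 10.1.2.213 and 10.255.255.2 come from the thread.

```python
"""Model of Cisco IOS policy-based routing (PBR) decisions.

Added example for this thread; not the posters' config and not Cisco code.
It models the behaviour the replies describe:
  - ACL matching: first matching entry wins, implicit deny at the end
  - route-map: first matching permit sequence wins
  - 'set ip next-hop' always overrides the routing table (RIB)
  - 'set ip default next-hop' is used only when the RIB has no route more
    specific than the default route
  - a matching sequence with no set clause falls through to normal routing
The RIB contents and the production-side next hop are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Ace:
    """One permit entry; 'ip' matches any protocol, CIDR stands in for wildcard masks."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def acl_permits(acl: list, pkt: Packet) -> bool:
    return any(ace.matches(pkt) for ace in acl)


@dataclass
class Seq:
    """One 'route-map ... permit N' sequence: match ACL plus optional set clause."""
    acl: list
    next_hop: Optional[str] = None
    default_only: bool = False   # True models 'set ip default next-hop'


def rib_lookup(rib: dict, dst: str):
    """Longest-prefix match over a RIB given as {prefix: next_hop}."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(pkt: Packet, route_map: list, rib: dict):
    """Next hop for a packet arriving on an interface with 'ip policy route-map'.
    Returns (next_hop, "pbr") when the policy decided, (next_hop, "rib") otherwise."""
    for seq in route_map:
        if not acl_permits(seq.acl, pkt):
            continue                      # try the next sequence
        if seq.next_hop is None:
            break                         # matched, no set clause: normal routing
        if seq.default_only:
            route = rib_lookup(rib, pkt.dst)
            if route is not None and route[0].prefixlen > 0:
                break                     # a specific route exists: RIB wins
        return seq.next_hop, "pbr"
    route = rib_lookup(rib, pkt.dst)
    return (route[1] if route else None), "rib"


# Constructed RIB of the 3850 (assumption): guest and server VLANs are
# directly connected, everything else goes to a hypothetical production ISP.
RIB = {"10.7.0.0/16": "connected", "10.1.2.0/24": "connected", "0.0.0.0/0": "10.1.0.1"}
GUEST_ISP = "10.255.255.2"           # next hop from the thread
CONTROLLER = "10.1.2.213"

ACL7 = [Ace("ip", "10.7.0.0/16", "0.0.0.0/0")]               # standard ACL: source only
ACL101_RADIUS = [Ace("tcp", "10.7.0.0/16", CONTROLLER + "/32", 1812),
                 Ace("udp", "10.7.0.0/16", CONTROLLER + "/32", 1812)]
ACL101_HOST = [Ace("ip", "10.7.0.0/16", CONTROLLER + "/32")]
ACL102 = [Ace("ip", "10.7.0.0/16", "0.0.0.0/0")]

ORIGINAL = [Seq(ACL7, GUEST_ISP, default_only=True)]          # set ip default next-hop
STRICT = [Seq(ACL7, GUEST_ISP)]                                # set ip next-hop
RADIUS_ONLY = [Seq(ACL101_RADIUS), Seq(ACL102, GUEST_ISP)]     # first posted route-map
EXEMPT = [Seq(ACL101_HOST), Seq(ACL102, GUEST_ISP)]            # second posted route-map


def guest_to_controller(route_map, proto="tcp", dport=443):
    return forward(Packet("10.7.1.10", CONTROLLER, proto, dport), route_map, RIB)


def guest_to_internet(route_map):
    return forward(Packet("10.7.1.10", "203.0.113.5"), route_map, RIB)


if __name__ == "__main__":
    for name, rm in (("original", ORIGINAL), ("strict", STRICT), ("exempt", EXEMPT)):
        print(name, guest_to_controller(rm), guest_to_internet(rm))
```

With this RIB the "default next-hop" map leaves controller traffic to the connected route and only policy-routes destinations that have no route beyond the default; whether that matches what the switch in the thread actually did depends on its real routing table, which the thread does not show. The "set ip next-hop" map sends every guest packet, controller included, to 10.255.255.2. The two-sequence maps exempt the controller (or only its RADIUS ports, in the first version) while everything else still goes to the guest ISP.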