I have a customer requesting to use the AP7131's firewall in an uncommon way, and I need some input on how to accomplish the configuration they are requesting. Objective: Use the WAN port on the 7131 to provide firewalled connectivity for a legacy Frequency Hopping access point to the LAN. This is an effort to continue supporting the FH device application they require while obtaining PCI compliance by firewalling access of this device from the CDE. They wish to use the firewall capabilities and additional port of the 7131 to do this to minimize additional hardware needing to be deployed to their 100+ locations. The trouble I'm seeing is that firewall rules appear to only be enforceable FROM the LAN1 or LAN2 interface TO the WAN, LAN1, or LAN2 interfaces. I want to connect their FH access point to the WAN port, and apply ACLs (IP Filters) from the WAN interface to the LAN1 interface. How might I configure routing and firewall on the 7131 to achieve this configuration? Is this possible? Thank you!
AP7131 Firewall - unique config requirement
2 Replies
Do you want to use the firewall, IP filter or both? Firewall has predefined Configurable Filters and also predefined rules (on Subnet Access). There is also an Advanced Subnet Access which "looks" like an ACL but is rather like IPTables. On the other hand, IP Filter is actually ACL: As in help, "The allow/deny mechanism used by IP filtering makes it similar to an access control list (ACL)". Please correct me if I am wrong, but is the purpose of firewalling protecting the LAN network from hackers using FH cards so they can associate to FH APs? In this case, yes, set all of the FH APs on a VLAN which connects to the WAN port, connect the LAN to the protected subnet and apply Firewall rules (i.e., allow everything but telnet) from WAN to LAN. This should work.
If I understand your customer's requirements properly, the FH network/devices are going to be located off of the WAN port? On the AP-7131 with the firewall enabled, by default we will block all traffic originating from the WAN network. To allow only specific traffic originating from the WAN side, you need to configure Port Forwarding. Subnet access rules only apply when the traffic is originating from one of the LAN subnets. Once traffic has been allowed in one direction, a flow is established and bi-directional traffic will be able to pass.
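The policy behaviour described in this reply (WAN default-deny, port forwarding as the only way in from the WAN side, subnet access rules evaluated only for LAN-originated traffic, and allowed flows becoming bi-directional), as an added Python model that is not the AP-7131's own code or any vendor tool. The subnets, ports and the "allow everything but telnet" rule are constructed, and port forwarding is simplified to a set of permitted WAN-side destination ports.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Constructed sample addressing: CDE hosts on LAN1, the legacy FH AP segment hung off the WAN port.
LAN1 = ip_network("10.1.0.0/24")
WAN = ip_network("192.168.99.0/24")
Packet = namedtuple("Packet", "src sport dst dport")

def zone(ip):
    addr = ip_address(ip)
    return "LAN1" if addr in LAN1 else "WAN" if addr in WAN else "OTHER"

class Ap7131FirewallModel:
    """Toy model of the reply: WAN-originated traffic is dropped unless a port forward
    matches, subnet-access rules apply only to LAN-originated traffic, and any allowed
    packet creates a flow whose reverse direction is then permitted (stateful)."""
    def __init__(self, port_forwards, subnet_access_allow):
        self.port_forwards = set(port_forwards)         # WAN-side dst ports forwarded to LAN
        self.subnet_access_allow = subnet_access_allow  # predicate on LAN-originated packets
        self.flows = set()                              # (src, sport, dst, dport) tuples

    def forward(self, pkt):
        # Replies to an already-allowed flow pass in either direction.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW(established)"
        src_zone = zone(pkt.src)
        if src_zone == "WAN":
            allowed = pkt.dport in self.port_forwards
            reason = "port-forward" if allowed else "wan-default-deny"
        elif src_zone == "LAN1":
            allowed = self.subnet_access_allow(pkt)
            reason = "subnet-access"
        else:
            allowed, reason = False, "unknown-zone"
        if allowed:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return f"{'ALLOW' if allowed else 'DENY'}({reason})"

def demo():
    # Constructed policy: forward only TCP/8080 in from the FH side; from LAN1, allow all but telnet.
    fw = Ap7131FirewallModel(port_forwards={8080}, subnet_access_allow=lambda p: p.dport != 23)
    fh_ap, cde_host = "192.168.99.10", "10.1.0.20"
    return {
        "fh_to_cde_ssh": fw.forward(Packet(fh_ap, 40000, cde_host, 22)),
        "fh_to_cde_app": fw.forward(Packet(fh_ap, 40001, cde_host, 8080)),
        "cde_reply_app": fw.forward(Packet(cde_host, 8080, fh_ap, 40001)),
        "cde_to_fh_telnet": fw.forward(Packet(cde_host, 50000, fh_ap, 23)),
        "cde_to_fh_http": fw.forward(Packet(cde_host, 50001, fh_ap, 80)),
        "fh_reply_http": fw.forward(Packet(fh_ap, 80, cde_host, 50001)),
    }
```

Running `demo()` shows the asymmetry the reply describes: the FH side reaches the CDE only on the forwarded port, while LAN1-originated traffic is governed by the subnet access predicate and its replies return on the established flow.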