Hi,
I have a BSC-600, firmware V6.5.1.03, 2 APs.
Managed NW IP = 192.168.200.x
Protected NW IP = 10.x.x.x
Connection to Internet in Managed Port 1
Connection to AP1 in Managed Port2
Connection to AP2 in Managed Port3
Connection to LAN in Protected Port
My question is this: I only use this appliance for guest users to our company. So when a device logs in via the web login they can only access the managed side (internet).
When I log in my device (iPhone) to the appliance, I can ping and access the protected side of the network. Is this right? How can I stop this, as I only want them to access the managed side?
Thanks for any assistance.
With the BSC, the managed interface is the ingress and the protected interface is the egress. The internet should be on the protected side while the clients reside on the managed side. It sounds like whatever network you have the managed plugged into, the protected should be plugged into instead.
Ok,
But when I look at the GUI it says:
Protected - the BSC to communicate with the protected (i.e., wired) side of your network. (I would assume LAN)
Managed - the BSC to communicate with the managed (i.e., wireless) side of your network.
So you are saying I've got these two mixed up....
That is correct. The protected is typically plugged into your existing wired network and clients reside on the managed side of the BSC. Traffic flows in the managed and out the protected. By default the BSC will NAT the managed network IP addresses to the protected IP address. Traffic must flow through the BSC in order for it to enforce firewall policies, provide bandwidth management, etc. Guest traffic could flow in the managed, out the protected, over your existing wired network, and out to the internet and you could leverage the BSC's stateful firewall to prevent guests from accessing everything but the internet. In that case your existing wired network should reside on the protected. Instead of guest traffic flowing over your existing wired network, you could also have a dedicated internet connection just for guest access where guest traffic would flow in the managed, out the protected, and out to the internet. Again the internet should reside on the protected. So you said you had:
1. Connection to Internet in Managed Port 1
2. Connection to AP1 in Managed Port2
3. Connection to AP2 in Managed Port3
4. Connection to LAN in Protected Port
1 is incorrect as the internet should reside on the protected side of the BSC. 2 and 3 are correct. 4 could be correct if you wanted traffic to flow in the managed, out the protected, over your existing LAN, and out to the internet. If you didn't want traffic to flow over your existing LAN but instead in the managed, out the protected, then out a dedicated internet connection, then the internet should be on the protected instead.
Ok, I will change my config.
If I wished to be able to access the appliance from my LAN?
Thanks
BSC-600/1200s have a shared failover/admin port. If you are not using failover or loadsharing you could connect the admin port to your LAN so that you may access it from there. Another option if you are using failover/loadsharing is a protected side VLAN. So the protected physical interface could go right out to the internet but the protected VLAN could connect to your LAN for management. In that case the protected interface's switchport would need to be configured as a trunk port where the protected physical VLAN is set to the native VLAN of the trunk and the protected "management" VLAN is allowed or tagged on the trunk.
Thanks for this.
I have it as you suggested now. I enabled the admin port (10.4.2.17) and plugged the LAN into the failover port. But now I am unable to access the GUI. I can ping the IP and it returns OK.
I've also tried SSH to it as well.
Any ideas for how I can at least access the GUI again?
I would assume you tried to reboot the box? If you connect directly to a free managed interface with a laptop configured for DHCP it should get an IP address. Can you access it that way? I'm trying to determine if the web server is running. You could also connect to the serial console using a 9 pin serial null modem cable and a terminal emulation program (9600, 8, none, 1, none) and run the command to show running processes. The default serial console password is wg1000s. Could there be a duplicate IP out there?
Yes I can connect to the wireless login page but not the management side.
If you can ping it then you should be able to browse to https://ipaddress/admin.pl unless you are pinging a duplicate IP? Perhaps you could open a trouble ticket and the tech support team could help you troubleshoot further.