
Is host address blocked by ACL rule?


Not sure if this should be in Firewall but I'll give it a go. Have a wireless network controller which has the option of wireless client isolation on the SSIDs. So, for example, if you set up a guest SSID and don't want people connected to that to be able to talk to each other or anything else on the LAN, you turn WCI on.

WCI also has an ACL list of subnets which you can allow or deny. In the ACL there is the following rule to cover this common public IP range:

172.16.0.0/12 - Deny

Users are trying to access a website on a private IP (outside of the LAN) at 172.30.177.86, which is being blocked by the ACL. When I change the above 172.16.0.0/12 rule to allow, it then works.

Not being an expert in subnetting myself, I asked for help from the wireless support company; this has been going on for about 3 weeks now without a proper resolution. They told me to add the following rule to the top of the ACL:

172.30.177.86/32 - Allow

I did that but it still didn't work. Being that about the only thing about subnets that I understand is /24, I changed the allow rule to 172.30.177.86/24 and hey presto it started to work (with the lower 172.16.0.0/12 deny rule still in place). I have three questions on this:

1. Does the host 172.30.177.86 actually exist in the range 172.16.0.0/12? I've looked at a few online subnet calculators but haven't seen how I can go about working this out.

2. If the LAN is not on a 172.x.x.x range, is there any point in me keeping the deny rule in the ACL? Can I just remove it to avoid further future problems? It's just there to block common IP ranges that get used on LANs, right?

3. Why did the support company tell me to allow 172.30.177.86/32? Were they trying to achieve the same thing as I eventually did by using /24 but with more security or something? Or did they just get it wrong?

Thanks!
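
An added example, not part of the original post and not the controller vendor's code: it works out the address arithmetic the three questions turn on, using Python's `ipaddress` module. The top-down, first-match evaluation in `evaluate` is an assumption (the post only says the allow rule goes at the top of the ACL); how the controller really matches rules is not stated on this page, and the second host `172.30.177.10` is a constructed value.

```python
import ipaddress

def covers(rule_cidr, host):
    """True if host lies inside rule_cidr. strict=False accepts a CIDR with
    host bits set (172.30.177.86/24) and masks it down to its network."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.ip_address(host) in net

def span(rule_cidr):
    """(first address, last address, number of addresses) for a CIDR."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def evaluate(acl, host):
    """ASSUMED model: walk the rules top-down, first covering rule wins.
    Returns (action, matching rule) or ("no-match", None)."""
    for cidr, action in acl:
        if covers(cidr, host):
            return action, cidr
    return "no-match", None

HOST = "172.30.177.86"          # address from the post
NEIGHBOUR = "172.30.177.10"     # constructed: another host in the same /24

ACL_ORIGINAL = [("172.16.0.0/12", "deny")]
ACL_SLASH32 = [("172.30.177.86/32", "allow"), ("172.16.0.0/12", "deny")]
ACL_SLASH24 = [("172.30.177.86/24", "allow"), ("172.16.0.0/12", "deny")]

if __name__ == "__main__":
    # What each rule from the post actually covers.
    for cidr in ("172.16.0.0/12", "172.30.177.86/32", "172.30.177.86/24"):
        first, last, count = span(cidr)
        print(f"{cidr:>18}: {first} - {last} ({count} addresses), "
              f"covers {HOST}: {covers(cidr, HOST)}")
    # How each ACL variant treats the target and a neighbouring address.
    for name, acl in (("original", ACL_ORIGINAL),
                      ("/32 allow", ACL_SLASH32),
                      ("/24 allow", ACL_SLASH24)):
        print(f"{name:>10}: {HOST} -> {evaluate(acl, HOST)[0]}, "
              f"{NEIGHBOUR} -> {evaluate(acl, NEIGHBOUR)[0]}")
```

Under the assumed first-match model both allow rules admit 172.30.177.86; the difference is that the /24 form also admits the other 255 addresses in 172.30.177.0/24, while the /32 form admits only the one host.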

