Why can't my clients get to the internet with a client isolation enabled WLAN?

Summary

When client isolation is enabled, the client gets an IP address but is not able to get to the internet.

Question

Why can't my clients get to the internet with a client isolation enabled WLAN?

Customer Environment

Cloud 17.01. Client isolation (CI) enabled. MPLS enabled. Multiple firewalls.

Root Cause

The firewall is sending packets directly to the AP, and the AP's CI is blocking and dropping the packets from the firewall IP. An AP with a CI-enabled WLAN will receive packets only from the gateway/DNS/DHCP.

Troubleshooting Steps

Packet capture:
From the packet capture, the AP was sending packets to the gateway and receiving packets from the firewall.

Workaround

N.A.

Resolution

For client isolation, the gateway informs the AP of the DNS/DHCP addresses so that those addresses are allowed through the gateway in/out. If client isolation is enabled in the cloud solution, there is no ACL option currently available in 17.01. If packets arrive at the AP from a source other than the gateway, CI is applied and blocks any other IP addresses in the same subnet and same VLAN as the AP/gateway.
There can be instances where firewalls send packets to the AP instead of to the gateway. If MPLS is enabled, the packets could be coming from various different locations, and they will be dropped because they are not coming back from the gateway IP.

The current fix/workaround for this scenario is to add the IP/MAC to a whitelist from the AP Ethernet interface to the WLAN.
From the AP CLI:
rkscli: set manual-whitelist wlan34 add 172.16.108.x c0:c0:c0:18:9e:42 1
(where 172.16.108.x and c0:c0:c0:18:9e:42 are the IP and MAC of the firewall that we are letting through, and 1 is exception)

For cloud APs with 17.01 software, Ruckus CS engineers can access the AP CLI.
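
The filtering behaviour described above, as an added Python sketch that is not Ruckus code: it models which wired-side senders a CI-enabled WLAN accepts and lists the senders a capture shows being dropped, so each can be confirmed as a legitimate firewall before a manual-whitelist entry is added for it. The gateway MAC, the DNS/DHCP addresses, the function names and all sample frames are constructed assumptions.

```python
# Simplified model of the client-isolation (CI) decision described in this
# article. Not Ruckus code; every address below is a constructed sample value.
from collections import Counter

GATEWAY_MAC = "02:00:00:00:00:01"                # assumed gateway MAC
DNS_DHCP_IPS = {"172.16.108.2", "172.16.108.3"}  # assumed, learned from gateway

def ci_verdict(sender_ip, sender_mac, whitelist=frozenset()):
    """Verdict for a wired-side frame delivered to a CI-enabled WLAN.

    sender_ip/sender_mac identify the on-link device that put the frame on
    the AP's VLAN; whitelist holds (ip, mac) manual-whitelist pairs.
    """
    mac = sender_mac.lower()
    if mac == GATEWAY_MAC or sender_ip in DNS_DHCP_IPS:
        return "allow"
    if (sender_ip, mac) in whitelist:
        return "allow"
    return "drop"

def blocked_senders(frames, whitelist=frozenset()):
    """Count dropped frames per (ip, mac) so each sender can be reviewed."""
    drops = Counter()
    for ip, mac in frames:
        if ci_verdict(ip, mac, whitelist) == "drop":
            drops[(ip, mac.lower())] += 1
    return drops

def whitelist_command(wlan, ip, mac):
    """Format the rkscli line from this article for one reviewed sender."""
    return f"set manual-whitelist {wlan} add {ip} {mac.lower()} 1"

# Constructed capture summary: (on-link sender IP, sender MAC) per frame.
FRAMES = [
    ("172.16.108.1", "02:00:00:00:00:01"),   # gateway
    ("172.16.108.2", "02:00:00:00:00:02"),   # DNS
    ("172.16.108.20", "02:00:00:00:00:AA"),  # firewall replying directly
    ("172.16.108.20", "02:00:00:00:00:aa"),
    ("172.16.108.77", "02:00:00:00:00:bb"),  # unknown same-VLAN host
]

if __name__ == "__main__":
    for (ip, mac), n in blocked_senders(FRAMES).items():
        print(f"{n} frame(s) dropped from {ip} {mac}")
```

With only the firewall pair whitelisted, the unknown same-VLAN host at 172.16.108.77 is still dropped, which is the isolation the WLAN is meant to keep.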

Article Number:
000006355

Updated:
June 07, 2021 10:56 PM

Tags:
Configuration, Installation, Security, Troubleshooting, Known Issues and Workarounds, Ruckus Cloud WiFi
