I have a multi-BSSID WAP (EAP600) that allows mapping of BSSIDs to VLANs.
This WAP is connected to a VLAN capable Cisco switch (SG200), which is trunked into a UTM 9 Essential firewall running in an ESXi 5.5 VM.
There are 2 VLANs - Production 10 and Guest 20. Each VLAN has its' own subnet, DHCP server and firewall rules in the UTM.
Connecting to the various radios on the WAP works, an IP is assigned and I get internet (web and email) access - all as planned.
Starting to tighten things up - I don't want any access from VLAN_20 (Guest) to VLAN_10 (Production), so the next rule implemented is ->
Source Service Destination Action
VLAN_20 Network Any VLAN_10 Network Drop
This appears to work except VLAN 20 can access Webadmin on VLAN_10.
So I modify the rule to include the Destination VLAN_10 Address.
VLAN_20 can still access Webadmin on VLAN_10.
The VLAN_20 subnet is not in the list of allowed webadmin subnets.
Any suggestions on how to fix this ?
Thanks,
Mike
