Layer 3 (L3) outbound firewall

Last updated 7 hours ago

The Needs / Function Introduction

As more and more devices connect to networks over Wi-Fi (laptops, phones, IoT devices and so on), it becomes increasingly important to control where that wireless traffic can go, especially when those devices try to reach wired devices or the Internet.

That’s where the Layer 3 outbound firewall comes in. It gives us, as network admins, better control over outbound traffic from wireless clients.

With these firewall rules, we can decide whether to allow or block traffic going from Wi-Fi clients to the wired LAN or the Internet. This feature helps improve network security by managing outbound traffic from wireless clients to other network resources.

How it works

L3 firewall rules are defined to evaluate outbound traffic that is directed from wireless clients to the wired LAN or the Internet. The key components of how this works are as follows:

  • Top-Down Evaluation: Firewall rules are processed from top to bottom.

  • First Match Applies: The first rule that matches the traffic is applied, and all subsequent rules are ignored.

  • Default Rule: If no rule matches, the default rule applies; it allows all traffic.

  • Stateless Behavior: L3 firewall rules are stateless, meaning each packet is evaluated independently, without tracking session state or connection history.

  • Rule Number Limit: Each AP supports up to 256 user-defined Layer 3 firewall rules.

Deny "Private Address" Setting

A key L3 firewall rule is the "Private Address" default rule, which lets administrators quickly control whether wireless clients can reach wired and wireless devices within the private address ranges.

A common use case for this rule is a guest SSID. By changing the policy for traffic destined to Private Address from Allow to Deny, clients on the guest SSID are prevented from reaching the private address ranges but can still reach the Internet. This feature works in both Bridge Mode and NAT Mode.

The Private Address destination covers the RFC1918 ranges:

  • 10.0.0.0/8

  • 172.16.0.0/12

  • 192.168.0.0/16

Configuring the Private Address Deny Rule

To configure the Private Address Deny rule, follow these steps:

  1. Navigate to Configure > Access Point > Select SSID > Firewall

  2. Click the Edit button and then change the "Policy" for the row with Destination as Private Address from Allow to Deny.

  3. Click Apply to save changes at the top right of the page.

Better to know

If clients on this SSID need access to other subnets within the RFC1918 private address spaces, you'll need to configure an additional Layer 3 firewall rule to allow traffic to those subnets. This rule must be placed above the Private Address rule in the list, because the first matching rule wins.

Example Configuration

In this case, we want to block traffic from the 10.0.0.0/8 network to the 192.168.1.0/24 network but allow access to other remote networks like the Internet.

Here’s how it works with the rules:

  • Rule 1: Any traffic from 10.0.0.0/8 to 192.168.1.0/24 is blocked because it matches this rule with a "Deny" action.

  • Rule 2/3: The default rule allows all other traffic, so if traffic does not match Rule 1, it will be allowed.

As a result, traffic to the 192.168.1.0/24 network is blocked, while all other traffic, including Internet access and other private addresses such as 172.16.1.1, is still allowed.
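The following is an added example, not EnGenius code, that models the rule semantics described under "How it works" (top-down, first match wins, stateless, default allow, 256-rule limit) and runs them over the two scenarios on this page: the Example Configuration above (deny 10.0.0.0/8 to 192.168.1.0/24) and the guest SSID Private Address deny with an Allow exception placed above it. It also includes a small check that flags rules which can never match because an earlier rule already covers them, which is exactly what happens when the Allow exception is put below the Private Address row. The rule names, the 192.168.50.0/24 "printer" subnet, the 192.168.100.0/24 guest client address and the 203.0.113.10 Internet host are constructed for the example; the model matches on source and destination address only and does not reproduce every field the AP's rule editor offers.

```python
"""Model of first-match, stateless L3 outbound rule evaluation.

Added example for this page; not EnGenius code. Only source/destination
address matching is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

MAX_RULES = 256  # per-AP limit stated on the page

# The RFC1918 ranges that the page's "Private Address" destination stands for.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_networks(scope: str):
    """Expand a rule scope ("any", "private" or a CIDR) into IPv4 networks."""
    if scope == "any":
        return [ip_network("0.0.0.0/0")]
    if scope == "private":
        return PRIVATE_RANGES
    return [ip_network(scope, strict=False)]


def _in_scope(scope: str, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in _as_networks(scope))


def _covers(outer: str, inner: str) -> bool:
    """True when every address in `inner` is also inside `outer`."""
    return all(any(i.subnet_of(o) for o in _as_networks(outer)) for i in _as_networks(inner))


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR, "any" or "private" (the page's Private Address row)
    policy: str  # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in_scope(self.src, src_ip) and _in_scope(self.dst, dst_ip)


def within_rule_limit(rules: List[Rule]) -> bool:
    return len(rules) <= MAX_RULES


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Decide one outbound packet: top-down, first match wins, default allow.

    Stateless: every packet is judged on its own, nothing is remembered.
    """
    if not within_rule_limit(rules):
        raise ValueError(f"an AP supports at most {MAX_RULES} user-defined rules")
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.policy
    return "allow"  # the default rule


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule fully covers them."""
    shadowed = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                shadowed.append(later.name)
                break
    return shadowed


# The page's Example Configuration: deny 10.0.0.0/8 -> 192.168.1.0/24, allow the rest.
EXAMPLE_RULES = [Rule("Rule 1", "10.0.0.0/8", "192.168.1.0/24", "deny")]

# Guest SSID (constructed): allow one printer subnet, deny the rest of the private space.
GUEST_RULES_OK = [
    Rule("Allow printers", "any", "192.168.50.0/24", "allow"),
    Rule("Private Address", "any", "private", "deny"),
]
# Same two rules in the wrong order: the exception sits below the deny and never matches.
GUEST_RULES_BAD = list(reversed(GUEST_RULES_OK))

if __name__ == "__main__":
    for dst in ("192.168.1.10", "172.16.1.1", "203.0.113.10"):
        print("example  10.1.2.3 ->", dst, evaluate(EXAMPLE_RULES, "10.1.2.3", dst))
    for dst in ("192.168.50.7", "192.168.1.1", "203.0.113.10"):
        print("guest ok 192.168.100.5 ->", dst, evaluate(GUEST_RULES_OK, "192.168.100.5", dst))
    print("guest bad printer access:", evaluate(GUEST_RULES_BAD, "192.168.100.5", "192.168.50.7"))
    print("shadowed in bad order:", shadowed_rules(GUEST_RULES_BAD))
```

Run the file directly to see both scenarios evaluated; the shadow check is the part worth keeping around, since a rule that reads correctly on its own but sits below a broader deny silently does nothing.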

Must know

ECW AP Firmware: v1.x.95 or above

For this firewall rule, "private addresses" refers to any destination IP address within the RFC1918 private address spaces.
Layer 3 Outbound Firewall Rules