The following set of rules has been successfully tested.
The policy contains five rules:
- First rule only denies all IPv6 traffic.
- Second rule allows traffic from the client (MU) into the AP; basically, it allows the initial DHCP Discover.
- Third rule allows IP traffic from the network DHCP server on the wired network to the clients.
- Fourth rule blocks all DHCP Server traffic (destination) from all clients to a DHCP offer.
- Fifth rule is for DNS traffic.
To fully test:
- Place a second DHCP server on the network. Although the second DHCP server replied to the Discovers, the client only accepted the DHCP offer from the true network server.
- Remove the second and third rules, and confirm the test clients do NOT receive an IP address when trying to connect to the test BSSID.
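
The rule ordering and both tests above can be checked with a small first-match model. This is an added example, not the AP's own configuration syntax; it assumes top-down first-match evaluation with an implicit deny at the end, reads the fourth rule as "deny any remaining UDP 67 to 68 traffic", ignores interface direction, and uses constructed addresses (`192.0.2.10` for the network DHCP server, `192.0.2.66` for the second server).

```python
# Added illustration: first-match model of the five-rule policy (not vendor syntax).
# Assumptions: top-down evaluation, first match wins, implicit deny at the end.
DHCP_SERVER = "192.0.2.10"   # constructed address of the true network DHCP server
SECOND_SERVER = "192.0.2.66" # constructed address of the second (test) DHCP server

POLICY = [
    ("deny",  {"ipver": 6}),                                      # 1: deny all IPv6
    ("allow", {"proto": "udp", "sport": 68, "dport": 67}),        # 2: client Discover
    ("allow", {"proto": "udp", "src": DHCP_SERVER,
               "sport": 67, "dport": 68}),                        # 3: true server
    ("deny",  {"proto": "udp", "sport": 67, "dport": 68}),        # 4: other DHCP servers
    ("allow", {"dport": 53}),                                     # 5: DNS
]

def evaluate(policy, pkt):
    """Return the action of the first rule whose fields all match the packet."""
    for action, match in policy:
        if all(pkt.get(field) == value for field, value in match.items()):
            return action
    return "deny"  # assumed implicit deny when no rule matches

def client_gets_offer(policy, server_ip):
    """True only if both the client's Discover and the server's Offer pass."""
    discover = {"ipver": 4, "proto": "udp", "src": "0.0.0.0",
                "sport": 68, "dport": 67}
    offer = {"ipver": 4, "proto": "udp", "src": server_ip,
             "sport": 67, "dport": 68}
    return (evaluate(policy, discover) == "allow"
            and evaluate(policy, offer) == "allow")

def without_rules(policy, *numbers):
    """Copy of the policy with the given 1-based rule numbers removed."""
    return [r for i, r in enumerate(policy, start=1) if i not in numbers]

if __name__ == "__main__":
    print("true server offer accepted:", client_gets_offer(POLICY, DHCP_SERVER))
    print("second server offer accepted:", client_gets_offer(POLICY, SECOND_SERVER))
    reduced = without_rules(POLICY, 2, 3)
    print("lease with rules 2 and 3 removed:", client_gets_offer(reduced, DHCP_SERVER))
```

Swapping rules three and four in `POLICY` makes the true server's offer hit the deny first, which shows why the order of the list matters under first-match evaluation.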