I have a router on a stick configured for a voice VLAN, a data VLAN, and a wifi VLAN. The wifi is a Cisco AP and has 2 SSIDs: one for internal users, which uses the data VLAN, and the other for the guest VLAN. We do not want anyone on the guest VLAN to be able to access the company network, only the internet. Without any ACLs applied, the users on the guest network can access the network, but they can ping the server and anyone on the company network.
I tried to add ACLs on the router, so while it drops traffic to the 192.168.2.0 network, it doesn't get out to the internet. I tried different combinations, but at this point I'm just confusing myself. I figured I would just deny traffic from the 192.168.3.0 network to the server located at .250 and apply it inbound at f0/0.51, but the users don't connect to the wifi then.
The router is a 2811, which is running DHCP for the voice and guest wifi VLANs. It forwards outside traffic to the ASA 5505, which sits on the edge of the network.
Router IPs are 192.168.2.1 and 192.168.3.1
Router data VLAN 192.168.2.0/24
Router guest wifi VLAN 192.168.3.0/24
encapsulation dot1Q 51
ip address 192.168.3.1 255.255.255.0
ip access-group 100 in
encapsulation dot1Q 50
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.2.250
access-list 100 deny ip 192.168.3.0 0.0.0.255 host 192.168.2.250
access-list 100 permit ip 192.168.3.0 0.0.0.255 ANY
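
Added example, not part of the original post: a small Python model of how IOS evaluates access-list 100 as posted (first match wins, implicit deny at the end), run against constructed sample packets arriving inbound on the guest subinterface. The sample addresses 192.168.3.20, 192.168.2.10 and 203.0.113.10 are assumptions chosen for illustration.

```python
import ipaddress

# ACL 100 as posted: (action, source, source wildcard, destination, dest wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("deny",   "192.168.3.0", "0.0.0.255", "192.168.2.250", "0.0.0.0"),
    ("permit", "192.168.3.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """Return (action, entry number) of the first matching entry, or the implicit deny."""
    for number, (action, s_base, s_wc, d_base, d_wc) in enumerate(acl, start=1):
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action, number
    return "deny", None  # implicit "deny ip any any" that ends every ACL

# Constructed sample packets as seen inbound on the guest subinterface.
SAMPLES = {
    "DHCP DISCOVER from a client with no address yet": ("0.0.0.0", "255.255.255.255"),
    "guest to the server at .250": ("192.168.3.20", "192.168.2.250"),
    "guest to another data VLAN host": ("192.168.3.20", "192.168.2.10"),
    "guest to an internet host": ("192.168.3.20", "203.0.113.10"),
}

def report(acl=ACL_100):
    """Evaluate every sample packet and return {description: (action, entry)}."""
    return {name: evaluate(acl, src, dst) for name, (src, dst) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, number) in report().items():
        rule = f"entry {number}" if number else "implicit deny"
        print(f"{action:6} {rule:13} {name}")
```

The model shows two things about the list as written: a DHCP DISCOVER sourced from 0.0.0.0 matches neither entry and falls to the implicit deny, and only the single host 192.168.2.250 is blocked while the rest of 192.168.2.0/24 is still permitted by the second entry.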