Help With weird Wireless problem on AP50

Hi All

Looking for some ideas on what's wrong with my setup.

I have used the AP50 for a long time now with a Private WLAN bridged to AP LAN all working fine

Yesterday I created (added) a Public WLAN (for guest internet access) to a separate zone (wlan0)
I've added a DHCP server to Public WLAN
Masqueraded Public WLAN to WAN
Added a firewall rule to allow all from Public WLAN to any ip
Added Public WLAN to allowed networks in DNS
I've turned off (for debugging) IPS, Filtering, Visibility

When I connect my laptop to the Public WLAN SSID it connects and gets an IP address from the DHCP server. I can do an nslookup to google.com and ping google.com.
I cannot browse the web, although facebook half loads the page.
In the browser google.com, slashdot.org, bbc.co.uk, ebay.co.uk won't load.

TeamViewer host does connect OK.
Dropbox has error "Cannot establish a secure connection".
IMAP mail client connects OK (I monitor the IMAP server) but does not download any "messages".

I'm kinda at a loss at the moment, any ideas?


  • Added a firewall rule to allow all from Public WLAN to any ip

    You probably want 'Public WLAN (Network) -> Any -> Internet' instead.

    Added Public WLAN to allowed networks in DNS

    Unless you have specific things on your LAN that they should be able to reach, I wouldn't recommend that - let them use public DNS.

    Check the Web Filtering log file to be sure they're not going through that.  If that doesn't help, try #1 in Rulz.  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the input Bob

    I started from a clean install (don't ask as it all went foobar !!) restored my backup and then removed all wireless defs, then did a factory reset of all things wireless and used the wizard. - No luck

    I did try 'Public WLAN (Network) -> Any -> Internet' as well but no luck

    And as suggested, removed the DNS allowance for the guest network. I changed the DHCP server to give out 8.8.8.8 as DNS and added the DNS service to the firewall rules.

    this had no effect.

    What is really strange is even though the guest WLAN is now separate (not even DNS from my internal server) TeamViewer (application) still works as does facebook (in a browser) !! but not any other website that I have found (it's not a cache).
    From a client on the WLAN I can ping OK and do DNS, just weird !!

    I've disabled IPS, filtering, ATP, all to no avail.
  • Do you have a MASQ rule in place?
    Do some of these sites try to use the web proxy?

    Ian

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • Do you have HTTPS scan on the proxy turned on?
    For testing only, disable the web proxy and set up a WIRELESS -> ANY -> INTERNET packet filter.
    You should then see the requests in the packet filter log.

    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)
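A client-side triage script for the symptom pattern in this thread (name resolution and ping work, but HTTP/HTTPS fails on most sites), added here as an example and not code from the thread, from Bob, or from Sophos. It assumes a POSIX sh with nslookup, ping, nc and openssl on the guest laptop; the host list is a constructed sample and UTM_CA_PATTERN is a placeholder for the name of the UTM's HTTPS-scanning CA.

```shell
#!/bin/sh
# Guest-WLAN triage run from a client on the public SSID. Added example, not
# from the thread or Sophos. Assumes POSIX sh plus nslookup, ping, nc, openssl.
# HOSTS is a constructed sample list; UTM_CA_PATTERN is a placeholder glob for
# the issuer name of the UTM's HTTPS-scanning CA (adjust to your deployment).
HOSTS="${HOSTS:-www.example.com facebook.com}"
UTM_CA_PATTERN="${UTM_CA_PATTERN:-*UTM*}"

# classify DNS ICMP TCP ISSUER -> one-word verdict.
# DNS/ICMP/TCP are "ok" or "fail"; ISSUER is the issuer line openssl printed
# (empty when the TLS handshake never completed).
classify() {
  dns=$1; icmp=$2; tcp=$3; issuer=$4
  if [ "$dns" != ok ]; then echo dns-broken; return 0; fi
  if [ "$tcp" != ok ]; then
    # Ping works but port 443 does not: a filter, not routing, is in the way.
    if [ "$icmp" = ok ]; then echo tcp-blocked-icmp-ok; else echo no-route; fi
    return 0
  fi
  case "$issuer" in
    "") echo tls-handshake-failed ;;          # connect ok, handshake died
    $UTM_CA_PATTERN) echo tls-intercepted ;;  # proxy re-signed the cert
    *) echo tls-direct ;;                     # real issuer: traffic not proxied
  esac
}

# Gather the four inputs for one host and print host, raw results, verdict.
probe() {
  h=$1
  nslookup "$h" >/dev/null 2>&1 && d=ok || d=fail
  ping -c 1 -W 2 "$h" >/dev/null 2>&1 && i=ok || i=fail
  nc -z -w 3 "$h" 443 >/dev/null 2>&1 && t=ok || t=fail
  iss=$(printf '' | openssl s_client -connect "$h:443" -servername "$h" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null)
  echo "$h dns=$d icmp=$i tcp443=$t verdict=$(classify "$d" "$i" "$t" "$iss")"
}

# Only touch the network when invoked as: sh triage.sh run
if [ "${1:-}" = run ]; then
  for h in $HOSTS; do probe "$h"; done
fi
```

A "tls-intercepted" verdict means HTTPS scanning is still in the path for that client, and "tls-handshake-failed" with port 443 reachable is what to line up against the web filter and firewall live logs.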

  • Hi, I thought that I would be alone with that, and now I've found this thread. We have exactly the same issue as you. I am very surprised how you solved that incident. I would give more information if needed. Greetings.
  • Hi, I allow myself to answer your suggestion: we have HTTPS scan in our proxy. I deactivated the proxy completely and viewed the packet filter log. Still no luck, the issue still remains, but the packet filter log shows no drops or anything else. Everything shows green, as we know how it normally looks.....
  • And have you set up a masquerading rule for this interface? See Network Protection -> NAT -> Masquerading (YOURNETWORK -> UPLINK OR WAN INTERFACE)

    How do you look at the log files? WebAdmin log viewer? Try SSH because there is no latency.


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)

  • Instead of grepping at the command line, I usually start the relevant Live Logs and watch for activity.  In all but the Firewall log, the relevant line(s) can be copied out of the Live Log.  For the Firewall log, find the corresponding line in the full Firewall log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I set up a masquerading rule. Just for a try I changed it to NAT, with no luck. The issue still persists. I can see the packets flowing in the firewall live log (WebAdmin) with no problems....

  • Sorry, but I have no idea what the problem is. You wrote you have disabled HTTPS scan. Are you sure that your web filter configuration is correct? I hope the requests don't reach the firewall under the wrong "profile", so that you have turned off HTTPS scan for the wrong profile (and in addition left HTTPS scan on in the base policy/base profile?).

    What happened if you create a second SSID? Same issue?

    Do you have another Sophos Access Point Model to test the issue on them?
    If not, you can reflash your Access point 
    www.sophos.com/.../118843.aspx

    Have you tried different clients (e.g. notebook, smartphone, ..)?

    I had the problem a long time ago: when I was connected to a different SSID on the same UTM, got a lease from the DHCP server and then changed to the guest SSID, the UTM had a lot of trouble handling the requests from the guest SSID because there was another active lease with the same MAC on the other SSID (the DHCP server was also the UTM) (I believe it was a bug which has been fixed :>)


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)