Wireless separate zone behind a RED 15W - issues

We currently have a Sophos SG310 running UTM 9.402-7. We have a remote location with a RED 15W in Standard/Unified mode (so all traffic is tunneled to the UTM, internal and external). I am trying to add another wireless network in a separate zone so I can control its traffic separately from the other wireless network. I can connect to the new wireless network without issue and I receive an IP from the DHCP server running on the UTM. I can also resolve DNS and ping out to the internet from the wireless network (ping is low and stable, no observable packet loss), but when trying to load a website, traffic is passing so slowly that the page pretty much never loads. I assume at least some traffic is passing because it never really times out. The browser just sits there like it's waiting for the server. Normally if you have no traffic passing, it's going to time out within 30 or 60 seconds. That doesn't seem to happen. The other wireless network that is bridged to the LAN works fine.

Troubleshooting: I had to physically drive to the remote location to troubleshoot, so I didn't have a lot of time, but below is what I tried:

I turned off web filtering, and opened up the firewall -> no go.
I rebooted the RED and tried toggling the interface, NAT, and firewall rules on the UTM off and back on -> no go.
I tried adjusting the MTU on the interface -> no go.
I tried removing the wireless network from the AP and re-attaching it -> no go.

Below is an overview of the configuration:

Wireless Protection > Wireless Networks: Created a new wireless network:

SSID: Test-Network
Encryption: WPA2 Personal
Algorithm: AES
Client Traffic: Separate Zone
Client Isolation: Disabled

Access Points: Attached the wireless network to the RED access point - the network shows up and I can connect to it without issue

Interfaces: I created an interface using wlan2 that was created for the wireless network

Name: Test-Network
Type: Ethernet
Hardware: wlan2 (Remote Wireless Network)
IPv4 address: 10.2.1.1
Netmask /24
MTU: 1500 (same as all the other interfaces)

Network Services > DHCP: Created DHCP server for the wireless network - seems to work fine. Devices connecting to the wireless network get an IP as they should

Interface: Test-Network
Range start: 10.2.1.100
Range end: 10.2.1.254
DNS is set to Google
Default gateway: 10.2.1.1

Network Protection > Firewall: I created a rule to allow DNS, HTTP, HTTPS, PING services from Test-Network (Network) to Internet IPv4

Network Protection > NAT: Created a new Masquerading Rule for Test-Network (Network) > External (same as most of the other networks)

I also set up Web filtering, but I won't even bother posting that config here as I have the issue even with web filtering turned off.

Any clues? Is there something obvious I'm missing? Is there a better way to accomplish this? Any help is appreciated. Figured I'd try here before opening a support ticket.

  • I'm having the same issues.


    Anyone have any thoughts?


    Thanks!

  • Do #1 in Rulz - I don't expect that to help, but those logs should be looked at to be able to eliminate many possible causes.  You probably want to look at the RED and Wireless Protection logs, too, before you do a tcpdump on wlan2.

    Any luck with any of that?

    Cheers - Bob

  • In reply to BAlfson:

    BAlfson

    Do #1 in Rulz - I don't expect that to help, but those logs should be looked at to be able to eliminate many possible causes.  You probably want to look at the RED and Wireless Protection logs, too, before you do a tcpdump on wlan2.

    Any luck with any of that?

    Cheers - Bob


    I toggled IPS and Advanced Threat Protection off completely, guess I forgot to mention that in the first post. It didn't help. I couldn't see anything in the logs that would indicate an issue with traffic flow and no traffic was being denied unexpectedly. I didn't touch Application Control, so that's something I could try, but that would be really odd.

    I have a ticket open with support and am supposed to have a call with an engineer this afternoon, so we'll see how that goes.

    Thanks!

  • In reply to JasonWalker:

    "I toggled IPS and Advanced Threat Protection off completely" - hmmm, I guess that means you didn't check the Intrusion Prevention log for the other things in there unrelated to Snort...

    Cheers - Bob

  • In reply to BAlfson:

    BAlfson

    "I toggled IPS and Advanced Threat Protection off completely" - hmmm, I guess that means you didn't check the Intrusion Prevention log for the other things in there unrelated to Snort...

    Cheers - Bob


    JasonWalker
    I couldn't see anything in the logs that would indicate an issue with traffic flow and no traffic was being denied unexpectedly.

    I've spent hours scouring the logs. I can see where you're heading, so I'll let Sophos support take it from here. I guess that's what we pay them for. Thank you for the help.

  • In reply to JasonWalker:

    It is a mystery, then.  Please let us know what Support discovers.

    Cheers - Bob

  • In reply to BAlfson:

    A support engineer spent an hour and a half and didn't get anywhere, so it's been escalated.

  • In reply to JasonWalker:

    Hi,


    I'm experiencing exactly the same issue with a near identical setup, except the IPs are different. Firmware of the UTM is 9.510-5.


    Interestingly, I have some RED sites with APs working fine and others that don't, even though it's the same wifi network, etc.


    I have had to log a call with Sophos and I'm hoping to post the resolution to this, unless one already exists?

  • In reply to SGICT:

    FIXED!

    After a month of working with Sophos technical support I didn't get anywhere with this; they were completely stumped, so I battled on with this on my own and nailed it, well, for my customer anyway.

    I had to set the MTU size of the wireless network which I wanted to isolate to 1100 from 1500, and alter the primary DNS of the DHCP scope on the UTM for this wireless network from the UTM's own to Google DNS, even though I had allowed it to query the DNS engine on there.

    What is really odd is some sites were working fine before this change but others weren't. The sites that didn't work still functioned fine for a wifi network set to AP Bridge to LAN, it was only separate LAN that broke.

    Very odd but hope this helps anyone who has this issue.
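The symptom pattern in the original post (small ICMP and DNS packets pass, bulk HTTP stalls instead of timing out) together with the fix reported above (interface MTU lowered from 1500 to 1100) is what a path-MTU problem looks like over a tunnel: anything that fits passes, full-size segments are dropped. Rather than guessing an MTU value, the largest unfragmented packet the tunnel path carries can be measured from a client on the separate-zone wireless network. The script below is an added example, not code from the thread or from Sophos; it assumes Linux iputils `ping`, whose `-M do` flag sets the Don't-Fragment bit and `-s` sets the ICMP payload size, and it assumes a reachable target that answers ICMP echo. The `find_path_mtu` function takes the probe as a parameter so the search logic can be exercised with a simulated path as well.

```python
"""Measure the path MTU from a wireless client by binary-searching DF-flagged pings.

Added example for the Sophos RED separate-zone thread; not the project's own code.
Assumes Linux iputils ping (-M do = Don't Fragment, -s = ICMP payload bytes).
"""
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20
ICMP_HEADER = 8
# Difference between the ICMP payload size given to ping -s and the on-wire IP packet size.
OVERHEAD = IPV4_HEADER + ICMP_HEADER  # 28 bytes


def ping_df(target: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one Don't-Fragment ping of `payload` bytes; True if a reply came back.

    A local "message too long" error or a silent drop both return False, which is
    what we want: either way that size does not cross the path intact.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), target]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except FileNotFoundError as exc:
        raise RuntimeError("iputils ping not found; this probe assumes Linux") from exc
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 100, hi: int = 1472) -> int:
    """Return the largest IP packet size (bytes) the path carries unfragmented.

    `probe(payload)` must return True when a DF ping of that payload succeeds.
    `lo` is a payload that must pass (if it fails, connectivity is broken, not MTU);
    `hi` defaults to 1472, the payload that fills a 1500-byte Ethernet MTU.
    """
    if not probe(lo):
        raise RuntimeError(
            f"even a {lo + OVERHEAD}-byte packet fails: connectivity problem, not an MTU problem"
        )
    if probe(hi):
        # A full-size packet passes; the path MTU is at least the interface MTU.
        return hi + OVERHEAD
    # Invariant from here: probe(lo) passes, probe(hi) fails.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + OVERHEAD


def recommend_interface_mtu(path_mtu: int, configured_mtu: int = 1500) -> int:
    """Return the MTU to set on the separate-zone interface: the measured path MTU,
    or the configured value if the path already carries full-size packets."""
    return min(path_mtu, configured_mtu)


if __name__ == "__main__":
    # Usage: python3 pmtu_probe.py 8.8.8.8   (run from a client on the separate-zone wireless network)
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    mtu = find_path_mtu(lambda payload: ping_df(target, payload))
    print(f"path MTU towards {target}: {mtu} bytes")
    print(f"suggested interface MTU: {recommend_interface_mtu(mtu)}")
```

If the measured value comes back well below 1500 while the bridged-to-LAN wireless network is unaffected, the drop is happening on the tunnelled path for that zone, which is consistent with the fix in the thread; if the full-size probe passes, the MTU is not the bottleneck and the firewall, IPS and web filtering logs Bob mentions are the next place to look.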