No DHCP Offers in separate Zone WLAN

Hi there,

Today I faced a weird problem.

I've set up some wireless networks at a customer's UTM.

All APs were rolled out to their final location (some of them at the local site, some of them at remote sites).

The remote sites are connected to the main office by MPLS.

All APs showed up in the UTM and had been accepted properly. WLANs are configured as a separate zone and a DHCP server is configured for this network.

The problem is as follows:

Clients in the main office can receive an IP address as expected; clients in the remote office can see the SSID and connect but cannot obtain an IP address over DHCP.

Any ideas?


Kind regards

Tobias



  • Hmmm, the solution was to enable port 8472 UDP on the firewall, from the WiFi network (AP network) to the APs.

    In the test phase I had enabled it for one AP and was surprised, after connecting another AP, that clients did not get IPs on this second AP :)

    So check your firewall logs :)

  • Hi Vodochnik,

    Can you show us a picture of the configuration that gave you the solution to this post?

    Thanks

    P.S.- Edited the post for clear reference.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hello sachingurung,

    I already have a solution, screenshots:

    1) Define a service under Definitions&Users -> Service Definitions. UDP 8472->8472

    2) Set static DHCP for the access points (I use another DHCP server, not Astaro's one) so you can define the APs by IP:

    I have added all APs to a newly created group AP_ALL

    3) Define a firewall rule to allow Astaro's DHCP to communicate with the APs:

    My setup: 1 internal WiFi network (VLAN 14), which is allowed to communicate with the other VLANs in the company, so employees have access to company resources.
    The APs live in this VLAN 14, getting static IPs from DHCP.

    Guest Network is separated, separate Zone:

    After you create such a WiFi network, you will have a new virtual interface wlan0 in your system.
    Go to Interfaces&Routing -> Interfaces and create a new interface, name it as you wish and define some network for WiFi guests:

    I chose 172.19.34.0 as it's rarely used. The IP above will be the gateway for all guests.

    Now go to Network protection - NAT Masquerading and create a NAT rule, so guests get an internet connection:

    Now you have to create a new Astaro DHCP server, serving clients in the guest WiFi:

    OK, now anybody can connect to the unsecured WiFi and has internet access.

    The matter is that guests request an IP from DHCP, but DHCP sends the offer to the access point's IP address; they communicate in their own WiFi network, in my case VLAN 14.
    Not in the guests' network!
    So you have to enable such communication :)

    Hope this short howto helps somebody :)

    P.S. I don't allow anybody to use the company's WiFi (stupid German laws), so here is the hotspot setup (wireless protection -> hotspots):

    Unfortunately, redirecting to the landing page (asking for a voucher) does not work with HTTPS; e.g. if the user goes to, say, Google, he will not get this page, the request just times out!
    I will resolve this by creating a custom voucher template with explicit instructions.

    So go and vote (but I don't think Sophos would care about it, it's not Astaro anymore :( )

    http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/3473039-hotspot-redirection-also-on-https-access

    http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/12478182-hotspot-redirect-for-clients-starting-with-https-p

     

    Best regards

    Vodochnik
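
The "check your firewall logs" step from the replies above, as an added example that is not part of the original posts: it counts dropped UDP 8472 packets per destination and compares them with the AP group used in the firewall rule. The `key="value"` log layout, the field names, the sample lines and all IP addresses are constructed assumptions.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)="([^"]*)"')
TUNNEL_PORT = "8472"   # UDP port named in the thread
UDP = "17"             # IP protocol number for UDP

# Constructed sample lines, not taken from the thread; field names are assumed.
SAMPLE_LOG = """\
2016:03:01-10:15:01 utm ulogd[4321]: name="Packet accepted" action="accept" srcip="10.14.0.1" dstip="10.14.0.21" proto="17" srcport="8472" dstport="8472"
2016:03:01-10:15:02 utm ulogd[4321]: name="Packet dropped" action="drop" srcip="10.14.0.1" dstip="10.14.0.22" proto="17" srcport="8472" dstport="8472"
2016:03:01-10:15:07 utm ulogd[4321]: name="Packet dropped" action="drop" srcip="10.14.0.1" dstip="10.14.0.22" proto="17" srcport="8472" dstport="8472"
2016:03:01-10:15:09 utm ulogd[4321]: name="Packet dropped" action="drop" srcip="10.14.0.1" dstip="10.14.0.23" proto="6" srcport="40112" dstport="8472"
2016:03:01-10:15:11 utm ulogd[4321]: name="Packet dropped" action="drop" srcip="172.19.34.50" dstip="10.14.0.5" proto="17" srcport="5353" dstport="5353"
truncated line without fields
"""


def dropped_tunnel_targets(log_text):
    """Count dropped UDP/8472 packets per destination IP."""
    drops = Counter()
    for line in log_text.splitlines():
        f = dict(KV.findall(line))  # lines without key="value" pairs give {}
        if (f.get("action") == "drop" and f.get("proto") == UDP
                and f.get("dstport") == TUNNEL_PORT and "dstip" in f):
            drops[f["dstip"]] += 1
    return drops


def classify(drops, ap_group):
    """Split dropped destinations by whether the rule's AP group lists them."""
    missing = sorted(ip for ip in drops if ip not in ap_group)
    listed = sorted(ip for ip in drops if ip in ap_group)
    return missing, listed


if __name__ == "__main__":
    ap_all = {"10.14.0.21"}  # hypothetical contents of the AP_ALL group
    missing, listed = classify(dropped_tunnel_targets(SAMPLE_LOG), ap_all)
    print("dropped on 8472, not in AP group:", missing)
    print("in AP group but still dropped (check rule source/order):", listed)
```

A destination reported as missing matches the case described in the thread, where the rule covered one AP and a second AP was connected later.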
