TV box connected to Wifi can connect to VPN, while wired cannot

I have TV boxes that require a VPN connection.

My Unifi APs have 3 SSIDs.  SSID1 is not joined to any VLAN.  SSID2 and SSID3 are in different VLANs, and belong to different subnets.  Since SSID1 is not in any VLAN, it gets the same IP address as wired.  Since it's not on a separate VLAN, I assume it will be using my default firewall rule, where all wired ports go.  SSID2 and SSID3 each have their own firewall rules.

My problem is, when connected to the Wifi (all three VLANs), my VPN doesn't have a problem.  When connected wired, my VPN can't connect.  It encounters a problem.

When I say SSID1 is not in any VLAN, it means I didn't set the SSID to be in a separate subnet.  

Please help.

  • jang430,

    please check the drop-packet-capture "host x.x.x.x" where x.x.x.x is the ip you receive when you are connected to wired.

    community.sophos.com/.../127111

    Regards

  • In reply to lferrara:

    Got this while VPN not connected.  When VPN attempts to connect and fails, my tv box's network gets disabled.

    drop-packet-capture 'host 192.168.1.176'
    2020-02-15 15:53:19 010202130 IP 192.168.1.176.44336 > 104.218.60.190.2086 : proto TCP: F 2216542183:2216542345(162) win 24576 checksum : 26965
    0x0000:  4500 00ca aa1c 4000 4006 2821 c0a8 01b0  E.....@.@.(!....
    0x0010:  68da 3cbe ad30 0826 841d bfe7 efed c9dc  h.<..0.&........
    0x0020:  5019 6000 6955 0000 4745 5420 2f70 6c61  P.`.iU..GET./pla
    0x0030:  7965 725f 6170 692e 7068 703f 7573 6572  yer_api.php?user
    0x0040:  6e61 6d65 3d6a 616e 6734 3330 2670 6173  name=JXXX***&pas
    0x0050:  7377 6f72 643d 5471 6266 6a6f 376c 6420  sword=XXX***XXX.
    0x0060:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
    0x0070:  3030 3130 302e 636f 3a32 3038 360d 0a43  00100.co:2086..C
    0x0080:  6f6e 6e65 6374 696f 6e3a 204b 6565 702d  onnection:.Keep-
    0x0090:  416c 6976 650d 0a41 6363 6570 742d 456e  Alive..Accept-En
    0x00a0:  636f 6469 6e67 3a20 677a 6970 0d0a 5573  coding:.gzip..Us
    0x00b0:  6572 2d41 6765 6e74 3a20 6f6b 6874 7470  er-Agent:.okhttp
    0x00c0:  2f34 2e33 2e31 0d0a 0d0a                 /4.3.1....
    Date=2020-02-15 Time=15:53:19 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=104.218.60.190 l4_protocol=TCP source_port=44336 dest_port=2086 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2020-02-15 15:54:04 010202130 IP 192.168.1.176.44336 > 104.218.60.190.2086 : proto TCP: F 2216542183:2216542345(162) win 24576 checksum : 26965
    0x0000:  4500 00ca aa1d 4000 4006 2820 c0a8 01b0  E.....@.@.(.....
    0x0010:  68da 3cbe ad30 0826 841d bfe7 efed c9dc  h.<..0.&........
    0x0020:  5019 6000 6955 0000 4745 5420 2f70 6c61  P.`.iU..GET./pla
    0x0030:  7965 725f 6170 692e 7068 703f 7573 6572  yer_api.php?user
    0x0040:  6e61 6d65 3d6a 616e 6734 3330 2670 6173  name=JXXX***&pas
    0x0050:  7377 6f72 643d 5471 6266 6a6f 376c 6420  sword=XXX***XXX.
    0x0060:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
    0x0070:  3030 3130 302e 636f 3a32 3038 360d 0a43  00100.co:2086..C
    0x0080:  6f6e 6e65 6374 696f 6e3a 204b 6565 702d  onnection:.Keep-
    0x0090:  416c 6976 650d 0a41 6363 6570 742d 456e  Alive..Accept-En
    0x00a0:  636f 6469 6e67 3a20 677a 6970 0d0a 5573  coding:.gzip..Us
    0x00b0:  6572 2d41 6765 6e74 3a20 6f6b 6874 7470  er-Agent:.okhttp
    0x00c0:  2f34 2e33 2e31 0d0a 0d0a                 /4.3.1....
    Date=2020-02-15 Time=15:54:04 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=104.218.60.190 l4_protocol=TCP source_port=44336 dest_port=2086 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • In reply to jang430:

    Thanks.

    It seems that port TCP 2086 is not opened at all on firewall rules. Can you share the firewall rules?

    Thanks

  • In reply to lferrara:

    My default rule:

    Source- LAN

    Source network and devices- Any

    All the time

    Destination- WAN

    Destination networks- any

    Services-any

    Identity-unticked

    Web malware and content scanning

    Ticked- Scan HTTP/ Block Google Quic/ Scan FTP for malware

    Unticked- Decrypt & scan HTTPS/ Detect zero-day threats with Sandstorm

    Advanced

    Intrusion Prevention- lantowan_general

    Traffic shaping policy- none

    Web policy- No ads or Explicit Content

    Apply web-category-based traffic shaping- Unticked

    Application Control- Allow all

    Apply application-based traffic shaping policy- ticked

    Log firewall traffic- ticked

  • In reply to jang430:

    BTW, port 2086 is while watching IP TV.  My main use is to watch YouTube, with VPN turned on.  Shall I repeat the steps while watching YouTube?  Even with VPN disconnected?  As discussed above, with a VPN connection attempt (while wired), my LAN ends up disabled.  With a wireless connection, it stays connected, and I can watch YouTube with no issues.

  • In reply to jang430:

    Yes, please simulate the issue while drop-packet-capture and tcpdump are running.

    Thanks

  • In reply to lferrara:

    While the VPN app was running, I plugged in the LAN to get a connection.  After a few seconds, I get disconnected.

    drop-packet-capture 'host 192.168.1.176'
    2020-02-15 16:55:49 0101021 IP 192.168.1.176.37275 > 216.58.221.234.443 : proto UDP: packet len: 1358 checksum : 45081
    0x0000: 4500 0562 c849 4000 4011 f4c3 c0a8 01b0 E..b.I@.@.......
    0x0010: d83a ddea 919b 01bb 054e b019 0d15 cf24 .:.......N.....$
    0x0020: e313 4989 db51 3033 3901 bb78 33da a6d3 ..I..Q039..x3...
    0x0030: 3940 f290 570b a001 0514 4348 4c4f 1200 9@..W.....CHLO..
    0x0040: 0000 5041 4400 d503 0000 534e 4900 ec03 ..PAD.....SNI...
    Date=2020-02-15 Time=16:55:49 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=216.58.221.234 l4_protocol=UDP source_port=37275 dest_port=443 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=3 sslvpn_id=0 web_filter_id=6 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=570425354 connid=1796900576 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2020-02-15 16:55:49 0101021 IP 192.168.1.176.37275 > 216.58.221.234.443 : proto UDP: packet len: 1358 checksum : 17748
    0x0000: 4500 0562 c84a 4000 4011 f4c2 c0a8 01b0 E..b.J@.@.......
    0x0010: d83a ddea 919b 01bb 054e 4554 0d15 cf24 .:.......NET...$
    0x0020: e313 4989 db51 3033 3902 d279 8c2a 65b0 ..I..Q039..y.*e.
    0x0030: 0776 2ef7 8905 a001 0514 4348 4c4f 1200 .v........CHLO..
    0x0040: 0000 5041 4400 d503 0000 534e 4900 ec03 ..PAD.....SNI...
    Date=2020-02-15 Time=16:55:49 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=216.58.221.234 l4_protocol=UDP source_port=37275 dest_port=443 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=3 sslvpn_id=0 web_filter_id=6 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=570425354 connid=1796901016 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2020-02-15 16:55:50 0101021 IP 192.168.1.176.37275 > 216.58.221.234.443 : proto UDP: packet len: 1358 checksum : 42545
    0x0000: 4500 0562 c84b 4000 4011 f4c1 c0a8 01b0 E..b.K@.@.......
    0x0010: d83a ddea 919b 01bb 054e a631 0d15 cf24 .:.......N.1...$
    0x0020: e313 4989 db51 3033 3903 a509 dd94 1a3a ..I..Q039......:
    0x0030: 26db 3cd8 225d a001 0514 4348 4c4f 1200 &.<."]....CHLO..
    0x0040: 0000 5041 4400 d503 0000 534e 4900 ec03 ..PAD.....SNI...
    Date=2020-02-15 Time=16:55:50 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=216.58.221.234 l4_protocol=UDP source_port=37275 dest_port=443 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=3 sslvpn_id=0 web_filter_id=6 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=570425354 connid=1796901016 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2020-02-15 16:55:50 0101021 IP 192.168.1.176.37275 > 216.58.221.234.443 : proto UDP: packet len: 1358 checksum : 41938
    0x0000: 4500 0562 c84c 4000 4011 f4c0 c0a8 01b0 E..b.L@.@.......
    0x0010: d83a ddea 919b 01bb 054e a3d2 0d15 cf24 .:.......N.....$
    0x0020: e313 4989 db51 3033 3904 1c31 04a1 ef76 ..I..Q039..1...v
    0x0030: 1061 b36f 512d a001 0514 4348 4c4f 1200 .a.oQ-....CHLO..
    0x0040: 0000 5041 4400 d503 0000 534e 4900 ec03 ..PAD.....SNI...
    Date=2020-02-15 Time=16:55:50 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=68:1d:ef:1c:6d:f9 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.176 dest_ip=216.58.221.234 l4_protocol=UDP source_port=37275 dest_port=443 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=3 sslvpn_id=0 web_filter_id=6 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=570425354 connid=1796906296 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • In reply to jang430:

    This is while VPN is enabled (wirelessly connected).

    drop-packet-capture 'host 192.168.1.179'
    2020-02-15 17:07:13 010202130 IP 192.168.1.179.39362 > 216.58.200.4.80 : proto TCP: F 2310180621:2310180621(0) win 1386 checksum : 26758
    0x0000: 4500 0028 b0af 4000 4006 2786 c0a8 01b3 E..(..@.@.'.....
    0x0010: d83a c804 99c2 0050 89b2 8f0d dbcb 50aa .:.....P......P.
    0x0020: 5011 056a 6886 0000 0000 0000 0000 P..jh.........
    Date=2020-02-15 Time=17:07:13 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=44:ef:bf:64:0a:89 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.179 dest_ip=216.58.200.4 l4_protocol=TCP source_port=39362 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2020-02-15 17:07:13 010202130 IP 192.168.1.179.39362 > 216.58.200.4.80 : proto TCP: F 2310180621:2310180621(0) win 1386 checksum : 26758
    0x0000: 4500 0028 b0b0 4000 4006 2785 c0a8 01b3 E..(..@.@.'.....
    0x0010: d83a c804 99c2 0050 89b2 8f0d dbcb 50aa .:.....P......P.
    0x0020: 5011 056a 6886 0000 0000 0000 0000 P..jh.........
    Date=2020-02-15 Time=17:07:13 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=44:ef:bf:64:0a:89 dest_mac=0c:c4:7a:08:80:3d l3_protocol=IP source_ip=192.168.1.179 dest_ip=216.58.200.4 l4_protocol=TCP source_port=39362 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
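As an added example (not from the thread, and not Sophos code), here is a small Python parser for the drop-packet-capture output format pasted above: it rebuilds each packet from the hex column, separates Firewall_Rule policy drops (fw_rule_id names the rule) from Invalid_Traffic stateful drops (fw_rule_id=0), and labels the payload as cleartext HTTP carrying credentials or as a Google QUIC client hello on UDP/443, which is what the ticked "Block Google Quic" option in the rule targets. The sample capture is constructed from the formats on this page with truncated dumps and made-up credential bytes.

```python
import re
# Constructed sample in the thread's drop-packet-capture format (dumps truncated, credentials
# replaced with made-up "X" bytes; assumptions, not the poster's real data).
SAMPLE = """\
2020-02-15 15:53:19 010202130 IP 192.168.1.176.44336 > 104.218.60.190.2086 : proto TCP: F 2216542183:2216542345(162) win 24576 checksum : 26965
0x0000:  4500 00ca aa1c 4000 4006 2821 c0a8 01b0  E.....@.@.(!....
0x0010:  68da 3cbe ad30 0826 841d bfe7 efed c9dc  h.<..0.&........
0x0020:  5019 6000 6955 0000 4745 5420 2f70 6c61  P.`.iU..GET./pla
0x0030:  7965 725f 6170 692e 7068 703f 7573 6572  yer_api.php?user
0x0040:  6e61 6d65 3d58 2670 6173 7377 6f72 643d  name=X&password=
Date=2020-02-15 Time=15:53:19 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=192.168.1.176 dest_ip=104.218.60.190 l4_protocol=TCP source_port=44336 dest_port=2086 fw_rule_id=0
2020-02-15 16:55:49 0101021 IP 192.168.1.176.37275 > 216.58.221.234.443 : proto UDP: packet len: 1358 checksum : 45081
0x0000: 4500 0562 c849 4000 4011 f4c3 c0a8 01b0 E..b.I@.@.......
0x0010: d83a ddea 919b 01bb 054e b019 0d15 cf24 .:.......N.....$
0x0020: e313 4989 db51 3033 3901 bb78 33da a6d3 ..I..Q039..x3...
0x0030: 3940 f290 570b a001 0514 4348 4c4f 1200 9@..W.....CHLO..
Date=2020-02-15 Time=16:55:49 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev= source_ip=192.168.1.176 dest_ip=216.58.221.234 l4_protocol=UDP source_port=37275 dest_port=443 fw_rule_id=5
"""

def parse_capture(text):  # one record per packet: header line, hex-dump lines, Date= log line
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ IP ", line):
            cur = {"raw": bytearray(), "fields": {}}
            records.append(cur)
        elif cur and line.startswith("0x"):  # at most eight 4-digit hex groups, then the ASCII column
            toks = line.split(":", 1)[1].split()[:8]
            cur["raw"] += bytes.fromhex("".join(t for t in toks if re.fullmatch(r"[0-9a-f]{4}", t)))
        elif cur and line.startswith("Date="):
            cur["fields"] = dict(re.findall(r"(\w+)=(\S*)", line))
    return records

def payload(raw):
    """Skip the IPv4 header and the TCP (variable length) or UDP (8 bytes) header."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] == 6:  # TCP: data offset is the high nibble of header byte 12
        return bytes(raw[ihl + (raw[ihl + 12] >> 4) * 4:])
    return bytes(raw[ihl + 8:]) if raw[9] == 17 else bytes(raw[ihl:])

def explain(rec):
    # Firewall_Rule is a policy decision and fw_rule_id names the rule; Invalid_Traffic is a
    # stateful-inspection drop (no session known for the packet), logged with fw_rule_id=0.
    f, data = rec["fields"], payload(rec["raw"])
    why = f.get("log_component", "?") + " rule=" + f.get("fw_rule_id", "?")
    what = "opaque payload"
    if data.startswith((b"GET ", b"POST ")):
        what = "cleartext HTTP" + (" with credentials in the URL" if re.search(rb"(?i)pass(word)?=", data) else "")
    elif f.get("l4_protocol") == "UDP" and f.get("dest_port") == "443" and b"CHLO" in data:
        what = "Google QUIC client hello on UDP/443"  # what the rule's 'Block Google Quic' drops
    return why, what
```

Note that the hex column carries the full bytes even where the ASCII column of a dump has been redacted, so both columns need redacting before a capture is shared.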