
This discussion has been locked.

Unifi guest portal not working when Sophos Firewall is between guest & production VLANs

Hi all,

Been fighting a problem with the setup of a Unifi system in which we are using a Sophos XG115 as our core router and firewall.

We are using Unifi Cloud Key and want a guest wireless network to exist in VLAN 20.  We also want to use the guest portal feature on the Unifi Cloud Key Controller in order to authenticate our guests.

Before going through the details, I have this exact environment with the same network switch, Unifi gear, etc., working in another installation in which the only real difference is I'm using a Ubiquiti EdgeRouter-X as the router/firewall.  When Sophos is involved it does not seem to work and Ubiquiti can't point me in the right direction or tell me why.

1. Sophos XG115.

2. HP Procurve 1820-48PoE switch.

3. Unifi Controller (Cloud Key)

4. Unifi APs.

In Sophos I have built a Guest Zone, created a network interface in VLAN 20, assigned a routing interface on the XG firewall and created a DHCP server for the clients.  For testing purposes I have created a FW rule between my Guest and LAN zones in which all traffic is being allowed.

If I simply use a WPA password (or no password) the guests authenticate onto the network and everything is peachy.  Similarly if I put the guests into the default LAN zone (not VLAN 20) and point them to the guest portal, the guest portal is displayed, the guests can authenticate and life is good.

As soon as the guest network is in VLAN 20 and the guest portal is being used, the guests never get to the portal and life is not good.  I can manually authenticate the guests and get them to work; additionally, all traffic between the VLANs/zones appears to be working as long as I manually authenticate the guests or disable the portal.

Ubiquiti has not been able to direct me to the specific log entries in their equipment to diagnose this.  A PCAP of the traffic out of the Cloud Key and the APs seems to show that there is never an offer made to the clients about where the guest portal is; the clients (Apple, for example) end up going to an internet default location to look for the guest portal.  This is where I become suspicious that maybe somehow Sophos is blocking the traffic, since I have this working in another installation with the only difference being the router/firewall.

From the Sophos perspective, how can I prove that Sophos is not causing this problem? Ubiquiti indicated that they have no known working configurations with Sophos and can't comment on how the Sophos needs to be configured to work properly with their equipment.  It's all rather frustrating.  If I can definitively prove that the Sophos is not killing the traffic then maybe I can get Ubiquiti to take the problem seriously and help me get it resolved.

I've included some screenshots of the LAN configuration and FW rules; I suppose it's possible, due to my unfamiliarity with Sophos gear, that I've missed something obvious that is causing the problem.
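One way to answer the "how do I prove the XG is not killing the traffic" question, as an added example that is not from the original post and not code from Sophos or Ubiquiti: capture the same guest client on both sides of the firewall at once (the guest VLAN sub-interface and the LAN-side interface) and correlate the flows. A flow whose client packets appear on the guest side but never on the LAN side was dropped or not routed by the XG; a flow that appears on both sides with no reply from the far end is a controller/AP-side problem, not a firewall one. The captive-portal probe names a client sends (captive.apple.com, connectivitycheck.gstatic.com, www.msftconnecttest.com) and the UniFi controller's portal ports (8880 for HTTP, 8843 for HTTPS) are the flows worth watching. The interface names Port1.20 and Port1, the addresses, and the sample tcpdump lines below are constructed assumptions for illustration.

```python
"""
Two-point capture correlation: does a guest client's traffic actually
cross the XG, and does anything on the far side answer it?

Added example; not code from the original post, Sophos, or Ubiquiti.
Interface names, addresses, ports and the sample tcpdump lines are
constructed assumptions for illustration.

Assumed capture commands, run in the XG advanced shell in two sessions
(Port1.20 = guest VLAN sub-interface, Port1 = LAN side, both assumed):
    tcpdump -ni Port1.20 -l 'host 10.0.20.50' | tee guest_side.txt
    tcpdump -ni Port1    -l 'host 10.0.20.50' | tee lan_side.txt
"""
import re
from collections import defaultdict

CLIENT = "10.0.20.50"  # constructed guest client address

# Prefix of a tcpdump -n line: "HH:MM:SS.usec IP src.sport > dst.dport: ..."
# The greedy [\d.]+ backtracks so the last dotted field becomes the port.
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample: guest-side capture (Port1.20)
GUEST_SIDE = [
    "12:00:00.100000 IP 10.0.20.50.51000 > 192.168.1.1.53: 4321+ A? captive.apple.com. (35)",
    "12:00:00.102000 IP 192.168.1.1.53 > 10.0.20.50.51000: 4321 1/0/0 A 203.0.113.10 (51)",
    "12:00:01.000000 IP 10.0.20.50.51002 > 192.168.1.10.8880: Flags [S], seq 1, win 65535, length 0",
    "12:00:02.000000 IP 10.0.20.50.51002 > 192.168.1.10.8880: Flags [S], seq 1, win 65535, length 0",
    "12:00:03.000000 IP 10.0.20.50.51003 > 192.168.1.10.8843: Flags [S], seq 2, win 65535, length 0",
]

# Constructed sample: LAN-side capture (Port1), same client, same window
LAN_SIDE = [
    "12:00:00.100100 IP 10.0.20.50.51000 > 192.168.1.1.53: 4321+ A? captive.apple.com. (35)",
    "12:00:00.101900 IP 192.168.1.1.53 > 10.0.20.50.51000: 4321 1/0/0 A 203.0.113.10 (51)",
    "12:00:01.000100 IP 10.0.20.50.51002 > 192.168.1.10.8880: Flags [S], seq 1, win 65535, length 0",
    "12:00:02.000100 IP 10.0.20.50.51002 > 192.168.1.10.8880: Flags [S], seq 1, win 65535, length 0",
]


def parse(lines):
    """Yield (src, sport, dst, dport) for every tcpdump -n line that parses."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def flows(lines, client):
    """Map each client flow (client_port, server_ip, server_port) to the
    directions observed on this interface: {'out'}, {'in'} or both."""
    seen = defaultdict(set)
    for src, sport, dst, dport in parse(lines):
        if src == client:
            seen[(sport, dst, dport)].add("out")
        elif dst == client:
            seen[(dport, src, sport)].add("in")
    return seen


def correlate(guest_lines, lan_lines, client):
    """Classify every flow for `client` by where it was and was not seen."""
    guest, lan = flows(guest_lines, client), flows(lan_lines, client)
    verdicts = {}
    for key in sorted(set(guest) | set(lan)):
        g, l = guest.get(key, set()), lan.get(key, set())
        if "out" in g and "out" not in l:
            v = "dropped by firewall: client packets seen on guest side only"
        elif "out" not in g and "out" in l:
            v = "asymmetric: client packets seen on LAN side only (check capture filter)"
        elif "in" in l and "in" not in g:
            v = "forwarded, but the reply was dropped on the return path"
        elif "in" in g:
            v = "forwarded, reply reached the client"
        else:
            v = "forwarded by firewall, no reply from server: not a firewall problem"
        verdicts[key] = v
    return verdicts


if __name__ == "__main__":
    for (cport, sip, sport), verdict in correlate(GUEST_SIDE, LAN_SIDE, CLIENT).items():
        print(f"{CLIENT}:{cport} -> {sip}:{sport}  {verdict}")
```

In the constructed sample the DNS lookup crosses the XG and is answered, the SYNs to the controller's HTTP portal port cross the XG but nothing answers them, and the SYN to 8843 never appears on the LAN side. If a real run shows every flow toward the controller as "forwarded, no reply", the XG is passing the traffic and the remaining question is on the AP/controller side; the SFOS console's `drop-packet-capture` is the firewall-side counterpart for seeing what the XG itself discards.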


  • Bump....


    Anyone?


    Unifi have pretty much bailed on helping with any troubleshooting of this even though the data I have indicates they might not be behaving properly.

  • Hi,

     I assume you have firewall rules allowing traffic?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I have rules allowing all traffic between my guest zone and the LAN zone. 

    I also don't have any log entries in the firewall when the failure occurs.

    I can post screenshots if that would be helpful.

    Honestly, the most frustrating part of troubleshooting this is that other than the firewall and switch this is a Ubiquiti solution, but they've pretty much given up offering any help in troubleshooting it.


    They can't even provide me with basic information like what log entries to look for when the portal is being served and what should show up in a packet trace from the portal & the APs when a guest connects and needs to be directed to the portal for authentication. 
