Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unifi guest portal not working when Sophos Firewall is between guest & production VLANs

Hi all,

Been fighting a problem with set up of a Unifi system in which we are using Sophos XG115 as our core router and firewall.

We are using Unifi Cloud Key and want a guest wireless network to exist in VLAN 20.  We also want to use the guest portal feature on the Unifi Cloud Key Controller in order to authenticate our guests.

Before going through the details, I have this exact environment with the same network switch, Unifi gear, etc., working in another installation in which the only real difference is I'm using Ubiquity Edgerouter-X as the router/firewall.  When Sophos is involved it does not seem to work and Ubiquity can't point me in the right direction or tell me why.

1. Sophos XG115.

2. HP Procurve 1820-48PoE switch.

3. Unifi Controller (Cloud Key)

4. Unifi APs.

In Sophos I have built a Guest Zone, created a network interface in VLAN 20, assigned a routing interface on the XG firewall and created a DHCP server for the clients.  For testing purposes I have created a FW rule between my Guest and LAN zones in which all traffic is being allowed.

If I simply use a WPA password (or no password) the guests authenticate onto the network and everything is peachy.  Similarly if I put the guests into the default LAN zone (not VLAN 20) and point them to the guest portal, the guest portal is displayed, the guests can authenticate and life is good.

As soon as guest network is in VLAN 20 and the guest portal is being used, the guests never get to the portal and life is not good.  I can manually authenticate the guests and get them to work, additionally, all traffic between the VLANs/zones appears to be working as long as I manually authenticate the guests or disable the portal.

Ubiquity has not been able to direct me to the specific log entries in their equipment to diagnose this.  A PCAP of the traffic out of the Cloud Key and the APs seems to show that there is never an offer made to the clients about where the guest portal is, the clients (Apple for example) end up going to an internet default location to look for the guest portal.  This is where I become suspicious that maybe somehow Sophos is blocking the traffic since I have this working in another installation with the only difference being the router/firewall.

From the Sophos perspective how can I prove that Sophos is not causing this problem? Ubiquity indicated that they have no known working configurations with Sophos and can't comment on how the Sophos needs to be configured to work properly with their equipment.  It's all rather frustrating.  If I can definitely prove that the Sophos is not killing the traffic then maybe I can get Ubiquity to take the problem seriously and help me get it resolved.

I've included some screenshots of the LAN configuration and FW rules, I suppose it's possible due to my unfamiliarity with Sophos gear that I've missed something obvious that is causing the problem.

 



This thread was automatically locked due to age.
Parents
  • Hello people.

    I have the same problem. Have you managed to find a solution to this?

  • Ubiquity was worthless and their support engineers are liars so I gave up and ended up using the guest portal in the Sophos instead. I just put the Unifi guest network into a VLAN and set it up in the Sophos as a network that required guest portal.

  • Its nothing to do with the Ubiquiti kit, it has to be the XG.

    I've been running Ubiquiti and a guest WiFi network setup exactly the same way as you but instead of an XG i've been running a Sophos UTM for the last 3 years. Absolutely no problems and everything working.

    I swapped the UTM for an XG 3 days ago and have configured all the same rules and it just doesnt work. I've wasted 2 days and got nowhere.

    If i disable the guest portal within the Cloudkey the wireless network is good so i know all the basic networking and connectivity is OK.  Other than that all thats required is a policy to allow traffic from the guest network to the cloudkey on tcp8880 and tcp8843 for the portal and dns working to resolve the hostname of the cloudkey.  All components individually are there but it just doesnt work with the XG.  We're talking just straight basic ACL's too....no fancy inspection on any of the policies.

  • That may be true but was not evidenced in the sniffs I took which showed packets hitting the Unifi but the Unifi not responding.

    I do have the guest portal working to some degree with a Fortigate so I will acknowledge that it is possible the XG is causing problems but Unifi would have to put some skin in the game to help narrow down and prove that.

Reply
  • That may be true but was not evidenced in the sniffs I took which showed packets hitting the Unifi but the Unifi not responding.

    I do have the guest portal working to some degree with a Fortigate so I will acknowledge that it is possible the XG is causing problems but Unifi would have to put some skin in the game to help narrow down and prove that.

Children
No Data