Walled garden not working as expected

Hi folks,

I want to use my Hotspot based on vouchers where I can force a number of clients to automatically skip entering a voucher key.

Running v18.0.4 I see an option in 'Hotspot settings' named 'Walled Garden' where the help section tells me:

To specify networks that can be accessed by users who do not pass authentication, click Add new item, select networks or hosts, and click Apply.

I tried with a fixed MAC address and a fixed IP address (having reserved this on the DHCP for a specific client), but after connecting to the hotspot the voucher still needs to be entered before accessing the desired network resources.

Any suggestions?

  • I temporarily checked all options for WiFi Zone under SYSTEM - Administration - Device access without success.
    Another thing is: If I put a subnet into walled garden networks I am not able to access the captive portal which is prompting for the voucher code, nor do I have internet access...

  • Hello Njabi,

    Thank you for contacting the Sophos Community!

    Can you try creating a firewall rule additional to the one the Hotspot creates automatically, with Source Zone as Wifi, Destination Zone (the zone where the Networks you are entering in the Walled Garden are located) and Destination Network = the Networks/IPs/URLs that should have access according to the Walled Garden?

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    Thanks for your reply. Tried that before without success.
    WIFI - ANY to WAN any any

  • Hello Njabi,

    Thank you for the follow-up.

    If you confirmed you also have the NAT rule for this traffic and it is still not working, please open a case with support and send me the Case ID, so I can follow up.

    When opening the case, please provide a screenshot of 

    1. Default Firewall Rule created by the hotspot

    2. Additional Firewall rule created for the Wifi to WAN or LAN zone

    3. NAT rule for the Additional Firewall rule

    4. Hotspot configuration

    5. Walled Garden Allowed hosts/networks 

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • After deeper research on this case I figured out a misunderstanding of the walled garden function.

    In 'walled garden' you are able to specify hosts or networks that can be accessed from hosts connecting to the hotspot without entering a voucher/password or accepting the agreement.
    My understanding was: You can add specific hosts by giving e.g. MAC addresses which are still able to reach any desired network resource (WAN) without entering the voucher/...

    In addition to this I found out: If you have devices connected to a hotspot wifi they will be able to connect to each other, no matter whether they even enter the captive portal site or not - this feels logical to me because they are connected to the same subnet. If you have client isolation enabled in the wifi's settings, this won't work!

  • Hello, do you have a solution? I'm also on XG 18.04 and the exclusions hosts or networks in walled garden do not work 

  • Can you quickly describe your goal in your scenario, please?

  • I have a Wi-Fi network and I have guests and residents. The guests use the voucher and I made a DHCP reservation for the residents. I added residents' IPs in Walled garden so that it goes over the captive portal and can connect directly to the Internet.
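
Added example, not part of the thread and not Sophos code: a minimal Python model of the walled garden as the help text quoted in the first post describes it, where entries are destinations that unauthenticated clients may reach, plus a check for entries that are really hotspot client addresses. All addresses, function names and the gate logic itself are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, not taken from the thread.
CLIENT_SUBNET = ip_network("10.255.0.0/24")      # hotspot (WiFi zone) clients
WALLED_GARDEN = [ip_network("192.0.2.10/32")]    # host reachable without a voucher
AUTHENTICATED = {"10.255.0.50"}                  # clients that already entered a voucher


def in_walled_garden(addr, garden):
    """True if addr falls inside any walled garden host or network."""
    return any(ip_address(addr) in net for net in garden)


def hotspot_decision(src, dst, garden=WALLED_GARDEN, authenticated=AUTHENTICATED):
    """Return 'allow' or 'portal' for one connection from a hotspot client.

    Assumed model: the walled garden is matched against the DESTINATION only.
    This covers the hotspot gate alone; firewall and NAT rules still apply.
    """
    if src in authenticated:
        return "allow"
    if in_walled_garden(dst, garden):
        return "allow"
    return "portal"      # redirected to the captive portal for a voucher


def misplaced_entries(garden, client_subnet=CLIENT_SUBNET):
    """Walled garden entries that overlap the hotspot's own client subnet.

    Such entries usually mean client addresses were entered as if the list
    exempted sources, which this model does not do.
    """
    return [net for net in garden if net.overlaps(client_subnet)]


if __name__ == "__main__":
    resident = "10.255.0.77"                     # DHCP-reserved client, constructed
    garden = WALLED_GARDEN + [ip_network(resident + "/32")]
    print(hotspot_decision(resident, "203.0.113.5", garden))   # internet host
    print(hotspot_decision(resident, "192.0.2.10", garden))    # walled garden host
    print(misplaced_entries(garden))
```
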