

Separated zone clients are unable to surf the internet

Hi All, 

I have 3 APX 320 connected in Mesh on 5 Ghz. Only the first AP is connected to LAN, while the others are meshed. One Wi-Fi is bridged to AP lan, and users are able to surf. I have also created another wifi (guest) as separated zone. Clients receive the IP but they are not able to surf and sometimes surfing is very slow.

Wi-Fi zone to WAN firewall rule is ON and it is the first rule.

NAT has been created.

Reboot and AP hard reset has been performed

The rule does not use any web filtering (either proxy or SSL inspection).

Drop-packet capture shows only multicast traffic, nothing else.

Any help?

Thanks



  • To clarify, you set up separate SSIDs on your APs for guests, each associated with a VLAN and the VLAN associated with a Zone? The only difference from what I and many others might have is that you have two of the APs connected via a mesh backhaul. Are you using 5GHz for the backhaul and 2.4GHz for the clients, or are you running the AP in dual 5GHz mode?

  • I have a wi-fi network bridged to AP LAN and a separated zone. The APX 320s are inside a mesh network (5 GHz), while the users' networks are on 2.4 GHz only.

  • How do you separate the zone? Forgive my ignorance, but I have three SSIDs: Trusted, IoT, and Guest. The Trusted is bridged onto my internal LAN, while the other two are on their own VLANs, which have their own Zones. Each VLAN has its own DHCP -- I do this on the router, not the AP -- and its own firewall rules to get to the internet. Is this what you're doing except that you're using Mesh for your AP backhaul?

  • There is a reduction in MTU size when using separate zones in that particular network segment you are creating with this. This is due to the underlying VX Tunnel technology used to encapsulate the traffic.

    I had this problem myself and used a script to set MTU on the clients to 1320.

    This solved the problems you described immediately.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
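The MTU point in the post above can be checked from a client before changing anything. The script below is an added example, not code from this thread, from Sophos or from the poster: it computes the inner MTU one would expect behind a VXLAN-style tunnel (the thread only says "VX Tunnel technology"; the standard 50-byte overhead of outer Ethernet + IPv4 + UDP + VXLAN headers is an assumption, and the poster's 1320 figure sits well below that computed value) and binary-searches the real path MTU with Don't-Fragment pings. Function names (`find_path_mtu`, `diagnose`, `simulated_link`, `ping_probe`), the Linux iputils `ping -M do` flag usage, and the simulated link used for offline runs are all this example's own.

```python
"""Path-MTU check for clients behind a tunnelled (separate-zone) Wi-Fi network.

Added example, not code from the thread, from Sophos or from the poster.
Assumptions (not stated in the thread): the separate-zone tunnel is VXLAN-style
over an IPv4 underlay with the standard 50-byte encapsulation overhead, and the
host tool is Linux iputils ``ping`` (``-M do`` sets the Don't-Fragment bit).
"""
import subprocess
import sys

ETH_MTU = 1500
# Assumed VXLAN-style overhead: outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8.
VXLAN_OVERHEAD = 14 + 20 + 8 + 8
IPV4_ICMP_HEADERS = 20 + 8  # bytes ping adds on top of its ``-s`` payload


def tunnel_inner_mtu(outer_mtu=ETH_MTU, overhead=VXLAN_OVERHEAD):
    """Largest client packet that still fits one underlay frame after encapsulation."""
    return outer_mtu - overhead


def find_path_mtu(probe, low=576, high=ETH_MTU):
    """Binary-search the largest total IPv4 packet size that ``probe`` accepts.

    ``probe(size)`` returns True when a DF-marked packet of ``size`` bytes gets a
    reply.  Returns 0 when even ``low`` bytes fail (no connectivity at all).
    """
    if not probe(low):
        return 0
    if probe(high):
        return high
    # Invariant from here on: ``low`` passes, ``high`` fails.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def diagnose(path_mtu, client_mtu):
    """Explain a measured path MTU relative to the client's configured MTU."""
    if path_mtu == 0:
        return "no reply even for small packets: not an MTU problem, check routing/firewall"
    if path_mtu >= client_mtu:
        return f"path MTU {path_mtu} >= client MTU {client_mtu}: no fragmentation needed"
    return (f"path MTU {path_mtu} < client MTU {client_mtu}: large packets are being "
            f"dropped (PMTU black hole); lower the client MTU to {path_mtu}")


def simulated_link(mtu):
    """Constructed stand-in for a real path that silently drops packets above ``mtu``."""
    return lambda size: size <= mtu


def ping_probe(host, size, timeout_s=2):
    """Real probe: one DF-marked ping of ``size`` total bytes (Linux iputils flags)."""
    payload = size - IPV4_ICMP_HEADERS
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: pmtu_check.py <host-on-the-far-side-of-the-tunnel>")
    measured = find_path_mtu(lambda size: ping_probe(sys.argv[1], size))
    print(f"expected inner MTU for a 50-byte VXLAN-style tunnel: {tunnel_inner_mtu()}")
    print(f"measured path MTU: {measured}")
    print(diagnose(measured, ETH_MTU))
```

Run it from a guest-zone client against a host beyond the firewall; a measured value well below 1500 while small pings succeed is the signature of the MTU problem described above, whereas no reply at all points at routing or firewall rules instead. Once the path MTU is known, the client-side fix the poster applied is `netsh interface ipv4 set subinterface "Wi-Fi" mtu=1320 store=persistent` on Windows or `ip link set dev wlan0 mtu 1320` on Linux (interface names vary).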

