Lan to Wifi separate zone not working

RE: Lan to Wifi separate zone not working

rfcat_vk — Wed, 05 Feb 2020 05:42:37 GMT

Hi Mario,

you are lucky to get it working. I had to delete mine because I was getting too many IPS hits even with IPS with disabled and DOS unticked and finally ATP disabled.

So, back to another reconfigure to get IoT devices working, so another AP installed to isolate the devices to their own physical network.

Ian

RE: Lan to Wifi separate zone not working

Mario Ostwald — Tue, 04 Feb 2020 17:33:27 GMT

Thanks to Mr Patel added some static routes over cli and now it works as a workaround. Will be fixed in v18.GA.

RE: Lan to Wifi separate zone not working

rfcat_vk — Sat, 01 Feb 2020 09:37:03 GMT

Hi Mario,

using the SD-WAN policy allows me to get the LAN to separate zone working, just you have to have a WAN entry.

Ian

RE: Lan to Wifi separate zone not working

Mario Ostwald — Sat, 01 Feb 2020 09:24:02 GMT

Yes i see no drops, too. You use the sd wan policy for the routing to the separate zone? Wan is not my problem.

LAN -> Wifi in separate zone doesnt work.

RE: Lan to Wifi separate zone not working

rfcat_vk — Fri, 31 Jan 2020 23:58:42 GMT

Hi Mario,

I have found a temporary solution, it works but not very well. I setup an SD-WAN policy route which has some strange requirement to use an the XG external gateway for internal traffic and you cannot ignore the setup. Also the help information when you move a mouse over the objects is useless and needs to be brought up to the same standard as other policy/rules.

In the migrated sd-wan policies you are shown a firewall rule, but only of the external access, there are no sd-wan policoes created during migration for the internal access firewall rules.

SD-WAN only allows one session where as a firewall rule allows multiple sessions to the same device. Throughput while I can't test and provide actual values is just plain painfully slow.

I tried using the Static routing and that is just plain silly/not logical, you must have a gateway that is in the same IP range as your interface, they are the same thing. so that doesn't work.

In the end v18 GA should make all this SD-WAN routing redundant when the fixes are applied.

Ian

The setup to fix the bug, does leave a question about the migrated SD-WAN policy, why were they created, what is missing that needs to have these put in place?

More thoughts on this subject, there is no way of seeing what traffic is passed though the SD-WAN policy (no logs) or how much?

RE: Lan to Wifi separate zone not working

rfcat_vk — Fri, 31 Jan 2020 10:22:10 GMT

Hi Mario,

not that I have found yet, I am still in the process of fixing a number of items I broke during the migration from VLANs.

Ian

RE: Lan to Wifi separate zone not working

Mario Ostwald — Fri, 31 Jan 2020 08:20:07 GMT

Hi Ian, so you can reproduce the problem as well? Is there any workaround this?

RE: Lan to Wifi separate zone not working

GavinDaniels — Fri, 31 Jan 2020 05:52:37 GMT

Hey Ian,

You are correct, I tested that as well.

And it is not an issue related to V17 migration, as I reset my XG125 to factory defaults after EAP3R1 and have set it up completely from scratch. No backup import.

RE: Lan to Wifi separate zone not working

rfcat_vk — Fri, 31 Jan 2020 05:49:47 GMT

Doesn't make any difference if it is a WIFI or seperate zone.

Ian

RE: Lan to Wifi separate zone not working

GavinDaniels — Fri, 31 Jan 2020 00:38:39 GMT

Just set up a test, and actually seeing what I expect is the same result as you.

Basic setup,

Created new 'LAN' Zone for Wifi

Created Wifi SSID as new zone, client isolation disabled.

Created firewall rules for Lan to Wifi Zone and seperate rule for Wifi Zone to Lan

DHCP for Wifi Zone done on Sophos

All services allowed

From the Wifi devices (ipad, Iphone, Laptop) I can ping each other, and I can ping anything on the LAN (PC, NAS, ECT)

From the Lan devices or the Sophos Firewall I cannot ping a device on the Wifi Zone

I also tried setting the Wifi setup back to the default WIFI zone, still no go.

I believe that the Wifi Zone is right, because I have a seperate WIFI Zone to WAN rule, and after changing the WIFI SSID to the default WIFI zone, then I lost internet access on the Wifi Devices.

So I will agree with you, an introduced bug in V18

RE: Lan to Wifi separate zone not working

Mario Ostwald — Fri, 31 Jan 2020 00:14:28 GMT

here is the other direction.

RE: Lan to Wifi separate zone not working

GavinDaniels — Thu, 30 Jan 2020 23:21:50 GMT

Can you please post your other rule.

RE: Lan to Wifi separate zone not working

Mario Ostwald — Thu, 30 Jan 2020 23:16:55 GMT

That is not the problem, i have added a rule for the other direction, too.
I think it must be a bug...

RE: Lan to Wifi separate zone not working

Apurv Patel — Thu, 30 Jan 2020 14:24:39 GMT

Hi Mario,

Thanks for device access and live debug session.

We are tracking this issue with Jira ID NC-55640.

RE: Lan to Wifi separate zone not working

GavinDaniels — Thu, 30 Jan 2020 13:19:08 GMT

Hey

That is a rule for one direction.

Where is the return rule to allow the WifiRestricted traffic back to the Lan?

It may be included in another rule, but if you upgraded from V17 to V18 the return rule may have been lost.

I did notice that my initial V18 upgrade lost some rules.

RE: Lan to Wifi separate zone not working

Apurv Patel — Thu, 30 Jan 2020 10:08:28 GMT

Hi Mario,

Thanks for your feedback, I will send you PM for more details purpose.