Sorry for the long post - trying to be thorough.
I’m having what seems to me to be a strange problem, hopefully I am overlooking something simple. I have a small office where the regular office users can browse the web with no problem, but the guest network I set up is erratic. Some web sites will open OK, others time out before they will open. For example, amazon.com opens no problem, weather.com won’t open, but this happens only for devices on VLAN 7 (personal phones and laptops via wireless, a couple of wired desktop computers). Joining the same devices to the regular network on VLAN 1, no problems.
For hosts that connect on VLAN 7, either through the wireless guest network or through physical ports on the switch, DHCP works correctly – they get IP addresses, gateway and DNS from Sophos SG115 on correct guest subnet.
For hosts that connect on VLAN 1, either through wireless or through physical switch ports, DHCP works correctly, getting DHCP info from Windows DHCP server on the InternalLAN subnet.
I should mention that I have this same setup in two other offices and it seems to work okay, the only difference being they have Sophos SG 125 devices and Dell 2848 switches. I’ve gone over the configurations comparing the Sophos settings in these offices to the problem office and can’t see any differences.
At the risk of too much information, one other quirk, maybe related. I have UTM to UTM RED tunnels set up from the main office to each of the remote offices. In the “good” offices, I can log in to the switch’s web interface from the main office through the RED tunnel, no problem. In the “bad” office, I can open the web interface on the remote switch, but I can’t log in – I get “user name or password is missing”. I can remote to a local workstation and log in to it no problem. Doesn’t matter what browser is being used.
I have looked through the firewall, web filtering and intrusion prevention log files and don’t see anything noteworthy. I actually don’t see any traffic in the firewall log from the 10.10.1.0 network.
Thanks for any help or ideas.
My setup:

Sophos SG 115 with UTM 9.414002
  Eth0: internal LAN, static 192.168.40.1/24, no gateway
  Eth1: WAN, static IP from ISP, has default gateway
  Guest VLAN: Ethernet VLAN on eth0, VLAN tag 7, IP 10.10.1.1/24, no gateway

  DHCP server on Guest VLAN interface
    Pool: 10.10.1.100 to 10.10.1.199
    DNS: 8.8.4.4; 8.8.8.8
    Default Gateway: 10.10.1.1 (Guest VLAN interface)

  Firewall rules:
    Deny Any:  Source Guest VLAN (Network), Destination Internal (Network)
    Allow Any: Source Internal (Network); Guest VLAN (Network), Destination Any
    Allow DNS: Source Any, Destination Any

  NAT Masquerading Rules:
    Internal (Network) > WAN
    Guest VLAN (Network) > WAN

  Web Filtering: Default Web Filter
    Allowed Networks: Guest VLAN (Network), Internal (Network)
    Operation Mode: Transparent Mode
    Default Authentication: none
    Enable device specific authentication: Android none, iOS none, Kindle none, Windows none
    HTTPS: URL filtering only; “Do not proxy HTTPS traffic in transparent mode” unchecked

Switch: Dell 2724, Native VLAN 1
  Port 1 (Sophos SG 115): PVID 1, Frame type Admit All, VLAN 1 Untagged, VLAN 7 Tagged
  Port 19 (Cisco WAP): PVID 1, Frame type Admit All, VLAN 1 Untagged, VLAN 7 Tagged
  Ports 20 to 24 (Wired Guests): PVID 7, Frame type Admit All, VLAN 7 Tagged (not a member of VLAN 1)

Wireless:
  Cisco Wireless LAN Controller in Main Office
  Access Point: Cisco AIR-LAP1141N, AP Mode FlexConnect, Native VLAN 1
    VLAN Mapping: GuestVLAN VLAN 7, InternalLAN VLAN 1
  Wireless Networks:
    InternalLAN
      Interface: management (port 1), native VLAN 1
      FlexConnect local switching enabled
      FlexConnect local authentication enabled
    GuestVLAN
      Interface: GuestVLAN7, VLAN identifier 7
      FlexConnect local switching enabled
      FlexConnect local authentication enabled
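The post describes a symptom (amazon.com loads, weather.com times out, only on VLAN 7) without saying at which stage of the connection the slow sites stall. The script below is an added example, not part of the original post and not a Sophos, Dell or Cisco tool: it walks each site through DNS, TCP connect, TLS handshake and a HEAD request with a timeout, reports the first stage that fails and how long each completed stage took, and compares a run from a VLAN 1 host against a run from a VLAN 7 host. It assumes port 443 and uses the two hostnames from the post; the `stub_*` functions and the 203.0.113.10 address are constructed so the stage logic can be exercised without a network.

```python
"""Staged reachability check: which stage (DNS, TCP, TLS, HTTP) does a site fail
at, and does that differ between two networks?  Example code added by the
editor; it is not part of the original post or of any vendor's tooling."""
import socket
import ssl
import time

# Hosts named in the post; add any other site that behaves differently.
SITES = ["amazon.com", "weather.com"]


def resolve(host):
    """DNS stage: first address returned for host (uses the resolver the DHCP lease handed out)."""
    return socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)[0][4][0]


def tcp_connect(ip, port, timeout):
    """TCP stage: plain connect, bounded by timeout."""
    return socket.create_connection((ip, port), timeout=timeout)


def tls_handshake(sock, host):
    """TLS stage: full handshake with certificate validation.  This is the first
    stage that moves large packets, so path problems tend to surface here."""
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)


def http_request(tls_sock, host, timeout):
    """HTTP stage: a minimal HEAD request; any status line counts as success."""
    tls_sock.settimeout(timeout)
    tls_sock.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    return tls_sock.recv(4096)


def check_site(host, timeout=5.0, *, resolve=resolve, connect=tcp_connect,
               handshake=tls_handshake, request=http_request):
    """Run the four stages in order.  Returns a report naming the first failing
    stage (None if all passed), the error, and per-stage timings in ms.
    The stage callables are parameters so they can be replaced by stubs."""
    report = {"host": host, "failed_stage": None, "error": None, "ms": {}}
    stage, sock, started = "dns", None, time.monotonic()

    def done(name):
        nonlocal started
        report["ms"][name] = round((time.monotonic() - started) * 1000, 1)
        started = time.monotonic()

    try:
        ip = resolve(host); done("dns")
        stage = "tcp_connect"; sock = connect(ip, 443, timeout); done(stage)
        stage = "tls_handshake"; sock = handshake(sock, host); done(stage)
        stage = "http_response"; data = request(sock, host, timeout)
        if not data.startswith(b"HTTP/"):
            raise ValueError("no HTTP status line in reply")
        done(stage)
    except (OSError, ValueError) as exc:  # socket.timeout and ssl.SSLError are OSErrors
        report["failed_stage"], report["error"] = stage, repr(exc)
    finally:
        if sock is not None:
            sock.close()
    return report


def compare_runs(known_good, suspect):
    """Hosts whose failing stage differs between two runs, e.g. VLAN 1 vs VLAN 7.
    Maps host -> (stage on known-good network, stage on suspect network)."""
    good = {r["host"]: r["failed_stage"] for r in known_good}
    return {r["host"]: (good.get(r["host"]), r["failed_stage"])
            for r in suspect if good.get(r["host"]) != r["failed_stage"]}


# Constructed stubs (not real servers) for exercising the stage logic offline.
def stub_resolve(host):
    return "203.0.113.10"  # RFC 5737 documentation address


def stub_connect_ok(ip, port, timeout):
    return socket.socket()  # unconnected; only needs to support close()


def stub_connect_timeout(ip, port, timeout):
    raise socket.timeout("connect timed out")


def stub_handshake_ok(sock, host):
    return sock


def stub_request_ok(sock, host, timeout):
    return b"HTTP/1.1 200 OK\r\n\r\n"


if __name__ == "__main__":
    # Run this on a VLAN 1 host and on a VLAN 7 host, then feed both result sets to compare_runs().
    for site in SITES:
        r = check_site(site)
        print(f"{r['host']:<15} failed_stage={r['failed_stage']} ms={r['ms']} {r['error'] or ''}")
```

A site that fails at `dns` on VLAN 7 but not VLAN 1 points at the resolver path, one that fails at `tcp_connect` points at routing or the firewall rules, and one that passes TCP but stalls in `tls_handshake` or `http_response` points at something in the path that only affects established sessions, such as the transparent web filter or packet size on the tagged VLAN.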