Hi Community,
we have an SG330 with UTM 9.510-5 and started half a year ago with wireless protection.
AP hardware is all Sophos (2x AP 55 + 1x AP 100, and more APs are planned for the future).
Different WLANs (SSIDs) were configured for bridge mode (bridged to the internal LAN) and associated to the APs, and everything works fine.
A few days ago, we tried to start with the hotspot configuration after preparing with the recommendations and tutorials (also here in the UTM forum) to do it right.
After it didn't work with the predefined wireless guest network on the virtual interface wlan0, we deleted the configuration and started from scratch.
We defined a separate zone interface (named HotspotHWS) based on interface wlan3 (which was offered when we chose the interface type "ethernet vlan"; later on, when the interface was created, we switched from "ethernet vlan" to "ethernet" because we didn't want tagged frames, as we have no VLANs defined on our switches).
Then we defined a hotspot (voucher type) and executed all steps of a hotspot configuration:
- Separate zone interface added to the hotspot
- Separate zone network added to the allowed DNS networks
- DHCP service configured for the separate zone network (172.30.100.0/24, standard gateway (= IP address of the virtual wlan3 interface) = 172.30.100.1)
- Masquerading of the separate zone network IPs to the external (WAN-side) interface
- Firewall rule allowing the separate zone network any services to the target "Internet" (not to "Any", as suggested in this forum by user BAlfson)
The result is the following strange behavior of the connected clients (I tested it with different clients such as Android tablets, Sony smartphones, Windows notebooks etc.):
Hotspot functionality like the login page (if one first tries to browse an http site rather than an https site, for the known reasons), authentication etc. is all fine,
but the problems arise when the user wants to browse websites.
Strangely, ping, traceroute etc. work fine, and even streaming YouTube videos (UDP traffic?) goes very fluently.
But browsing nearly any website (no matter whether http or https) gets stuck and runs into a timeout. The only exception is Wikipedia text pages.
When I follow a further link on a Wikipedia page to an external site, the connection gets stuck again. For test purposes I disabled web filtering completely.
After checking the firewall reports I noticed hundreds of default drops of type 60001 (input queue) when the client (resp. IP 172.30.100.55) sends a packet to its gateway
172.30.100.1 (the IP of the virtual interface wlan3). That would mean that the access of a host to its own gateway - a very common kind of communication - is default dropped?!
Besides the hundreds of drops of type 60001 there are a (very) few other default drops of the 6000x numbered types like 60002, 60003 and 60004.
Does anyone have an idea what kind of misconfiguration we made here?
Thanks in advance for any tips!
Gerard
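One way to triage the 60001 drops described in the post is to aggregate the packet filter log by rule, destination and port, which shows exactly which services the hotspot clients send to the gateway IP that get dropped (for example DNS versus HTTP). This is an added example, not part of the original post or of Sophos' own tooling: the log lines are constructed in the UTM key="value" style, and the field names used (action, fwrule, initf, srcip, dstip, proto, dstport) are assumed to match what the live packet filter log shows.

```python
import re
from collections import Counter

# Constructed sample lines in the UTM packetfilter key="value" style.
# Timestamps, ids and the specific traffic are invented for this example;
# the source client and gateway addresses are the ones from the post.
SAMPLE_LOG = """\
2018:05:02-10:15:23 utm ulogd[5012]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan3" srcip="172.30.100.55" dstip="172.30.100.1" proto="17" length="71" ttl="64" srcport="51523" dstport="53"
2018:05:02-10:15:23 utm ulogd[5012]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan3" srcip="172.30.100.55" dstip="172.30.100.1" proto="6" length="60" ttl="64" srcport="43210" dstport="80" tcpflags="SYN"
2018:05:02-10:15:24 utm ulogd[5012]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan3" srcip="172.30.100.55" dstip="172.30.100.1" proto="17" length="71" ttl="64" srcport="51524" dstport="53"
2018:05:02-10:15:25 utm ulogd[5012]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="wlan3" srcip="172.30.100.55" dstip="198.51.100.7" proto="6" length="60" ttl="64" srcport="43211" dstport="443" tcpflags="SYN"
2018:05:02-10:15:26 utm ulogd[5012]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="wlan3" outitf="eth1" srcip="172.30.100.55" dstip="198.51.100.7" proto="1" length="84" ttl="64"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA protocol numbers

def parse_line(line):
    """Return the key="value" fields of one packet filter log line as a dict."""
    return dict(KV_RE.findall(line))

def summarize_drops(log_text):
    """Count dropped packets per (fwrule, in-interface, srcip, dstip, proto, dstport).
    Accepted packets are ignored; a missing dstport (e.g. ICMP) is recorded as '-'."""
    drops = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto"))
        key = (f.get("fwrule"), f.get("initf"), f.get("srcip"),
               f.get("dstip"), proto, f.get("dstport", "-"))
        drops[key] += 1
    return drops

def gateway_drops(log_text, gateway_ip):
    """Drops addressed to the interface IP itself (the symptom in the post),
    as a list of ((fwrule, proto, dstport), count) sorted by count descending."""
    out = Counter()
    for (rule, _itf, _src, dst, proto, port), n in summarize_drops(log_text).items():
        if dst == gateway_ip:
            out[(rule, proto, port)] += n
    return out.most_common()

if __name__ == "__main__":
    for (rule, proto, port), n in gateway_drops(SAMPLE_LOG, "172.30.100.1"):
        print(f"rule {rule} {proto}/{port} -> gateway: {n} drops")
```

Run it against an export of the live packet filter log instead of SAMPLE_LOG; a pile-up of drops on udp/53 or tcp/80 and tcp/443 to the gateway IP points at the hotspot's own services (DNS and the hotspot login redirect) not being allowed on the separate zone interface.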