
strange hotspot behavior sg330 utm 9.510-5

Hi Community,

we have an SG330 with UTM 9.510-5 and started half a year ago with wireless protection.

AP hardware is all Sophos (2x AP 55 + 1x AP100, and more APs are planned for the future).

Different WLANs (SSIDs) were configured for bridge mode (bridged to the internal LAN) and associated with the APs, and everything works fine.

A few days ago, we tried to start with the hotspot configuration after preparing with the recommendations and tutorials (also here in the UTM forum) to do it right.

After it didn't work with the predefined wireless guest network on the virtual interface wlan0, we deleted the configuration and started from scratch.

We defined a separate zone interface (named HotspotHWS) based on interface wlan3 (which was offered when we chose the interface type "ethernet vlan"; later, once the interface was created, we switched from "ethernet vlan" to "ethernet" because we didn't want tagged frames, as we have no VLANs defined on our switches).

Then we defined a hotspot (voucher type) and executed all steps of a hotspot configuration:

- Separate zone interface added to the hotspot
- Separate zone network added to the allowed DNS networks
- DHCP service configured for the separate zone network (172.30.100.0/24, default gateway (= IP address of the virtual wlan3 interface) = 172.30.100.1)
- Masquerading of the separate zone network IPs to the external (WAN-side) interface
- Firewall rule allowing the separate zone network any services to the target "Internet" (not to "any", as suggested in this forum by user BAlfson)

The result is the following strange behavior of the connected clients (I tested it with different clients like Android tablets, Sony smartphones, Windows notebooks etc.):

Hotspot functionality like the login page (if one first tries to browse an http site rather than an https site, for the known reasons), authentication etc. is all fine,

but the problems arise, when the user wants to browse to websites.

Strange is, that ping, traceroute etc. works fine and also even streaming youtube videos (udp traffic?) goes very fluently.

But browsing on nearly any website (no matter whether http or https) gets stuck and runs into a timeout. The only exception is Wikipedia text pages.

When I follow a further link on a Wikipedia page to an external site, the connection gets stuck again. For test purposes I disabled web filtering completely.

After checking the firewall reports I noticed hundreds of default drops of type 60001 (input queue) when the client (resp. IP 172.30.100.55) sends a packet to its gateway

172.30.100.1 (the IP of the virtual interface wlan3). That would mean that the access of a host to its own gateway - a very common kind of communication - is default dropped?!

Besides the hundreds of drops of type 60001 there are a (very) few other default drops of the 6000x numbered types like 60002, 60003 and 60004.

Has anyone an idea what kind of misconfiguration we did here?

Thanks in advance for any tips!

Gerard



  • Hello Gerard and welcome to the UTM Community!

    Please show pictures of the Edits of the Wireless Network, the Interface, the DHCP server and the Hotspot.

    Cheers - Bob
    PS Since you wrote in English, I'll move this to the Wireless Security forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    sorry for being late with the requested screenshots, but I had some work to do

    for budget planning which doesn't allow any delay.

    I'll post the screenshots tomorrow.

    Meanwhile I played around with the MTU on the virtual interface wlan3 (the guest interface of the hotspot)

    and set the value from the max 1500 down to 1360 (read this value in a post, don't know the technical reason why it is 1360 and not 1400 or any other value lower than 1500). The result was that a lot of websites that didn't work before can be browsed now.

    Perhaps this little detail gives a hint where the problem lies?

    Cheers - Gerard
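The MTU experiment above (ping and streaming work, full-size web pages stall, lowering the interface MTU helps) is the classic signature of a path-MTU black hole: small packets pass, but full-size segments with the Don't-Fragment bit set are dropped somewhere without an ICMP "fragmentation needed" reaching the sender. The script below is an added example, not from this thread or from Sophos: it binary-searches for the largest DF-marked ICMP echo that still gets answered and derives the TCP MSS a gateway would have to clamp to; it assumes Linux iputils `ping -M do`, and for offline use it includes a constructed simulation of a hop that silently drops anything larger than 1360 bytes.

```python
# Path-MTU black-hole probe (added example, not code from the thread or from Sophos).
# Symptom it targets: ping and small packets pass, full-size TCP segments stall.
# Assumes Linux iputils ping; "-M do" sets the Don't-Fragment bit so oversized
# echoes are dropped or rejected instead of being fragmented on the way.
import subprocess
from typing import Callable

IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header
TCP_HDR = 20     # TCP header without options


def icmp_df_probe(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Return probe(payload_bytes) -> bool that sends one DF-marked echo to host."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] whose DF echo is answered.

    probe() takes the ICMP *payload* size, so header sizes are subtracted first.
    """
    if not probe(lo - IP_HDR - ICMP_HDR):
        raise RuntimeError("even %d-byte packets are dropped; not an MTU problem" % lo)
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - IP_HDR - ICMP_HDR):
            best, lo = mid, mid + 1        # fits: look for something bigger
        else:
            hi = mid - 1                    # dropped: path MTU is below mid
    return best


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS a gateway should clamp to so that full segments fit the discovered MTU."""
    return mtu - IP_HDR - TCP_HDR


def simulated_black_hole(payload: int, hop_mtu: int = 1360) -> bool:
    """Constructed offline stand-in for a path that silently drops DF packets > hop_mtu."""
    return payload + IP_HDR + ICMP_HDR <= hop_mtu


if __name__ == "__main__":
    # Offline run against the simulation; from the guest WLAN, swap in
    # icmp_df_probe("<gateway-or-external-host>") to measure the real path.
    mtu = find_path_mtu(simulated_black_hole)
    print("path MTU: %d bytes, clamp TCP MSS to %d" % (mtu, mss_for_mtu(mtu)))
```

If the real probe settles well below 1500 while plain pings succeed, the fix belongs on the gateway (MSS clamping or a matching MTU on the guest interface) rather than on the clients.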
