This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

strange hotspot behavior sg330 utm 9.510-5

Hi Community,

 

we have a sg330 with utm 9.510-5 and startet half a year ago with wireless protection.

AP hardware is all sophos (2x AP 55 + 1 x AP100 and more APs are palnned for the future).

Different WLANs (SSIDs) wer configured for bridge mode (bridged to internal LAN) and associated to the APs an everything works fine.

A few days ago, we tried to start with hotspot configuration after preparing with the recommendations an tutorials (also here in the utm forum) to do that right.

After it didnt work with the predefinde wireless guest network on the virual interface wlan0, we deleted the configuration and startet right from the scratch.

We defined a (sepreated zone interface named HotspotHWS) based on Interface wlan3 (which was offered, when we choosed the interface type ethernet vlan - later on, when the interface was created, we switched from ethernet vlan to ethernet because we didnt want to have tagged frames cause we have no VLANS defined on our switches).

Then defined a hotspot (voucher type) an executed all steps of a hotspot configuration

- Separate Zone Interface adding to the Hotspot 
- Separate Zone Network is added to the allowed DNS Networks  
-  DHCP Service configuration for the seperate zone network (172.30.100.0/24, Standard Gateway (= IP-Address of the virtual wlan3 interface) = 172.30.100.1 
- Masquerading of the seperated zone network IPs  to the external (WAN-side) interface
- Firewall rule to allow the seperated zone network any Services to the target Internet (not to any, as suggested in this forum by user BAlfson

The results are the following strange behavior of the connected clients (I tested it out with different clients like android tablets, sony smartphones, windows notebokks etc.):

Hotspot functionality like login page (if on tries first to browse an http site rather than a https site for the known reasons), authentication etc. is all fine,

but the problems arise, when the user wants to browse to websites.

Strange is, that ping, traceroute etc. works fine and also even streaming youtube videos (udp traffic?) goes very fluently.

But browsing on nearly any website (no matter whether http oder https) stucks and run into a timeout. The only exception is wikipedia text pages.

When i follow a further link on a wikipedia page to an external site, then the connection stucks again. For test purposes I disabled webfiltering completely.

After checking the firewall reports I noticed hundreds of default drops  of type 60001 (input queue) when the client (rsp IP 172.30.100.55) sends a packet to his gateway

172.30.100.1 (the IP of the virtual interface wlan3). That would mean that the access of a host to its own gateway - a very common kiond of communication - is default dropped ?!

Beside the hundreds of drops of type 60001 there are a (very) few other default-drops of the 6000x numberd types like 60002, 60003 and 60004.

Has anyone an idea what kind of misconfiguration we did here?

Thx in advances for any tips !

 

Gerard



This thread was automatically locked due to age.
Parents
  • All of those pictures look correct, Gerard, so this must be an issue with the way the devices are configured and/or Web Filtering.  Make sure the devices aren't configured to 'Automatically detect settings', i.e., to use the proxy if one is available.  If that doesn't resolve your issue, show us one of the 60001 drop lines from the Firewall log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've webfiltering deacvtivated for first focussing on troubleshooting the problem without

    webfiltering. When I turn webfiltering on, there is no communication (even udp streaming traffic) at all.

    So I would like to do webfiltering configuration for the guest-network later on according to the recommendations

    in "Configure HTTP-Proxy for a network of guests" after the actual problem is cleared.

     

    Meanwhile I've found an older thread (2015) in the german forum called

    "Sehr langsames WLAN" where a MTU setting of 1450 on the wlan Interface solved the problem.

    I tried that out and nearly all websites (http an https) that stucked before ore ran into a timeout  can be browsed fluently now.

    Until now I've discovered only 1 Site that does not came up. It is the site of the paragliding club I am a member of

    (joomla site with php script as a start page https://www.gleitschirmclub-kraichtal.de/index.php). When I am connected

    in a bridged (to internal Network) WLAN i can browse the page without problems.

    So from a naive point of view the problem seems to have to do with MTU setting but perhaps this aspect is only a symptom of

    a deeper lying technical issue ?

     

    Next I (maybe not today cause of lack of time) will switch the MTU of the wlan3 Interface setting to 1500 to provocate the error situation again

    and an appropriate firewall log file that reflects the situation an send the concerning lines here.

     

    Cheers - Gerard

     

  • I think you found the solution, Gerard.  The blocks in he Firewall log would be a symptom of bad communication caused by an MTU issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I think you found the solution, Gerard.  The blocks in he Firewall log would be a symptom of bad communication caused by an MTU issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • PROBLEM SOLVED !

    Here a screenshot of 2 firewall logfile lines with virtual WLAN Interface wlan3 (Hotspot Interface) MTU Value of 1500 Bytes.

    These are only 2 of hundreds of similar defaultrops concerning the same connection (between a hotspot client and its gateway).

    Meanwhile I've figured out a clean and functioning configuration with MTU= 1500 for the hotspot interface. Alle websites without

    exception can be browsed now. The cause for all the former trouble was presumably a wrong MTU value of 1518 on the internal LAN Interface

    which is involved in the hotspot communication so far that the tunneling of the seperated zone network traffic goes to the internal LAN interface.

    Don't know how why this didn't cause trouble before the hotspot installation and from where this MTU=1518 setting originally came.

    Could explain why short packages (like google search query results an wikipedia sites) could be browsed whereas sites with large startpages (with lots of pictures etc.) which need fragmentation, stucked.

    Nevertheless I have a good configuration now with both MTU Values set to 1500 (as all other interfaces on our sg330  too) that even functions like a charm with webprotection enabled.

    Thanks to the community and especially to Bob for helping.

     

    Cheers and a nice weekend - Gerard