
Violation Firewall on traffic from LAN zone to WiFi zone

Okay, I have something strange that I don't seem to get.

I have my normal LAN zone with my Internal Network range. In this zone I have an AP55C access point and the access point in turn has a Wireless network in a separate zone (called WiFi).

I needed to enable traffic from LAN to WiFi zone, so I created a firewall rule:

However, no traffic is hitting this rule. I have checked and double checked zones and networks.

The LAN zone can ping the Firewall address of the WiFi zone. The WiFi zone can browse the internet through the XG, and all hosts have the XG as their default gateway.

In a packet trace I see the following information coming back over and over when I try to telnet from the LAN zone client to the WiFi zone client on port 4747, since a service is listening there.

2021-01-07 11:28:40 | Port1 | wlnet1 | IPv4 | 172.16.16.100 | 10.20.30.11 | TCP | 54231,4747 | 0 | 0 | Violation | Firewall | No policy | No policy | SYN_SENT
2021-01-07 11:28:40 | Port1 | IPv4 | 172.16.16.100 | 10.20.30.11 | TCP | 54231,4747 | 0 | 0 | Incoming | No policy | No policy | NONE

There is always 0B in and 0B out on this firewall rule.

I have changed the rule to explicitly allow from LAN any to WiFi any, but it doesn't make a difference. Only when I change the rule to Destination any/any do I start to see the byte count increase (because the rule is high in the chain it then captures all internet traffic from WAN); however, I still get the same packet trace with Violation, and it is not possible to send any traffic from LAN to the WiFi zone.

Am I overlooking something, or do I need to make some routing changes in the advanced shell for this to work?



  • A lot of information is shown. I think this is a line that is about the traffic that is dropped and shouldn't have...

    2021-01-07 19:11:52 0101021 IP 172.16.16.100.50412 > 10.20.30.11.4747 : proto TCP: S 1759223807:1759223807(0) win 64240 checksum : 44857
    0x0000: 4500 0034 68e3 4000 7f06 ae4d ac10 1064 E..4h.@....M...d
    0x0010: 0a14 1e0b c4ec 128b 68db 9fff 0000 0000 ........h.......
    0x0020: 8002 faf0 af39 0000 0204 05b4 0103 0308 .....9..........
    0x0030: 0101 0402 ....
    Date=2021-01-07 Time=19:11:52 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=wlnet1 inzone_id=1 outzone_id=0 source_mac=e8:d8:d1:aa:6a:1d dest_mac=ac:22:0b:4f:3d:41 bridge_name= l3_protocol=IPv4 source_ip=172.16.16.100 dest_ip=10.20.30.11 l4_protocol=TCP source_port=50412 dest_port=4747 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1531697728 masterid=0 status=256 state=1, flag0=755916341248 flags1=34359738368 pbdid_dir0=0 pbrid_dir1=0
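Reading a record like the one above by hand is error-prone, so here is an added Python example (not part of the thread and not Sophos code) that parses the key=value log line, decodes the IPv4/TCP headers from the hex dump, cross-checks the two, and states what the record says happened to the packet. The log line and hex dump are copied from the reply with the forum line-wrapping removed; the meaning of each key is assumed from its name, and "no rule matched" is read off the record itself (log_subtype=Denied with fw_rule_id=0, consistent with the "No policy" columns in the packet capture).

```python
"""Decode the denied-SYN record from the thread above.

Added example, not Sophos code and not from the original posters. Key
meanings are assumed from their names; the verdict only restates what the
record shows: log_subtype=Denied and fw_rule_id=0.
"""
import re
import struct
from typing import Dict, List

# Constructed input: the key=value record from the reply, spacing repaired.
LOG_LINE = (
    "Date=2021-01-07 Time=19:11:52 log_id=0101021 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Denied log_status=N/A "
    "log_priority=Alert duration=N/A in_dev=Port1 out_dev=wlnet1 "
    "inzone_id=1 outzone_id=0 source_mac=e8:d8:d1:aa:6a:1d "
    "dest_mac=ac:22:0b:4f:3d:41 bridge_name= l3_protocol=IPv4 "
    "source_ip=172.16.16.100 dest_ip=10.20.30.11 l4_protocol=TCP "
    "source_port=50412 dest_port=4747 fw_rule_id=0 policytype=0 "
    "connid=1531697728 masterid=0 status=256 state=1, flag0=755916341248"
)

# Constructed input: the hex dump from the same reply.
HEX_DUMP = """\
0x0000: 4500 0034 68e3 4000 7f06 ae4d ac10 1064 E..4h.@....M...d
0x0010: 0a14 1e0b c4ec 128b 68db 9fff 0000 0000 ........h.......
0x0020: 8002 faf0 af39 0000 0204 05b4 0103 0308 .....9..........
0x0030: 0101 0402 ....
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# offset prefix, then 1-8 groups of four hex digits; the ASCII column is ignored
HEX_LINE_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}(?:\s|$)){1,8})")


def parse_kv(line: str) -> Dict[str, str]:
    """Split 'key=value key2=value2 ...' into a dict; empty values are kept."""
    return {k: v.rstrip(",") for k, v in KV_RE.findall(line)}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ... ascii' lines into raw packet bytes."""
    out = bytearray()
    for raw in dump.splitlines():
        m = HEX_LINE_RE.match(raw.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def decode_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed IPv4 and TCP headers (options are not interpreted)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = (
        struct.unpack("!BBHHHBBH4s4s", pkt[:20]))
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    flags = off_flags & 0x01FF
    return {
        "total_length": total_len, "captured_length": len(pkt), "ttl": ttl,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
    }


def cross_check(fields: Dict[str, str], decoded: Dict[str, object]) -> List[str]:
    """List every log field that disagrees with the bytes actually captured."""
    expected = {"source_ip": decoded["src"], "dest_ip": decoded["dst"],
                "source_port": str(decoded["sport"]), "dest_port": str(decoded["dport"])}
    return [f"{k}: log={fields.get(k)!r} packet={v!r}"
            for k, v in expected.items() if fields.get(k) != v]


def verdict(fields: Dict[str, str]) -> str:
    """Summarise the firewall's decision from the record's own fields."""
    path = f"{fields.get('in_dev')} -> {fields.get('out_dev') or '(none)'}"
    if fields.get("log_subtype") == "Denied" and fields.get("fw_rule_id") == "0":
        return f"{path}: denied with fw_rule_id=0, i.e. no firewall rule matched this flow"
    if fields.get("log_subtype") == "Denied":
        return f"{path}: denied by firewall rule {fields.get('fw_rule_id')}"
    return f"{path}: {fields.get('log_subtype')} (rule {fields.get('fw_rule_id')})"


def analyse(log_line: str, hex_dump: str) -> Dict[str, object]:
    """Parse both artefacts and return fields, decoded packet, mismatches, verdict."""
    fields = parse_kv(log_line)
    decoded = decode_ipv4_tcp(hexdump_to_bytes(hex_dump))
    return {"fields": fields, "packet": decoded,
            "mismatches": cross_check(fields, decoded), "verdict": verdict(fields)}


if __name__ == "__main__":
    result = analyse(LOG_LINE, HEX_DUMP)
    p = result["packet"]
    print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
          f"SYN={p['syn']} seq={p['seq']} win={p['window']} ttl={p['ttl']}")
    print("mismatches:", result["mismatches"] or "none")
    print(result["verdict"])
```

Run as a script it prints the decoded SYN (172.16.16.100:50412 to 10.20.30.11:4747, sequence 1759223807, window 64240) and the verdict that the packet was denied with no rule id, which is the same picture the "No policy" columns give in the packet capture: the problem is rule matching, not the WiFi host refusing the connection.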