
Violation Firewall on traffic from LAN zone to WiFi zone

Okay, I have something strange that I don't seem to get.

I have my normal LAN zone with my Internal Network range. In this zone I have an AP55C access point and the access point in turn has a Wireless network in a separate zone (called WiFi).

I needed to enable traffic from LAN to WiFi zone, so I created a firewall rule:

However, no traffic is hitting this rule. I have checked and double checked zones and networks.

The LAN zone can ping the Firewall address of the WiFi zone. Wifi zone can browse the internet through the XG and all hosts have the XG as their default gateway.

In a packet trace I see the following information coming back over and over when I try to telnet from the LAN zone client to the WiFi zone client on port 4747 (a service is listening there).

2021-01-07 11:28:40 | Port1 | wlnet1 | IPv4 | 172.16.16.100 | 10.20.30.11 | TCP | 54231,4747 | 0 | 0 | Violation | Firewall | No policy | No policy | SYN_SENT
2021-01-07 11:28:40 | Port1 | IPv4 | 172.16.16.100 | 10.20.30.11 | TCP | 54231,4747 | 0 | 0 | Incoming | No policy | No policy | NONE

There is always 0B in and 0B out on this firewall rule.

I have changed the rule to explicitly allow from LAN any to WiFi any, but it doesn't make a difference. Only when I change the rule to destination any/any do I start to see the byte count increase (because the rule is high in the chain it then captures all internet traffic from WAN); however, the packet trace still shows the same Violation and it is not possible to send any traffic from LAN to the WiFi zone.

Am I overlooking something, or do I need to make some routing changes in the advanced shell for this to work?



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Can you please show us the wireless network configuration and network definition for both the Internal LAN network and wireless network? 

    Thanks,

  • wireless network config

    LAN definition

    I'm not sure what more you need to see from the wireless network, because both the wireless network as well as the wlnet1 interface are exactly the "same screenshot".

  • Those issues could occur if we are talking about multiple duplicated networks. Could you double-check that your wireless network range is not used on the XG somewhere else? Also, is there an interface with 172.16.16.16? 

  • Maybe this is the definitions that H_Patel was requesting.

    As an answer to the question, yes, I am certain that those ranges are only used once. 172.16.16.16 is the interface address of Port1 (the normal LAN interface).

    Is there a command or place where I can find the complete routing table of XG so I can also check there if there's something strange?

  • Can you check on the Console the drop packet capture? 

    use advanced shell and check for drppkt 

  • A lot of information is shown. I think this is a line that is about the traffic that is dropped and shouldn't have been...

    2021-01-07 19:11:52 0101021 IP 172.16.16.100.50412 > 10.20.30.11.4747 : proto TCP: S 1759223807:1759223807(0) win 64240 checksum : 44857
    0x0000: 4500 0034 68e3 4000 7f06 ae4d ac10 1064 E..4h.@....M...d
    0x0010: 0a14 1e0b c4ec 128b 68db 9fff 0000 0000 ........h.......
    0x0020: 8002 faf0 af39 0000 0204 05b4 0103 0308 .....9..........
    0x0030: 0101 0402 ....
    Date=2021-01-07 Time=19:11:52 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=wlnet1 inzone_id=1 outzone_id=0 source_mac=e8:d8:d1:aa:6a:1d dest_mac=ac:22:0b:4f:3d:41 bridge_name= l3_protocol=IPv4 source_ip=172.16.16.100 dest_ip=10.20.30.11 l4_protocol=TCP source_port=50412 dest_port=4747 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1531697728 masterid=0 status=256 state=1, flag0=755916341248 flags1=34359738368 pbdid_dir0=0 pbrid_dir1=0

  • And here's the routing table (route command from advanced shell). Not too long and 10.20.30.0/24 is not overlapping with others or being used more than once.

  • It indicates that your firewall rule does not match. Double-check the objects and the zones you are using.

    In fact you could delete this firewall rule and create a new one, check if this one is matching. It looks like the firewall broke somehow. 

  • FormerMember (in reply to apijnappels)

    Hi,

    Are you able to ping the wireless network from the firewall? 

    Thanks,

  • Hi,

    Yes, I can ping the specific address from the XG diagnostics page

    And as to the question about the firewall rule, I just created a new rule as the very first rule with LAN/WiFi zones any source to LAN/WiFi zone any destination allow, but that also doesn't work and gets no traffic...

    So to recap; networks are unique, non-overlapping in route table, XG can ping the specified host, LAN host cannot get through somehow, not with ping, not with the port number needed.

    EDIT: Just created a new wireless network bridged to LAN as a test and in that network the clients can communicate to each other. This is however not the intended solution, since I want to make sure that the wireless network stays in its own separate zone.

  • Personally I believe this is actually an issue with the zone/separate zone interface itself. 

    That's the reason the firewall rule is not hitting. 

    Do you have a firewall rule, WiFi to WAN and does this rule work? 

    Could you create a new zone called Wireless and attach this to this interface? 

  • I do have a rule WiFi to WAN and it does work (traffic numbers are steadily increasing) and the specified wireless client 10.20.30.11 does have internet access.

    I did create a new zone Wireless and put wlnet1 in there. Created a fw rule for it in both directions but still no traffic is hitting this rule. 

  • Could you share a screenshot of your current Interface webadmin? 

    What about a firewall rule, wireless to ANY. Can you ping the client then? 

  • Do you mean this screenshot or something else?

    For test I created a fw-rule any/any -> any/any allow but still not able to ping from LAN computer to Wireless client. 

  • Do you have a SD-WAN PBR Route in place? Is there any? 

    Actually I am just guessing, because the firewall rule should hit. The drop packet capture indicates it knows both interfaces (wlan and lan), but the firewall rule seems not to hit at all. 

    Maybe you could create a tcpdump on the advanced shell, checking if those packets arrive at those states. But this should still be the case and hit the firewall anyways.

    Just wondering: If you create a new rule (for example LAN to WAN --> Clone your rule above), does this new rule catch the traffic?

    It might be the case that your framework is broken and all new rules are not getting pushed? There was a very old bug which could lead to this symptom. 

    After creating the rules, check the /log/firewall_rule.log 

  • The new rule (top rule LAN/any to Wireless/any) does not increase counters, stay at 0b.

    Here's output of TCPDUMP

    SFVH_SO01_SFOS 18.0.4 MR-4# tcpdump -ni any host 10.20.30.11 and port 4747
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    13:31:16.069465 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    13:31:17.071684 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    13:31:19.080490 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    13:31:23.089109 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    13:31:31.097611 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    PS, no SD-WAN PBR routes configured

    EDIT: here's the difference in pinging from a LAN host to the wireless host (first 4 packets) and from the XG to the same host.

    SFVH_SO01_SFOS 18.0.4 MR-4# tcpdump -ni any host 10.20.30.11 and icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    13:44:10.157900 Port1, IN: IP 172.16.16.100 > 10.20.30.11: ICMP echo request, id 1, seq 1768, length 40
    13:44:14.738554 Port1, IN: IP 172.16.16.100 > 10.20.30.11: ICMP echo request, id 1, seq 1769, length 40
    13:44:19.741589 Port1, IN: IP 172.16.16.100 > 10.20.30.11: ICMP echo request, id 1, seq 1770, length 40
    13:44:24.730530 Port1, IN: IP 172.16.16.100 > 10.20.30.11: ICMP echo request, id 1, seq 1771, length 40
    13:44:45.827329 wlnet1, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 0, length 64
    13:44:45.827338 vxlan3.102, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 0, length 64
    13:44:45.868467 vxlan3, IN: ethertype IPv4, IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 0, length 64
    13:44:45.868467 vxlan3.102, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 0, length 64
    13:44:45.868467 wlnet1, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 0, length 64
    13:44:46.827381 wlnet1, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 1, length 64
    13:44:46.827388 vxlan3.102, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 1, length 64
    13:44:46.889810 vxlan3, IN: ethertype IPv4, IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 1, length 64
    13:44:46.889810 vxlan3.102, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 1, length 64
    13:44:46.889810 wlnet1, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 1, length 64
    13:44:47.827421 wlnet1, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 2, length 64
    13:44:47.827428 vxlan3.102, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 2, length 64
    13:44:47.927223 vxlan3, IN: ethertype IPv4, IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 2, length 64
    13:44:47.927223 vxlan3.102, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 2, length 64
    13:44:47.927223 wlnet1, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 2, length 64
    13:44:48.827475 wlnet1, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 3, length 64
    13:44:48.827483 vxlan3.102, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 3, length 64
    13:44:48.947771 vxlan3, IN: ethertype IPv4, IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 3, length 64
    13:44:48.947771 vxlan3.102, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 3, length 64
    13:44:48.947771 wlnet1, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 3, length 64
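    The drppkt record quoted earlier and the tcpdump above say the same thing from two angles: the drop is logged as Denied with fw_rule_id=0 (no configured rule matched, so the default deny fired), and the LAN SYNs are seen entering on Port1 but never leaving on wlnet1, while the XG's own pings do leave via wlnet1/vxlan3.102. The script below is added here as an example (it is not from the thread or from Sophos) and makes both checks mechanical over sample lines copied from this thread; the XG addresses 172.16.16.16 (Port1) and 10.20.30.1 (wlnet1) are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample taken from the tcpdump -ni any output quoted in this thread.
TCPDUMP_LINES = """\
13:31:16.069465 Port1, IN: IP 172.16.16.100.59180 > 10.20.30.11.4747: Flags [S], seq 3351684537, win 64240, length 0
13:44:45.827329 wlnet1, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 0, length 64
13:44:45.827338 vxlan3.102, OUT: IP 10.20.30.1 > 10.20.30.11: ICMP echo request, id 48666, seq 0, length 64
13:44:45.868467 vxlan3, IN: ethertype IPv4, IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 0, length 64
13:44:45.868467 wlnet1, IN: IP 10.20.30.11 > 10.20.30.1: ICMP echo reply, id 48666, seq 0, length 64
""".splitlines()

# Constructed subset of the drppkt key=value record quoted earlier in the thread.
DRPPKT_RECORD = ("Date=2021-01-07 Time=19:11:52 log_id=0101021 log_type=Firewall "
                 "log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=wlnet1 "
                 "source_ip=172.16.16.100 dest_ip=10.20.30.11 l4_protocol=TCP "
                 "source_port=50412 dest_port=4747 fw_rule_id=0 policytype=0 bridge_name=")

# tcpdump -ni any prefixes each frame with "<iface>, IN:" or "<iface>, OUT:".
LINE_RE = re.compile(r"^\S+ (?P<iface>\S+), (?P<dir>IN|OUT): (?:ethertype IPv4, )?IP "
                     r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):")

def host(addr):
    """Drop the trailing port that tcpdump appends to TCP/UDP addresses (a.b.c.d.port)."""
    return ".".join(addr.split(".")[:4])

def flow_interfaces(lines):
    """Map (src, dst) -> {'IN': ingress interfaces seen, 'OUT': egress interfaces seen}."""
    flows = defaultdict(lambda: {"IN": set(), "OUT": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            flows[(host(m["src"]), host(m["dst"]))][m["dir"]].add(m["iface"])
    return dict(flows)

def unforwarded_flows(lines, local_addrs):
    """Flows that entered but never left on any interface; traffic to the XG itself is skipped."""
    flows = flow_interfaces(lines)
    return sorted(k for k, v in flows.items()
                  if v["IN"] and not v["OUT"] and k[1] not in local_addrs)

def parse_drppkt(record):
    """Split a drppkt 'key=value key=value' record into a dict (empty values allowed)."""
    return dict(kv.rstrip(",").split("=", 1) for kv in record.split() if "=" in kv)

def is_default_deny(fields):
    """Denied with fw_rule_id=0: no configured rule matched, the implicit deny fired."""
    return fields.get("log_subtype") == "Denied" and fields.get("fw_rule_id") == "0"
```

    Run unforwarded_flows(TCPDUMP_LINES, {"172.16.16.16", "10.20.30.1"}) to list flows that enter Port1 and never leave, and is_default_deny(parse_drppkt(DRPPKT_RECORD)) to confirm the drop is the rule-less default deny rather than an explicit rule.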

  • FormerMember (in reply to apijnappels)

    Hi,

    It could be the port 8472 blocked between the LAN network and wireless network. Is there a switch? How is your wireless and LAN networks connected? 

    If using Separate Zone networks, port 8472 is also required for separate zone communication. 

    Thanks,

  • Could you please disable "firewall-acceleration" on the console?

    console> system firewall-acceleration disable

  • H_Patel said:

    Hi,

    It could be the port 8472 blocked between the LAN network and wireless network. Is there a switch? How is your wireless and LAN networks connected? 

    If using Separate Zone networks, port 8472 is also required for separate zone communication. 

    Thanks,

    The Sophos AP55C is connected to the same switch as the workstation and the firewall, and all are in the same VLAN, so there shouldn't be anything filtered out.