WiFi Hotspot on RED VLAN possible, but...

This topic was discussed here but I found a way to make it work.
However, this solution causes something else very important to stop working.
The following problem originally existed.

Based on Sophos SFOS 18.5.1 MR-1-Build326
When creating a new hotspot (Wireless / Hotspots / Add), only interfaces directly connected to the firewall can be selected.
Interfaces that sit behind a RED cannot be selected. To make this possible, it is necessary to create a bridge, described in KB-000035548 (support.sophos.com/.../KB-000035548).
Here, the local hotspot / guest interface and the RED interface should be selected as members. Please do not forget to define DHCP.
This bridge can then be selected as an interface for a hotspot.

The whole thing works as intended and desired.

But now comes the but. If you also use an HA cluster, the problems arise. The cluster fails in an HA failover.
The cluster members are not reachable for a period of 5-10 minutes; after the new "primary" member firewall is reachable, it's in failsafe mode. Only a complete turn off and on again causes the member firewall to work normally.
This means that an automatic HA function is no longer possible. Previous analysis suggests that the NAT rule for the created hotspot causes this problem.

Does anyone have similar experiences or even a solution?



  • What type of RED is this? 50 or 60?

    Any chance to test this with 18.0 MR6? Thinking of NC-70783, which is only fixed in MR6, not in 18.5.x. An issue we had with a RED60 in Bridge mode, and your issues "The cluster fails in an HA failover. The cluster members are for a time period of 5-10 minutes not reachable, after the new "primary" member firewall is reachable its in failsafe mode. Only a complete turn off and on again causes the member firewall to work normally." sound well known to me. Is it possible that the issue starts with the click on the save button in the RED config?

  • Hello LHerzog,

    It's a RED50.

    No, V18 is actually not an option. And no, the save button didn't start the problem. We trigger the failover manually, i.e. we simply switch off the primary box.

    regards,

  • Hi,

    NC-70783 is for an issue when saving the RED configuration and it only affects the GUI, not internet connectivity.

    This is mostly true, but in our case, saving a RED50 or 60 sometimes caused exactly the same issues as described by . The GUI went unresponsive afterwards every time.

    When we received the fix, all the issues we had were gone. (Btw, we were on 18.0 MR5 and got a pre-fix from Support which is only included in MR6.)

    Please test if you can recreate the issue by saving a RED without changing something (just click save on the RED, not the Bridge) and report back to us.
