This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wifi Protection behind RED Tunnel / Bridge

We have a new office with an XGS 2100 which is connected to our central UTM SG via RED. We have created a bridge on both sides for the office LAN and multiple WiFi networks. All traffic is routed via the central UTM. (UTM is default gateway) Our WiFi access points are managed via the central UTM, too. Wifi protection is disabled at the XGS. The Access Points in the new office do not appear in the UTM's AP list. I can successfully open a connection to the UTM (via default gateway IP) using port 2712. However I cannot connect to 1.2.3.4 on port 2712. I captured the traffic of one of the APs and found out, that des XGS 's firewall is dropping the packets to 1.2.3.4. (reason is violation) I already have a firewall rule in place which allows all traffic. Has anyone an idea how I can make the XGS allow these packets?

This thread was automatically locked due to age.

0 LHerzog over 3 years ago

probably, the XGS is dropping it because of the service not enabled here. As this is one of the built-in IP, I'm not sure if it is possible to NAT the traffic to the upstream UTM but I believe this needs to be done. Hope, someone can confirm this.

Is the IP 1.2.3.4 included of the IPSec (?) Tunnel between XGS and UTM?
Cancel
Vote Up 0 Vote Down

Cancel
0 Jan Gatzke over 3 years ago in reply to LHerzog

Thanks for your quick reply! I have activated WiFi Protection under device access, but the connection is still being dropped.

I have tried to DNAT the 1.2.3.4 to the UTM already, but that did not work either.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 3 years ago in reply to Jan Gatzke

The Out Interface looks good - and as you don't have Local ACL but firewall, I think there is an issue with the source- or destination zone in that rule.

Can you double check that?

Can you test the connection to 1.2.3.4 on port 2712 on the XG console by telnet 2712? Does it go out to the correct interface?
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 3 years ago in reply to LHerzog

if already on the console,

from advanced shell get the result of

drppkt port 2712
Cancel
Vote Up 0 Vote Down

Cancel
0 Jan Gatzke over 3 years ago in reply to LHerzog

As the XGS is not used as firewall at all but only for encryption (the RED tunnel is using another company's infrastructure) I have created a rule that includes only any. Any source, any destination, any zones. The packet filtering is done at the UTM only.
Cancel
Vote Up 0 Vote Down

Cancel