Can't access the internet through a browser on my separate-zone wifi network with APX320 through my RED 060 (works fine inside the XGS320)

Hello.

I have created 1 wifi network bridged to LAN and 3 wifi networks on a separate zone.

All wifi networks operate just fine as long as my APX320 are connected on the LAN of the XGS2300.

On my RED 60 I can access the internet through my bridged-to-LAN wifi network, but not through my other separate-zone wifi networks.

I went through Rules and policies in order to enable it as follows, but it doesn't work:

Would you give me a hint on why it is not working?

Wireless protection is enabled.

DHCP and DNS don't seem to be the problem, since the connections work while connected to the XGS.

I am missing something related to the RED.

Also, I can ping google by name or 8.8.8.8, but can't access it through a browser.

Best regards,

JF

  • Hello,

    Thank you for reaching out to the community. Please refer to the doc: Create a wireless network as a separate zone.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thank you for your reply.

    Sadly for me, your reply doesn't solve my problem as I have already read that article/doc.

    The only difference is that in my screenshot of the "firewall policies" I sent one without the zone "Wifi" as I was testing if "RED" should be the only one declared.

    Let me repeat that my wifi networks can browse and access the internet while behind the XGS but not when they are behind the RED.

    And this applies only to the separate-zone wifi networks.

    Thanks and best regards,

    JF

  • Thank you for the clarification again. May I know in which zone your RED is defined?
    And may I also know in which mode you have deployed your RED, i.e. Standard/Unified, Standard/Split or Transparent/Split?

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services

  • Both my REDs are on standard/split.

    My REDs are declared in a zone named RED.

    My problem is that the members declared in the zone RED are not the ones created by the separate zone of my wifi networks.

    Thus, being on the WIFI zone, I added the WIFI zone to my policy, but no changes... unless I had to restart my APX, which I don't recall if I did.

    Thanks & best regards,

    JF

  • Hey, with the standard/split configuration, all traffic not targeted to the split networks is directly routed to the internet connected on the RED. Only traffic targeted to split networks is redirected to your local firewall.

    Is there a rule for WiFi to WAN?

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services

  • I only have the ISP router, with no other firewall on the local network.

    There is no other rule for WiFi to WAN besides the one in my screenshot:

    Please let me know if I answered your question correctly; otherwise I may not have understood.

    Thanks & best regards,

    JF

  • You have configured your RED in standard/split, right? So there must be a direct ISP connection to your RED, if you understood the standard/split network; if I misunderstood, please let me know. And on this current rule, have you created a LINKED NAT rule?

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services

  • Thank you for replying. I do understand how standard/split vs standard/unified works.

    I checked all my NAT rules and I had no "any to any" rule with MASQ on SNAT; plus, I had no NAT rule that was linked.

    After creating the new rule I restarted my APX just in case and tested once again.

    I am still stuck when trying to browse the internet through my separate zone wifi networks.

    Thanks & best regards,

    JF

  • Here is the difference, for your understanding, between Standard/Unified mode and Standard/Split mode:

    Standard/Unified mode

    This is the most commonly used mode. In this mode, we expect that the remote network will be fully managed by the UTM, through the RED. DHCP may be offered for the remote LAN by the UTM, and the RED may be the only device connecting the LAN to the Internet. While another router may sit in front of the RED, there is not a parallel path around the RED to the internet. 



    Figure 2: RED used in Standard/Unified mode

    Figure 2 illustrates the flow of data in this operational mode. All traffic from the remote LAN will pass through the RED tunnel, whether it is heading for the local LAN, or the Internet. This allows the UTM to allow or deny requests in exactly the same manner as it does for traffic coming from the local LAN. Traffic between local and remote LANs can be blocked or allowed just by using firewall rules on the UTM. Web traffic can be filtered using the web security module, and applications such as Skype or BitTorrent can be controlled for remote LAN users, just as they can be for LAN users. This provides the highest level of security and manageability for remote networks. Its biggest drawback is the increased bandwidth requirements it may place on the UTM’s internet link. Since all internet traffic from the remote LAN also uses internet bandwidth at the UTM, the internet bandwidth at the UTM must be large enough to service requests from both its own local users, and all remote RED users. The RED 10 appliance is capable of tunneling data at up to 30 Mbps.

    In the event that the RED loses contact with the UTM, and the tunnel fails, the RED will fail closed. Remote LAN users will lose access to the internet as well as to the UTM LANs until the tunnel can reconnect.
     

    Standard/Split mode

    Standard/Split mode is physically similar to Standard/Unified mode. We expect that the remote network may be managed by the UTM, and UTM may provide DHCP to the remote LAN. Also, the RED is most likely the only device between the LAN and the internet. However, only traffic for selected networks is sent through the tunnel. All other traffic is sent directly out the local internet connection. The RED will masquerade outbound traffic to come from its public IP address. This minimizes bandwidth usage over the tunnel, and lightens the bandwidth requirements on the UTM, but it also reduces the manageability of the remote network substantially. Traffic to or from the internet cannot be filtered or protected from threats. Security can only be applied between the remote and local LANs.  



    Figure 3: RED used in Standard/Split mode

    In the event that the RED loses contact with the UTM, and the tunnel fails, the RED will fail closed. Remote LAN users will lose access to the internet as well as to the UTM LANs until the tunnel can reconnect.
     
    For reference, you can refer to the technical training guide: Sophos UTM: RED (Remote Ethernet Device) technical training guide

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services
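
The Standard/Unified versus Standard/Split forwarding behaviour described in the post above, modelled as a small Python decision function. This is an added example, not code from the thread or from Sophos; the `RedDevice` and `Decision` classes, the mode labels, the RED public IP 203.0.113.7 and the split network 10.1.0.0/16 are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Decision:
    path: str            # "tunnel", "local-isp" or "dropped"
    source_seen: str     # source address the destination host sees
    utm_inspected: bool  # True only when the UTM's firewall/web policy sees the flow


@dataclass
class RedDevice:
    mode: str                     # "standard/unified" or "standard/split" (assumed labels)
    public_ip: str                # RED's address on its own ISP link (constructed value)
    split_networks: list = field(default_factory=list)  # networks reached via the tunnel
    tunnel_up: bool = True

    def forward(self, src: str, dst: str) -> Decision:
        """Decide how a packet from the remote LAN is handled in the configured mode."""
        if not self.tunnel_up:
            # Both modes fail closed: no internet and no UTM LAN until the tunnel reconnects.
            return Decision("dropped", src, False)
        if self.mode == "standard/unified":
            via_tunnel = True  # everything rides the tunnel to the UTM
        elif self.mode == "standard/split":
            via_tunnel = any(ip_address(dst) in ip_network(n) for n in self.split_networks)
        else:
            raise ValueError(f"unsupported mode: {self.mode}")
        if via_tunnel:
            # The UTM sees the original source and can apply firewall and web policy.
            return Decision("tunnel", src, True)
        # Split mode, destination outside the split networks: straight out the local ISP
        # link, masqueraded to the RED's public IP and never seen by the UTM's policies.
        return Decision("local-isp", self.public_ip, False)


# Constructed topology: the UTM-side LAN 10.1.0.0/16 is the only split network.
UNIFIED = RedDevice("standard/unified", "203.0.113.7", ["10.1.0.0/16"])
SPLIT = RedDevice("standard/split", "203.0.113.7", ["10.1.0.0/16"])

if __name__ == "__main__":
    for red in (UNIFIED, SPLIT):
        for dst in ("10.1.20.5", "8.8.8.8"):
            print(red.mode, dst, red.forward("192.168.50.10", dst))
```

The `utm_inspected` flag makes the manageability trade-off from the post visible: in Split mode any flow that leaves via `local-isp` never reaches the UTM's firewall or web rules, so a rule on the firewall can only affect traffic that goes through the tunnel.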

  • Thank you for your reply.

    The problem I encounter applies only to the separate-zone wifi networks.

    A wifi network bridged to LAN can browse the internet if I stand behind the RED.

    But a wifi network on a separate zone cannot browse the internet while behind the RED; it does work while standing behind the XGS.

    I know my problem is not related to the RED, since I tested on my 3rd RED, which is on standard/unified, and I still have the same problem. I didn't refer to this one earlier since I don't wish to install an APX behind that one.

    I am eager to find a solution to this problem.

    It might be just an option I forgot to check.

    I will start all over again and come back if I am still stuck.

    So far, thank you for your patience and help on this matter... I seem to be searching for a needle in a haystack, and you did help me by checking my walkthrough so far.

    Thanks and best regards,

    JF