When you enable the hotspot mode on an interface, the communication traffic between access points and the ASG itself is also dropped.
This makes it impossible to have a hotspot configured on the same LAN segment that the APs are connected to, which is normal if you have "bridge to AP LAN" mode for an SSID.
The iptables mangle chain "HOTSPOT_CUTOFF_PRE" is discarding the packets on port 2712 without notification/logging, because of a missing implicit allow rule.
I suggest you also make the restrictiveness of the HOTSPOT_CUTOFF_PRE rules a bit looser. E.g. allow all ports needed for AP-to-ASG communication (2712, 3401 etc.), also RED (3400), and ICMP. At the moment you cannot even ping the central ASG for testing purposes...
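
An added example, not part of the original post and not Sophos code: a small audit that walks a saved mangle table and reports, for each service named above, which target the HOTSPOT_CUTOFF_PRE chain reaches first. The rule dump is constructed, TCP is assumed for the port probes (the post gives only port numbers), and only protocol and destination-port matches are evaluated; negated matches and other match options are ignored.

```python
import shlex

# Constructed `iptables-save -t mangle` sample; the real ASG chain is not shown in the post.
SAMPLE = """*mangle
:HOTSPOT_CUTOFF_PRE - [0:0]
-A PREROUTING -i eth1 -j HOTSPOT_CUTOFF_PRE
-A HOTSPOT_CUTOFF_PRE -p udp -m udp --dport 53 -j RETURN
-A HOTSPOT_CUTOFF_PRE -p tcp -m multiport --dports 80,443 -j RETURN
-A HOTSPOT_CUTOFF_PRE -j DROP
COMMIT
"""

# Ports named in the post (AP-to-ASG 2712 and 3401, RED 3400) plus ICMP. TCP is an assumption.
PROBES = [("tcp", 2712), ("tcp", 3401), ("tcp", 3400), ("icmp", None)]

def chain_rules(dump, chain):
    """Return the rules appended to `chain`, in order, as token lists."""
    rules = [shlex.split(line) for line in dump.splitlines()]
    return [tok[2:] for tok in rules if tok[:2] == ["-A", chain]]

def _opt(tok, *names):
    """Value following the first of `names` present in the rule, else None."""
    for name in names:
        if name in tok:
            return tok[tok.index(name) + 1]
    return None

def _in(port, spec):
    """True if port falls inside an iptables port spec such as '80' or '3400:3401'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def verdict(rules, proto, dport):
    """First terminating target for a packet, matching on protocol and destination port only."""
    for tok in rules:
        if _opt(tok, "-p", "--protocol") not in (None, "all", proto):
            continue
        ports = _opt(tok, "--dport", "--dports")
        if ports and (dport is None or not any(_in(dport, s) for s in ports.split(","))):
            continue
        target = _opt(tok, "-j", "--jump")
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
    return "RETURN"  # end of a user-defined chain returns to the caller

def audit(dump, chain="HOTSPOT_CUTOFF_PRE"):
    """Map each probe to the chain's verdict so silently dropped services stand out."""
    rules = chain_rules(dump, chain)
    return {probe: verdict(rules, *probe) for probe in PROBES}
```

Calling `audit()` on the text of a real `iptables-save -t mangle` dump shows which of the listed services hit a DROP before any allow rule.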