Newly created second "separate zone" wireless network is unable to pass traffic and firewall log indicates Country Blocking

Issue: Created a 2nd “separate zone” wireless network, but unable to browse internet and firewall repeatedly reports “country blocked” regardless of website being accessed.


I can successfully see new wireless network from devices/laptops, and can successfully connect to the wireless network if the device/laptop is in whitelist. Where the failure seems to be is between the device/laptop and the New Wireless Network’s gateway. I am unable to ping the IP of the gateway. The firewall logs show the devices/laptops being “Country Blocked”, UDP and TCP, for any internet address including the gateway itself. If I disable “Country Blocking”, then I am able to browse the internet from the new wireless network but still unable to ping gateway. Same websites are accessible (no Country Blocking issue) from LAN and other two existing wireless networks, and all can ping respective gateways.

I am sure I have something misconfigured, but cannot locate the problem.

More details below:

UTM Model: SG230

Wireless Appliance: AP30

Firmware version: 9.409-9

There are 2 existing wireless networks (“employee” bridged to AP LAN, and “guest” separate zone) that are working flawlessly. I needed a second “guest” wireless network. I performed the following:

  1. Created new wireless network (mostly mimicking settings of current guest WiFi), making sure to select Separate Zone, client isolation enabled, and MAC filtering “Whitelist” enabled.
  2. Created appropriate MAC Address Definition group for whitelist.
  3. New “wlan2” interface was created. Made sure IP, netmask etc., was correct.
  4. Created new DHCP pool (making sure IPs were correct, and have DNS1 and GW pointing to same subnet x.x.x.1).
  5. Added firewall rule and turned on:
    1. Source: New Wireless Network (network)
    2. Services: Web Surfing
    3. Destinations: Any
    4. Allow
    5. Log traffic enabled
  6. Created NAT Masquerading Rule:
    1. Network: New Wireless Network (network)
    2. Interface: External (WAN)
    3. Use address: <<Primary address>>
  7. Added New Wireless Network (network) to DNS Global tab > Allowed Networks.


  • Unless the new WiFi network should be able to browse to internal devices, you will want 'Destinations' to contain "Internet" instead of the "Any" object.

    What are the first two octets of the DHCP server on that new wlanx NIC, and is it assigning IPs in the range of the Interface defined?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you again Mr. BAlfson (you helped quite a bit a few years back when I was starting out with Sophos).

    Geeez... I don't know if I need help getting a new pair of glasses, or I just need better sleep.

    I did have firewall destination pointing to internet, but had changed to any for troubleshooting purposes (and forgot to change back). I don't know why I didn't catch this before, but thank you for pointing me in the right direction... I meant to use 172.16.33.1/24... but somewhere along the way I used 176.16.33.1/24. Cr*p! That was embarrassing! But at least it is fixed now, and maybe I can go home and get more sleep. ;)
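Bob's question above (is the DHCP pool inside the subnet the wlanX interface defines?) and the root cause in the final reply (176.16.33.1/24 typed instead of 172.16.33.1/24, which lands outside RFC 1918 space so a geo-IP based rule treats the clients like any foreign public address) are both mechanical checks. The script below is an added example, not Sophos UTM code; it only uses the standard library and the two addresses from the thread as constructed inputs. The function name, the finding codes and the test cases are my own.

```python
"""Sanity-check a separate-zone wireless subnet before enabling it.

Added example (not Sophos UTM code). The constructed inputs mirror the thread,
where 176.16.33.1/24 was typed instead of the intended 172.16.33.1/24.
"""
from ipaddress import ip_address, ip_interface


def check_wireless_subnet(interface_cidr, dhcp_start, dhcp_end, gateway, dns):
    """Return a list of (code, message) findings; an empty list means consistent.

    interface_cidr: the wlanX interface address with prefix, e.g. "172.16.33.1/24"
    dhcp_start/dhcp_end: first and last address of the DHCP pool
    gateway/dns: the gateway and DNS1 the pool hands to clients
    """
    findings = []
    iface = ip_interface(interface_cidr)
    net = iface.network

    # A typo that lands outside private (RFC 1918) space makes every client
    # look like a public host, so an IP-geolocation rule such as Country
    # Blocking evaluates it like any foreign address. Catch that first.
    if not net.is_private:
        findings.append(("PUBLIC_RANGE",
                         f"interface network {net} is not a private range"))

    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    if start > end:
        findings.append(("POOL_ORDER",
                         f"DHCP pool start {start} is after end {end}"))

    # Everything the pool hands out must sit inside the interface's subnet,
    # otherwise clients cannot even ARP for the gateway (no ping, no traffic).
    gw = ip_address(gateway)
    for label, addr in (("dhcp_start", start), ("dhcp_end", end),
                        ("gateway", gw), ("dns", ip_address(dns))):
        if addr not in net:
            findings.append(("OUT_OF_SUBNET",
                             f"{label} {addr} is outside {net}"))

    # The gateway handed out by DHCP should be the interface address itself,
    # and it must not be inside the pool or a client may be leased it.
    if gw != iface.ip:
        findings.append(("GATEWAY_MISMATCH",
                         f"gateway {gw} differs from interface address {iface.ip}"))
    if start <= gw <= end:
        findings.append(("GATEWAY_IN_POOL",
                         f"gateway {gw} lies inside the DHCP pool {start}-{end}"))
    return findings


def codes(findings):
    """Distinct finding codes, sorted, for quick comparison."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    # Constructed inputs: the intended config, the typo from the thread, and a
    # pool that was built on a different subnet than the interface.
    cases = {
        "intended": ("172.16.33.1/24", "172.16.33.100", "172.16.33.200",
                     "172.16.33.1", "172.16.33.1"),
        "typo (public range)": ("176.16.33.1/24", "176.16.33.100", "176.16.33.200",
                                "176.16.33.1", "176.16.33.1"),
        "pool on wrong subnet": ("172.16.33.1/24", "176.16.33.100", "176.16.33.200",
                                 "176.16.33.1", "176.16.33.1"),
    }
    for name, args in cases.items():
        result = check_wireless_subnet(*args)
        print(f"{name}: {'OK' if not result else ''}")
        for code, msg in result:
            print(f"  [{code}] {msg}")
```

Run it once with the values from the UTM interface page and the DHCP pool page before turning a new separate-zone network on; the "typo" case reports only PUBLIC_RANGE, which is the symptom seen in the thread, while the "pool on wrong subnet" case reports every address the pool hands out as outside the interface network.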
