I have been fighting with getting an Airvana Airave v2.5 added to my network for a few weeks now. I can get it to connect to the internet but it does not connect to Sprint's servers (per Sprint Cust Serv Reps) when it is behind the UTM. It has 4 lights on the front, the Broadband, GPS, and Network lights are solid green, but the Mobile light is flashing red.
If I connect it between my Cable Modem and the Sophos UTM, it comes up completely and works with no issue (all 4 lights solid green and Sprint servers see it). However, I can't place it between my UTM and modem permanently because the Airave kills VPNs that are run through it, and I must use VPN for my work.
I am trying to have the Airave in a DMZ. I have never done a DMZ before, so I may have missed, or misconfigured, something. I have searched the community, and tried what I found. Any help is welcome.
I am using Sophos UTM v9.409-9.
- I have 3 VLANs coming off my UTM, on a single physical port and going into a NETGEAR GS724Tv4, where they are assigned to separate ports.
- VLAN 153 is dedicated to the Airave and its interface is 203.192.153.1/29.
- The DHCP server (in the UTM) has a range of 203.192.153.2 - 6, with a default gateway of 203.192.153.1, lease time 14400. NTP option is turned on.
- The network is included in the Networks list for NTP, DNS, Transparent Mode Skip List (both Source and Dest Lists), & App Control Skiplist.
- The network is excluded from the Intrusion Prevention Network list, Web Filtering Network List.
- I have a Host defined for the Airave with its MAC and the first available IP Address of 203.192.153.2.
- Pharming protection is off.
- All three VLANs can reach the internet fine.
- I have overridden the default MTU (576) from my cable modem and set it to 1528.
After getting 3 completely different lists of required ports from 3 different Sprint CS Reps, I used the nuclear option on the firewall for this DMZ (this is the only device on the network):
- Source: Any -> Service: Any -> Dest: DMZ & Airave (both are in the list), Allow, Location Top
- Source: DMZ & Airave (both are in the list) -> Service: Any -> Dest: Any, Allow, Location #2
The Airave seems to require ping. And I use an NMS that requires pinging of all monitored devices (I monitor the UTM with SNMP). So, I also added firewall rules:
- Source Any -> Service: ping -> Dest: External (WAN) (Address), Drop, Location next to bottom
- Source Any -> Service: ping -> Dest: Internal (Address), Allow, Location bottom
- Global ICMP
- Block ICMP on Gateway
- Allow ICMP through Gateway
- Block ICMP through Gateway from external
- Log ICMP redirects
- Gateway is NOT ping visible
- Ping from gateway
- Gateway forwards ping
I have tested, and I can ping the UTM and internet addresses from my VLANs. But pings from the internet to my WAN are lost.
NAT: I have a Masquerade set up for all three VLANs:
- <Vlan Name> (network) -> External (WAN)
DNAT: I set up these rules:
- Any -> port 5060-5061 -> External (WAN) (Address) Dest, Trans: Airave, Service: null, Log initial
- Any -> port 52428 -> External (WAN) (Address) Dest, Trans: Airave, Service: null, Log initial
- Any -> port 4500 -> External (WAN) (Address) Dest, Trans: Airave, Service: null, Log initial
- Any -> port 500 -> External (WAN) (Address) Dest, Trans: Airave, Service: null, Log initial
- Any -> Telnet -> External (WAN) (Address) Dest, Trans: Airave, Service: null, Log initial (I added this one when I saw a bunch of telnet traffic to my WAN, from Sprint Addresses).
I am not seeing drops in my firewall live logs for traffic from the Airave.
I am not seeing drops in the Advanced Threat, Application Control, Intrusion Prevention, or Web Filtering live logs that refer to the unit or its network.
What am I missing?
This thread was automatically locked due to age.
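An added illustration of the rule set in the post above (this is example code, not part of the original post and not Sophos code): a Python model of a first-match packet filter loaded with the four firewall rules and the DNAT port list exactly as the poster listed them. The WAN address (198.51.100.10) and the Internal address (192.168.1.1) are constructed placeholders, and the model assumes that DNAT is applied before the firewall rules see the packet and that traffic matching no rule is dropped. Walking sample packets through it shows which rule decides each flow, which is the check an administrator wants before looking elsewhere for a DMZ problem.

```python
"""First-match model of the DMZ rule set described in the post above.

Added example; not code from the original post or from Sophos. The rules are
transcribed from the post. WAN and internal addresses are constructed
placeholders. Two assumptions: DNAT is applied before the firewall rules see
the packet, and a packet matching no rule is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("203.192.153.0/29")       # VLAN 153 interface network (from the post)
AIRAVE = ip_address("203.192.153.2")           # the "Airave" host object (from the post)
WAN_ADDR = ip_address("198.51.100.10")         # constructed: External (WAN) (Address)
INTERNAL_ADDR = ip_address("192.168.1.1")      # constructed: Internal (Address)

# DNAT rules from the post: these destination ports on the WAN address are
# translated to the Airave (23 = Telnet, 500/4500 = IKE and NAT-T, 5060-5061 = SIP).
DNAT_PORTS = {23, 500, 4500, 5060, 5061, 52428}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # ignored for icmp


def in_scope(scope: str, addr) -> bool:
    """Resolve the network objects named in the post's rules."""
    if scope == "any":
        return True
    if scope == "dmz":       # "DMZ & Airave (both are in the list)"
        return addr in DMZ_NET or addr == AIRAVE
    if scope == "wan":       # "External (WAN) (Address)"
        return addr == WAN_ADDR
    if scope == "internal":  # "Internal (Address)"
        return addr == INTERNAL_ADDR
    raise ValueError(f"unknown scope {scope!r}")


def service_matches(service: str, pkt: Packet) -> bool:
    if service == "any":
        return True
    if service == "ping":
        return pkt.proto == "icmp"
    raise ValueError(f"unknown service {service!r}")


# (name, source, service, destination, action) in the order the post gives:
# top, #2, next to bottom, bottom.
RULES = [
    ("1 Any -> Any -> DMZ&Airave: Allow",     "any", "any",  "dmz",      "allow"),
    ("2 DMZ&Airave -> Any -> Any: Allow",     "dmz", "any",  "any",      "allow"),
    ("3 Any -> ping -> External (WAN): Drop", "any", "ping", "wan",      "drop"),
    ("4 Any -> ping -> Internal: Allow",      "any", "ping", "internal", "allow"),
]
DEFAULT = ("drop", "default policy (assumption: unmatched traffic is dropped)")


def apply_dnat(pkt: Packet) -> Packet:
    """Rewrite the destination as the post's DNAT rules would (assumed to run before filtering)."""
    if (ip_address(pkt.dst) == WAN_ADDR and pkt.proto in ("tcp", "udp")
            and pkt.dport in DNAT_PORTS):
        return Packet(pkt.src, str(AIRAVE), pkt.proto, pkt.dport)
    return pkt


def trace(pkt: Packet) -> list:
    """Walk the rule set top to bottom; return [(rule name, matched?)] up to the first match."""
    pkt = apply_dnat(pkt)
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    walk = []
    for name, s_scope, service, d_scope, _action in RULES:
        hit = in_scope(s_scope, src) and service_matches(service, pkt) and in_scope(d_scope, dst)
        walk.append((name, hit))
        if hit:
            break
    return walk


def evaluate(pkt: Packet) -> tuple:
    """Return (action, rule name) for the first matching rule, or the default policy."""
    walk = trace(pkt)
    name, hit = walk[-1]
    if not hit:
        return DEFAULT
    action = next(r[4] for r in RULES if r[0] == name)
    return action, name


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", str(WAN_ADDR), "udp", 5060),     # carrier-side SIP to the WAN address
        Packet("203.0.113.5", str(WAN_ADDR), "tcp", 443),      # unsolicited HTTPS to the WAN address
        Packet(str(AIRAVE), "203.0.113.9", "icmp"),            # Airave pinging out
        Packet("203.0.113.5", str(WAN_ADDR), "icmp"),          # internet host pinging the WAN address
        Packet("192.168.1.10", str(INTERNAL_ADDR), "icmp"),    # NMS pinging the UTM's internal address
    ]
    for p in samples:
        print(f"{p.src:>15} -> {p.dst:<15} {p.proto}/{p.dport:<5} {evaluate(p)}")
```

Two things the walk makes visible. First, with rules 1 and 2 at the top, every packet leaving the Airave is decided by rule 2 and no later rule (including the two ping rules) is ever consulted for it, so the ICMP rules cannot be what is blocking the device. Second, the "pings from the internet to my WAN are lost" observation is exactly what rule 3 specifies, so that log line is expected rather than a symptom. Re-running a model like this after each rule change is a cheap way to keep the any/any exposure of the DMZ in view while the real fault is tracked down elsewhere.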