Possible Firewall issue - NSA4700
Hello Community,
We have a Guest WIFI SSID that works fine. I am currently testing a POC from Extreme (AP305C-WR). I have set up the AP with the correct VLANs for the Guest WIFI.
I have obtained an IP from the Guest subnet OK and the correct DNS. However, the Gateway for the subnet is not applying and I have no Internet access.
Could this be blocked by the SW although the rules are in place for the subnet and the original Guest WIFI using the same subnet works fine?
Please see upload picture.
Any pointers or thoughts, or how can I check this is being blocked by the firewall?
Thanks,
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@Asif_Iqbal the drop is just for multicast, which can be safely ignored for now. To see some ARP requests you might need to clear the caches of the involved equipment or just restart it, which should work too.
You might also look for DHCP packets EtherType: IP, IP Type: UDP, Destination Port 67,68 ... this will show you what the DHCP server is sending to the clients ... then export the Packet Monitor into Wireshark and check the DHCP options.
It takes some steps to investigate.
--Michael@BWC
0
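The DHCP option check suggested in the answer above, as an added example that is not part of the original thread: it walks the options field of a DHCP reply and flags a missing or off-subnet router (option 3), which is what a client with a valid IP and DNS but no gateway would show. Function names are hypothetical and the sample bytes are constructed; the client address, /24 mask and DNS value are assumptions, and only 10.32.40.10 comes from the thread.

```python
import ipaddress

# DHCP option codes from RFC 2132
OPT_PAD, OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_END = 0, 1, 3, 6, 255

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                      # pad byte carries no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value  # split options are concatenated
        i += 2 + length
    return opts

def addrs(value: bytes) -> list:
    """Split an option value into IPv4 addresses (4 bytes each)."""
    return [ipaddress.IPv4Address(value[j:j + 4]) for j in range(0, len(value) - 3, 4)]

def check_offer(yiaddr: str, opts: dict) -> list:
    """Return findings for the lease handed to client address yiaddr."""
    if len(opts.get(OPT_MASK, b"")) != 4:
        return ["no subnet mask (option 1)"]
    mask = ipaddress.IPv4Address(opts[OPT_MASK])
    net = ipaddress.IPv4Network(f"{yiaddr}/{mask}", strict=False)
    routers = addrs(opts.get(OPT_ROUTER, b""))
    findings = [f"router {r} is outside {net}" for r in routers if r not in net]
    if not routers:
        findings.append("no router (option 3): client gets no default gateway")
    if not addrs(opts.get(OPT_DNS, b"")):
        findings.append("no DNS server (option 6)")
    return findings

# Constructed sample option fields (DHCP ACK, mask /24, DNS 10.32.40.53)
GOOD = bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 3, 4, 10, 32, 40, 10, 6, 4, 10, 32, 40, 53, 255])
NO_ROUTER = bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 6, 4, 10, 32, 40, 53, 255])

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("no_router", NO_ROUTER)):
        print(name, check_offer("10.32.40.57", parse_dhcp_options(raw)) or "OK")
```

Comparing the options in the reply captured for the working Guest SSID with the one captured for the POC AP shows whether the two clients are actually being answered with the same lease parameters.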
Answers
@Asif_Iqbal 10.32.40.10 is the VLAN Interface IP of your SNWL for the Guest WIFI? Ping is enabled in the Interface settings for that? How about the correct subnet mask of scope and interface settings?
--Michael@BWC
@BWC Yes 10.32.40.10 is the VLAN INT on the SNWL for the Guest WIFI and Yes ping is enabled please see below.
DHCP Scope for this subnet is also the same. I'm going around in circles a bit as I cannot seem to work out why the Default Gateway would not work for what is essentially the same subnet and settings.
Thanks,
@Asif_Iqbal you should delete the Default Gateway on that Interface, I can't tell the exact impact but it's not needed.
The DHCP scope on your DHCP server is configured correctly as well?
--Michael@BWC
@BWC Yes, put in the DG for testing to see if this made a difference. I'll remove this after testing as this wasn't in originally. DHCP is configured correctly. The original Guest WIFI works fine with no issues - I have just tested the original now and there are no issues.
Only the POC has the Default Gateway ARP issue.
Thanks,
Did you do a Packet-Monitor on Interface X24:V18 to see if there are any drops or ARP requests at all?
--Michael@BWC
@BWC No, no packet trace yet. Can you advise how to do this and what options to use please? I tried searching the logs for the subnet IPs and found nothing.
Thanks,
@Asif_Iqbal I would first have a look what's going on at X24:V18, leave everything else on default. Don't forget to start the Packet-Monitor :)
From there you could search for dropped packets or ARP requests, which might get received with a wrong VLAN id etc.
If possible you can explicitly trace only ARP, just clear the Interface Name field and use ARP as Ether Type, this will show you any ARP requests, maybe you can find requests from your WLAN AP/Controller.
--Michael@BWC
@BWC Much appreciated - I'll kick this off shortly and let you know what I get back.
Thanks,
@BWC Hello Michael, I have done a quick Packet Trace with all fields on Default apart from Interface which is on X24:V18. I can see the IP applied to my device and is dropped with the following message below. Correct VLAN is applied with correct subnet IP.
When I add in ARP to IP Types I do not have any results. However, I do have intermittent Internet access which comes and goes and is not really useable.
Last check for my device is below.
Thanks,