Tuesday, December 17, 2019

Wireless Access Issue

Good morning, all;

First time poster, long time lurker. I have run into an interesting problem, and I wanted to see what some other folks have to say, as my usual Google-fu has only been a little helpful so far.

Internal network with Domain Controller as DNS/DHCP host. We've got a Sophos UTM 9 firewall with a Cisco SG300-52 as our primary switch, currently set to L3 mode. We've got multiple Ubiquiti Access Points in the building, all of which are attached to the internal network normally. We've got three SSIDs set up - two primary ones, one for users, one for guests, with no VLAN tag, and a third one just for our robots on VLAN 3.

On our firewall, we've got a DHCP server set up with its own interface for VLAN 3. On the switch, we've got all of the AP ports tagging VLAN 3 traffic, native is untagged, everything else is excluded. Figured out that we needed to turn on the relay on the firewall to get internal traffic to the right DHCP server, or else anything trying to connect got confused.

Here's my problem: The confusion is still happening from time to time. I had a user, who normally connects via Ethernet, try to connect to the WiFi but they were continually being told there was no internet, despite being 'connected', and their IP address always ended up as a 169 with no gateway. Even when I assigned a gateway, it failed to connect. The only way I could seem to get it to work was by first having their PC forget the network, reconnect to it, then add a static IP address on the correct subnet to get their network/internet working.

I am positive the issue lies somewhere between the access points and the firewall - specifically, I think the problem lies with the switch port configuration. I was having some issues initially setting it up, but I figured out if I tagged VLAN 3 on the port in question and left the native VLAN untagged, traffic would flow normally. GE41 is a port one of the APs is plugged into, and GE51 is our primary LAN line, allowing all of the VLANs we have configured through it.

Any suggestions would be much appreciated. And if I left out any important information, please ask.

Firewall interface setup: https://imgur.com/ynXGsRq

Firewall VLAN DHCP setup: https://imgur.com/OMPWeSz

Firewall relay setup: https://imgur.com/LgjnDwa

Switch port VLAN settings: https://imgur.com/Qpb3ETz

AP SSID settings: https://imgur.com/7bnqn9k


