Can't get Internet on Guest Wifi

  • Question
  • Updated 1 year ago
Hi,
I have one AP230 6.5r5.
I have two SSIDs, one for pro and one for guest clients.

The pro SSID is OK: I have an IP address in the same range as my wired network.

I created a VLAN-GUEST for my second SSID; I have a range in 192.168.10.x, and it's OK.

First problem: when clients connect to it, they have an IP address in the right range but no internet access.

Second problem: the AP230 can ping the client with a 192.168.10.x address, but the client can't ping the AP230.

This is the first time that I use the HiveManager.

ADCO-COUR

Posted 1 year ago

Luke Harris

First problem - check firewall settings on the network policy itself. You may need to permit the specified range.

Second Problem - check the 'default traffic settings' to see if ICMP is enabled. 

ADCO-COUR

I set these settings for the firewall but same problem.

Where can I check the default traffic settings?

Luke Harris

Look under 'additional settings' on your network policy. And modify 'default-serv-filter'.

ADCO-COUR

I checked "enable ping" but same problem: guest clients don't have internet access.
I checked some topics but I didn't find a solution ...

ADCO-COUR

Other solutions?

Lionel

I suggest checking the points below

- it works without the FW

ADCO-COUR

Yes, my client obtains an IP address in the right range, 192.168.10.0.
No, it doesn't work without the FW.

ADCO-COUR

I notice that my client's gateway is 192.168.10.2, as set in the configuration, but the AP can't ping this gateway. Maybe that is the reason for my problem.

Lionel

A diagram of your LAN may help to understand your architecture. If it does not work even without the FW and the clients have IP addresses, it could be:
- a routing issue with your guest subnet

ADCO-COUR

Is it possible to create a route with HiveManager NG, or do I need an SSH connection?

Lionel

For me the issue is not at the AP level, as the client can ping the AP and the GW?
You must have a look at the router side.

Just to know: is it an Aerohive AP which has the role of DHCP for the guest subnet?

ADCO-COUR

AP can ping client but not GW
Client can't ping AP and GW

ADCO-COUR

Yes, the AP has the role of DHCP for the guest subnet.

Lionel

Can you please show a printscreen of your DHCP setup?
If NAT is activated, you need to add a NAT rule in the FW policy in your user profile.

Bill W.

This sounds like a router or switch problem. Is the port the AP plugged into trunked for the Guest VLAN? If the AP cannot ping the gateway of the Guest VLAN, then a client certainly wouldn't be able to either.

ADCO-COUR

Here is a printscreen of the DHCP setup.

Lionel

Create an IP FW policy like below in the user profile of your guest SSID and test it.


ADCO-COUR

Yes, it works, thank you.
But one more thing: clients in the guest network can ping my server in the pro network ...
I added this rule in the FW
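
The guest-to-pro isolation question raised in the post above, as an added example that is not part of the original thread: a small first-match model of an IP firewall policy for the guest subnet, comparing a permit-all rule set with one that denies private ranges before permitting the rest. First-match evaluation, the pro server address 192.168.1.10, the client address and the rule layout are assumptions; only 192.168.10.0/24 and the gateway 192.168.10.2 come from the thread.

```python
import ipaddress

GUEST = "192.168.10.0/24"       # guest range from the thread
GUEST_GW = "192.168.10.2/32"    # guest gateway from the thread
PRO_SERVER = "192.168.1.10"     # assumed address of a server on the "pro" LAN
INTERNET_HOST = "203.0.113.10"  # documentation address standing in for the internet
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Rules are (action, source, destination); the first matching rule wins (assumed).
PERMIT_ALL = [("permit", GUEST, "0.0.0.0/0")]
ISOLATED = ([("permit", GUEST, GUEST_GW)]                 # keep the gateway reachable
            + [("deny", GUEST, net) for net in RFC1918]   # block every internal range
            + [("permit", GUEST, "0.0.0.0/0")])           # everything else: internet


def evaluate(rules, src, dst, default="deny"):
    """Return the action of the first rule matching src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return action
    return default


def in_rfc1918(addr):
    """True when addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in RFC1918)


def reachable_private(rules, src, probes):
    """List the probe destinations in private space that src is permitted to reach."""
    return [dst for dst in probes
            if in_rfc1918(dst) and evaluate(rules, src, dst) == "permit"]


if __name__ == "__main__":
    client = "192.168.10.50"  # constructed guest client address
    probes = [PRO_SERVER, "192.168.10.2", INTERNET_HOST]
    for name, rules in (("permit-all", PERMIT_ALL), ("isolated", ISOLATED)):
        print(name, "private destinations reachable:",
              reachable_private(rules, client, probes))
        print(name, "internet:", evaluate(rules, client, INTERNET_HOST))
```

With the isolated rule set the only private destination left reachable from the guest client is its own gateway, which is the result to compare against ping tests from a real guest client.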

Lionel

OK, good.
Be aware that when you activate the NAT option, the IP addresses of your guest subnet are NATed to the IP of the AP interface mgt0. We can proceed like this if we want to have a separate subnet for guests and we don't have a LAN supporting multiple VLANs / trunking.

ADCO-COUR

OK, so how can I proceed to have two separate networks?

Lionel

You must do segmentation using 802.1Q, by having a switch supporting VLANs and a router with a sub-interface for VLAN 3 that you will use as the default gateway in your DHCP config. It's one example of a way to do it.
It's more related to wired LAN setup, so I'm not sure if this is the right place to talk about it.