Guest Access problem

  • Question
  • Updated 5 years ago
  • Answered
Hello,

I work in Belgium, and we use AP320 and 330 for internet network access and Guest access.

Here is a summary of our Guest access:

A few AP 320/330 installed in the LAN network with an SSID for the internal network and an SSID for Guest access
An AP in the DMZ zone
A firewall (and of course switches) between the local APs and the DMZ AP, and between the DMZ AP and the internet router
A user profile defined for the Guest SSID with a VLAN (applied on all the APs)
An external DHCP (at the firewall): no tag defined on the DMZ AP.

Problem:
A client does not receive an IP address from the DHCP server (firewall) via a LAN access point
A client receives an IP address via the DMZ AP
I cannot find the reason. Do you perhaps have an idea?
1) Is it a GRE tunnel problem: which ports must be opened on the firewall between the LAN AP and the DMZ for GRE to work?
I see that GRE uses IP protocol 47 and UDP; is that all? Perhaps the firewall blocks it?
Is there a keepalive for the GRE tunnel?
2) Does the DMZ AP send packets tagged (guest Wi-Fi VLAN) to the firewall from my local AP? I only define a user profile.

Thanks,
Regards,

Dominique
Dom

Posted 5 years ago
David Coleman, Official Rep
IP port 47 must pass the General Routing Encapsulation (GRE) protocol. GRE is an encapsulation protocol and does not use TCP/UDP ports... therefore it is not NAT-traversable, and maybe that is the issue with your firewall?

Not exactly sure how you are designing this. The Wi-Fi client should be getting an IP address from the DMZ. Setting up the DMZ AP as a DHCP server to hand out IP addresses from a VLAN that only resides in the DMZ works fine.

Have you also confirmed that the GRE tunnel is up?

Utilities -> Diagnostics -> Show GRE tunnel
Dom
Hello,

Thanks for your answer.
I will check the logs on the firewall to see if IP port 47 is blocked.
I have opened the ports UDP 3000 and 3002: are they necessary for the GRE tunnel?
Perhaps it is the keepalive?
On the LAN AP, I see the GRE tunnel open, but I am not sure it lasts, because the Wi-Fi clients (client monitor) try to do a DHCP discover without getting an answer.

For the design: the firewall acts as DHCP server and is connected to a switch port configured with VLAN 10 (example VLAN for the guest access); the DMZ AP is connected to another port of the switch with a native VLAN (for the management) and VLAN 10 (for guest access).
My question: when a guest client connects to a LAN AP (configured with a guest SSID with open authentication (with CWP) and a user profile configured with the GRE tunnel to the DMZ AP and VLAN 10), after the GRE tunnel is established, are the DHCP packets (discover, request, ...) sent tagged (with VLAN 10) from the DMZ AP (configured also with the same guest SSID and a user profile configured with the GRE tunnel and VLAN 10) to the switch?

Thanks
Regards,

Dominique
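Added example, not code from the thread or from the AP vendor: a small Python frame inspector that checks the two things discussed above, namely that a GRE packet is IP protocol 47 (David's answer: it has no TCP/UDP port, so a rule opening UDP 3000/3002 or "port 47" can never match it) and whether a DHCP frame leaving the DMZ AP carries an 802.1Q tag for VLAN 10 (Dominique's second question). The two sample frames, the documentation-range addresses, and the stateless allow-list model in passes_firewall are constructed for illustration; they are not captures from the poster's network, and a real firewall (stateful, zone-based) may behave differently.

```python
"""Inspect Ethernet frames for GRE (IP protocol 47) and 802.1Q-tagged DHCP.

Constructed example: the frames below are built inline so the script runs
offline; feed it raw frames from a capture on the switch port to use it live.
"""
import socket
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47            # GRE is an IP protocol number; it has no TCP/UDP port
IPPROTO_UDP = 17
DHCP_PORTS = frozenset({67, 68})
GRE_TYPE_ETHERNET_BRIDGING = 0x6558   # IANA "Transparent Ethernet Bridging" (Ethernet over GRE)


@dataclass
class FrameSummary:
    vlan_id: Optional[int]                    # 802.1Q VID, or None if untagged
    src_ip: str
    dst_ip: str
    ip_protocol: int
    udp_ports: FrozenSet[int] = frozenset()   # empty unless the packet is UDP
    gre_payload_type: Optional[int] = None    # GRE protocol-type field, if GRE

    @property
    def is_gre(self) -> bool:
        return self.ip_protocol == IPPROTO_GRE

    @property
    def is_dhcp(self) -> bool:
        return bool(self.udp_ports) and self.udp_ports <= DHCP_PORTS


def parse_frame(frame: bytes) -> FrameSummary:
    """Parse Ethernet -> optional 802.1Q tag -> IPv4 -> (GRE | UDP) headers."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    proto = ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    payload = ip[ihl:]
    udp_ports: FrozenSet[int] = frozenset()
    gre_type = None
    if proto == IPPROTO_UDP:
        udp_ports = frozenset(struct.unpack("!HH", payload[:4]))   # src, dst port
    elif proto == IPPROTO_GRE:
        # RFC 2784 GRE header: 2 bytes flags/version, then 2 bytes protocol type
        gre_type = struct.unpack("!H", payload[2:4])[0]
    return FrameSummary(vlan_id, src_ip, dst_ip, proto, udp_ports, gre_type)


def passes_firewall(summary: FrameSummary,
                    allowed_ip_protocols: FrozenSet[int] = frozenset(),
                    allowed_udp_ports: FrozenSet[int] = frozenset()) -> bool:
    """Stateless allow-list model (assumption) of the firewall between LAN AP and DMZ AP.
    A UDP port entry such as 3000/3002 can never match GRE, because GRE carries no
    ports; GRE only passes when IP protocol 47 itself is allowed."""
    if summary.ip_protocol in allowed_ip_protocols:
        return True
    return summary.ip_protocol == IPPROTO_UDP and bool(summary.udp_ports & allowed_udp_ports)


# --- constructed sample frames (documentation address ranges, checksums left at 0) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_frame(ipv4_packet: bytes, vlan_id: Optional[int] = None) -> bytes:
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"      # dst MAC, src MAC (made up)
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_packet
    return eth + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id, ETHERTYPE_IPV4) + ipv4_packet


# Untagged GRE packet from a "LAN AP" to a "DMZ AP", carrying a bridged Ethernet frame.
GRE_FRAME = build_frame(build_ipv4("192.0.2.10", "198.51.100.10", IPPROTO_GRE,
                                   struct.pack("!HH", 0, GRE_TYPE_ETHERNET_BRIDGING) + b"\x00" * 14))
# DHCP Discover (UDP 68 -> 67) tagged with VLAN 10, as it should leave the DMZ AP.
DHCP_FRAME = build_frame(build_ipv4("0.0.0.0", "255.255.255.255", IPPROTO_UDP,
                                    struct.pack("!HHHH", 68, 67, 12, 0) + b"\x01\x01\x06\x00"),
                         vlan_id=10)

if __name__ == "__main__":
    for name, frame in (("GRE LAN AP -> DMZ AP", GRE_FRAME), ("DHCP Discover", DHCP_FRAME)):
        s = parse_frame(frame)
        print(f"{name}: vlan={s.vlan_id} proto={s.ip_protocol} gre={s.is_gre} dhcp={s.is_dhcp}")
        print("  passes with only UDP 3000/3002 open:",
              passes_firewall(s, allowed_udp_ports=frozenset({3000, 3002})))
        print("  passes with IP protocol 47 + DHCP ports open:",
              passes_firewall(s, allowed_ip_protocols=frozenset({47}), allowed_udp_ports=DHCP_PORTS))
```

Running it shows the GRE frame failing the allow-list until IP protocol 47 itself is permitted, regardless of which UDP ports are open, and the DHCP frame reporting VID 10 only when the 802.1Q tag is actually present; a capture on the switch port facing the DMZ AP, parsed the same way, answers the VLAN-tagging question directly.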