Wireless Access

Hi there

 

A couple of years ago our ex-third line support company came in and installed a 5406zl Core switch with the above mentioned MSM765zl wireless controller included.  It turned out that the company didn't know how to setup the wireless controller and after couple of botched attempts on their part and some lucky tinkering on ours we managed to get it to work to a certain degree. 

 

VLANs 61 (Guest), 62 (Staff), 63(Students) currently obtain their IP addresses from our main DHCP server.

• VLAN 61 go straight out of the internet via our core switch and firewall.
• VLAN 62 has access to the internet and our internal servers/workstations etc.
• VLAN 63 has access to minor internal services and routes to the internet through a proxy server that acts as the gateway.
  
  
  However we would now like to adjust how some of it works, the idea was to leave 62 and 63 as they are but we wanted to take 61 off of our internal LAN as much as possible so we start to adjust the settings.
  We gave the internet port an IP of 61.1 as was suggested in another thread I found about configuring the controller, the internet port was untagged through the 5406zl to VLAN 61.  We setup an IP on our Firewall for outbound internet access (61.7).
  
  The Lan Port is tagged to 61, 62, 63 and the management VLAN.  We then tested out a global DHCP on the Management VLAN and that assigned addresses, so we then added DHCP to our Wireless-Guest (61) VSC, turned on the Access-Control/Authentication, the HTML login page and attached the Wireless-Guest 61 VLAN.  Laptops connecting to the right SSID can gain an IP address and ping the gateway (61.1), they can also login to the HTML page but once they have passed that there is no internet access.
  
  The controller cannot ping the firewall/gateway (61.7) or any external sites, in our attempt to remedy this I set up a default route on the 5406zl for 61 traffic to go to 61.7 (the firewall) but still nothing.
  
  I'm sure there are a great many things that I am missing in relation to the set up of this but after going through a couple of different manuals and "fiddling" I haven't been able to get it to work.  One thing I did read was that you shouldn't have the same VLAN on both the Internet Port and LAN port, could someone confirm this?
  
  Thanks for any help you can offer

Howdy,
Shouldn't your wireless guests get the firewall on 61.7 as their default-gateway as part of their DHCP ?

You should only need VLAN 61 on your WAN/Internet side as the traffic from your AP's should be encapsulated until it breaks-out through teh controller and egresses through the WAN port.
Your firewall probably drops ICMP hence no pings - try and telnet from a command line to a port that you do know is open like 53 (for DNS). have a look at traceroute and see which route your packets are actually taking.

Hope that Helps
Ian

Thanks for the response.

 

Our firewall does respond to pings internally, if I put a PC on to the same subnet and ping I get normal responses.  I'll give it a shot with your suggestion though I think I may have tried it already during the 'Why isn't this thing working, lets try doing this' stage  ;-)

 

Great joke by the way

Unfortunately changing the firewall IP to be the gateway didn't make any headway, would you agree that I should be able to ping an external IP address from the MSM765zl itself, say the google.com address if things are set up correctly?

 

 

Thanks again

OK,
Back to basiscs part 1 - does a "wired" client in VLAN 61 (simple access port untagged VLAN61) route back and forth onto the internet if its gateway is the firewall ?

Back to basiscs part 2 - can you disable any "wireless isolation" type configuration for that particular VSC.

As regards the routing out onto the internet - it depends what the MSM has as it's default gateway in the local routing table to determine which interface the traffic will egress the controller. Its not a bad test but maybe isn't representative of the route that a clients traffic would take.
HTH
Ian

Having the same issue here.

We have a MSM765zl module also, but we have our Guest Access Setup through the LAN Port.

LAN Port is assigned the address: 172.16.91.252 / 255.255.255.0

DHCP Setup on Controller:
1st IP: 172.16.91.1
Last IP: 172.16.91.200
Gateway: 172.16.91.250
DNS: 172.16.91.252

Internet Port: tagged with VLAN50 (Guest VLAN)
LAN Port: untagged with VLAN50 (Guest VLAN)

We have successfully pinged the firewall and outside world on a WIRED connection untagged as VLAN50. Browsing worked 100% as well and we just need to lock down the black/whitelist of URLs.

Having said that, after accessing our Guest Network from a WIRELESS machine and receiving an IP Address (eg. 172.16.91.15/24) we CANNOT ping the firewall and/or outside world.

Our Guest VSC:
Access Control: Enabled
Wifi Protection: NONE (until we get it working)
VSC Egress Mapping: Guest Access (VLAN50)
Address Allocation via MSM765 DHCP

I am going to cruise through some of the Implementation Guides again to see what I can come up with, but any insight would be great :)

Cheers,
Tim

When you say 'wireless isolation', do you mean the access control?

 

Annoyingly we had to change the configuration a little bit since I first posted the message.  Instead of the internet gateway being the firewall on 61.7 it is now the core HP switch which the MSM765 plugs into (61.29) that is the gateway.  Currently a wired client cannot route back and forth to the internet.  Scratch that the wired PC I was using was being useless, wired clients can ping the Firewall and 8.8.8.8 (Google DNS).

 

As another aside, should I be able to ping the internet address of the MSM765 from the Core switch?  I would have thought I should be able to but it doesn't work.

 

 

Thanks again and sorry for the delayed response.

Are you till facing this issue ?

 

1st I have noticed that both internet and lan ports are part of vlan 61, please remove the lan port from this vlan at all.

 

2nd, make sure the default route in the controller is pointing to the ip of the firewall ( if it is the next hop IP address).

 

3rd, are you using NAT on the internet port or not ? if not then the firewall needs to have a route back to the internal guest network inside the controller, if NAT is enabled then the traffic coming from the GUESTS will be terminated on the controller and then NATed to the internet using the controller's Internet IP.

 

Think about the Controller's ports as routed ports, what goes from LAN will be routed out of the INTERNET port so proper routing or NATING should be done.