VLAN for Guest Wifi - No internet access

I am asking for a little help from the Watchguard user community. I have a new Watchguard M290 and a few Ubiquiti wireless access points. I would like to set up a VLAN configuration to allow both a public and private wifi network. I have everything working EXCEPT internet access on the public wifi network. I need a pointer to head me in the correct direction.

The trusted network is running on VLAN 1 untagged.
And the public wifi network is running on VLAN 11 tagged.
I have added the public wifi network to the proper firewall policies. (I think.)

Clients on the public wifi network pick up a DHCP IP address and the proper gateway IP address to the Watchguard on the VLAN.

But clients on the public wifi network do not have internet access. When I try to run a ping command to an external IP address, I get the error message "no route to host."

If anyone can help, I would appreciate it. Also, I am sure that I need to provide more information, just let me know and I will do so.

Thanks.

Comments

  • What do you see in Traffic Monitor when this access is tried?
  • Nothing. No entries in Traffic Monitor for the guest wifi VLAN traffic.

  • Could this be a trunk issue - the connection between the switch & the firewall?

    Have you connected this to a firewall interface defined as a VLAN interface?
    If so, have both VLANs been defined on it?
    And has at least one of them been marked as tagged?
    If so, have the tagged VLANs on the switch port which connects to the firewall also been marked as tagged or set as a trunk connection?

  • Also, what is providing the DHCP addrs to the guest wifi VLAN? The firewall?
    If so, then that suggests that the VLAN connection to it for the guest wifi VLAN is correct, but doesn't explain the connection issue.

    For problem resolution - Add an Any policy From: the guest wifi VLAN To: Any.
    Turn on Logging on it to see entries in Traffic Monitor for packets allowed by this policy.
    Move it to the top of the policy list.
    If you don't have Internet access then, seems like a switch issue.

  • I agree with that. That is an excellent suggestion. I will try it!

  • edited June 4

    Hi, I have the same problem. What was the solution? Can you please provide a hint? I've also configured Guest WiFi in a separate VLAN. Clients are receiving DHCP leases from the firewall. DNS servers are configured correctly. The client is able to reach the firewall by ping and the firewall is also able to reach the client. When I take a look at Traffic Monitor I can see traffic coming from the client in the guest WLAN and nothing is denied, but the client still has no internet access. After removing the VLAN config everything works fine. I have no clue what the problem could be. Does anyone have any suggestion for me?

  • I found it... the zone of the VLAN was set to optional... after setting it to trusted everything was fine... I don't really understand that, the firewall policy doesn't use the zone as source but the network, so I don't understand why this was the reason... anyway, it works ;-)

  • If you mark your Guest WiFi to trusted, I do not think you are getting the separation of the two networks that you are hoping for. I set up my Guest Wifi as custom.

  • Could be that DNS is not allowed from Optional

  • And I would expect to see deny log messages in Traffic Monitor to help understand what is not being allowed, and thus what policies need to be added/adjusted.

    Note - there are aliases, such as Any-trusted, which would allow traffic from any interface assigned to the Trusted zone, but not any other zones, unless some other zone, VLAN, subnet etc. is also on the From field of that policy
