Cannot access internet from Firebox optional network

One of our customers has a Watchguard Firebox Edge x20e-w and they want to give internet access to their customers while they are onsite.

I had initially intended to use the Wireless Guest network on the Firebox, but the area requiring coverage is quite large, so have decided to put in two additional LinkSys wireless access points and connected them to the Opt port on the Firebox via a PoE switch.

Users can connect to the Optional network wirelessly through the LinkSys APs and are receiving DHCP leases from the Firebox BUT they cannot connect to the internet.

In the Firebox log I have many entries as follows:

Jul 8 15:38:41  kernel  deny out eth2 61 udp 20 128 192.168.112.103 192.168.112.1 50851 53 (default)

Where 192.168.112.103 is a client connected wirelessly to the Optional network and 192.168.112.1 is the Optional network interface of the Firebox.

On the Allowed MAC Addresses tab in the Optional Network settings, the box Restrict access by Hardware MAC Address is NOT checked.

Is there a setting somewhere I'm missing?  Internet and BOVPN connections from the Trusted network work fine.
LVL 1
devon-ladAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dpk_walCommented:
As you have firebox X20e-w one of the possible reasons could be that you are running out of user licenses and as a result no user from optional gets on to internet.

In configuration page of Edge, System Status page; under Options; total number of User licenses and usage is listed.

Other things include:
There is no policy which allows access from optional network to internet.
Ensure that the default outgoing policy is enabled and has from configured from ANY.

Please check and update.

Thank you.
0
devon-ladAuthor Commented:
Plenty of user licences left.

Default outgoing policy is enabled and configured from ANY.
0
dpk_walCommented:
>> kernel  deny out eth2 61 udp 20 128 192.168.112.103 192.168.112.1 50851 53 (default)

Have you configured 192.168.112.1 as DNS IP on the machines; if yes, this is the problem. WG would not act as DNS forwarder; if you are using DHCP or static IP then please ensure that you specify DNS Servers as specified by your ISP.

Other things I would like to check is, if the machines can ping anything on the internet; try pinging following in the same order:
1. From 192.168.112.x machine ping 192.168.112.1 [you should get replies, proceed to 2].
2. From 192.168.112.x machine ping public IP of your Edge [you should get replies, proceed to 3].
1. From 192.168.112.x machine ping public gateway of youe Edge [you should get replies, then the machine is already connecting to internet; it is just DNS issue that you are not able to connect to website using names].

Please check and update.

Thank you.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

devon-ladAuthor Commented:
Oh dear...schoolboy error.  Never checked if they could ping external IPs...and should have noticed the fact that the Firebox was logging entries regarding port 53.

Have changed the Opt DHCP settings to use external DNS - from the logs it looks like that's solved it, will double check with the users.
0
devon-ladAuthor Commented:
That was it - all working now.  Thanks
0
dpk_walCommented:
Welcome! :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.