Solved

Cannot access internet from Firebox optional network

Posted on 2009-07-08
Last Modified: 2013-11-16
One of our customers has a Watchguard Firebox Edge x20e-w and they want to give internet access to their customers while they are onsite.

I had initially intended to use the Wireless Guest network on the Firebox, but the area requiring coverage is quite large, so have decided to put in two additional LinkSys wireless access points and connected them to the Opt port on the Firebox via a PoE switch.

Users can connect to the Optional network wirelessly through the LinkSys APs and are receiving DHCP leases from the Firebox BUT they cannot connect to the internet.

In the Firebox log I have many entries as follows:

Jul 8 15:38:41  kernel  deny out eth2 61 udp 20 128 192.168.112.103 192.168.112.1 50851 53 (default)

Where 192.168.112.103 is a client connected wirelessly to the Optional network and 192.168.112.1 is the Optional network interface of the Firebox.

On the Allowed MAC Addresses tab in the Optional Network settings, the box Restrict access by Hardware MAC Address is NOT checked.

Is there a setting somewhere I'm missing?  Internet and BOVPN connections from the Trusted network work fine.
Question by:devon-lad
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24810405
As you have firebox X20e-w one of the possible reasons could be that you are running out of user licenses and as a result no user from optional gets on to internet.

In configuration page of Edge, System Status page; under Options; total number of User licenses and usage is listed.

Other things include:
There is no policy which allows access from optional network to internet.
Ensure that the default outgoing policy is enabled and has from configured from ANY.

Please check and update.

Thank you.
 
LVL 1

Author Comment

by:devon-lad
ID: 24811016
Plenty of user licences left.

Default outgoing policy is enabled and configured from ANY.
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24811064
>> kernel  deny out eth2 61 udp 20 128 192.168.112.103 192.168.112.1 50851 53 (default)

Have you configured 192.168.112.1 as DNS IP on the machines; if yes, this is the problem. WG would not act as DNS forwarder; if you are using DHCP or static IP then please ensure that you specify DNS Servers as specified by your ISP.

Another thing I would like to check is whether the machines can ping anything on the internet; try pinging the following in the same order:
1. From 192.168.112.x machine ping 192.168.112.1 [you should get replies, proceed to 2].
2. From 192.168.112.x machine ping public IP of your Edge [you should get replies, proceed to 3].
3. From 192.168.112.x machine ping public gateway of your Edge [you should get replies, then the machine is already connecting to internet; it is just DNS issue that you are not able to connect to website using names].

Please check and update.

Thank you.

 
LVL 1

Author Comment

by:devon-lad
ID: 24811310
Oh dear...schoolboy error.  Never checked if they could ping external IPs...and should have noticed the fact that the Firebox was logging entries regarding port 53.

Have changed the Opt DHCP settings to use external DNS - from the logs it looks like that's solved it, will double check with the users.
 
LVL 1

Author Closing Comment

by:devon-lad
ID: 31601184
That was it - all working now.  Thanks
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24821087
Welcome! :)