Cannot access internet from Firebox optional network

Posted on 2009-07-08
Last Modified: 2013-11-16
One of our customers has a Watchguard Firebox Edge x20e-w and they want to give internet access to their customers while they are onsite.

I had initially intended to use the Wireless Guest network on the Firebox, but the area requiring coverage is quite large, so have decided to put in two additional LinkSys wireless access points and connected them to the Opt port on the Firebox via a PoE switch.

Users can connect to the Optional network wirelessly through the LinkSys APs and are receiving DHCP leases from the Firebox BUT they cannot connect to the internet.

In the Firebox log I have many entries as follows:

Jul 8 15:38:41  kernel  deny out eth2 61 udp 20 128 50851 53 (default)

Where is a client connected wirelessly to the Optional network and is the Optional network interface of the Firebox.

On the Allowed MAC Addresses tab in the Optional Network settings, the box Restrict access by Hardware MAC Address is NOT checked.

Is there a setting somewhere I'm missing?  Internet and BOVPN connections from the Trusted network work fine.
Question by:devon-lad
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 32

Expert Comment

ID: 24810405
As you have firebox X20e-w one of the possible reasons could be that you are running out of user licenses and as a result no user from optional gets on to internet.

In configuration page of Edge, System Status page; under Options; total number of User licenses and usage is listed.

Other things include:
There is no policy which allows access from optional network to internet.
Ensure that the default outgoing policy is enabled and has from configured from ANY.

Please check and update.

Thank you.

Author Comment

ID: 24811016
Plenty of user licences left.

Default outgoing policy is enabled and configured from ANY.
LVL 32

Accepted Solution

dpk_wal earned 500 total points
ID: 24811064
>> kernel  deny out eth2 61 udp 20 128 50851 53 (default)

Have you configured as DNS IP on the machines; if yes, this is the problem. WG would not act as DNS forwarder; if you are using DHCP or static IP then please ensure that you specify DNS Servers as specified by your ISP.

Other things I would like to check is, if the machines can ping anything on the internet; try pinging following in the same order:
1. From 192.168.112.x machine ping [you should get replies, proceed to 2].
2. From 192.168.112.x machine ping public IP of your Edge [you should get replies, proceed to 3].
1. From 192.168.112.x machine ping public gateway of youe Edge [you should get replies, then the machine is already connecting to internet; it is just DNS issue that you are not able to connect to website using names].

Please check and update.

Thank you.
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI


Author Comment

ID: 24811310
Oh dear...schoolboy error.  Never checked if they could ping external IPs...and should have noticed the fact that the Firebox was logging entries regarding port 53.

Have changed the Opt DHCP settings to use external DNS - from the logs it looks like that's solved it, will double check with the users.

Author Closing Comment

ID: 31601184
That was it - all working now.  Thanks
LVL 32

Expert Comment

ID: 24821087
Welcome! :)

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question