HP MSM 710 guest access issues
Asked by GreshAssoc
We have an HP MSM 710 mobility controller with multiple APs. The MSM is set up for both guest and internal access. Internal access works fine. Guest access does not. I can connect to the guest network, obtain an IP, and log in through the HTML page, but cannot access the web. I will provide all settings below. We do not use VLANs. The internet port on the MSM is hooked directly to the DMZ on my firewall. I can browse without issue if I plug a computer directly into the DMZ and use a 192.168.200.* IP address and 192.168.200.2 as the gateway, so the MSM is causing the issue. On the guest network, once connected, I can only ping the MSM internet port (192.168.200.10) and the gateway/DNS address (192.168.201.25), not the DMZ. Traceroutes stop at 192.168.201.25, no matter if tracing a domain name or IP. I have configured using the automated workflow as well as following examples from white papers, though all of those were based on VLANs.
Set up as follows:
Firewall DMZ port address: 192.168.200.2 / 255.255.255.0
MSM internet port address: 192.168.200.10 / 255.255.255.0 (static)
MSM acts as DHCP server for public:
DNS: 192.168.201.25
Start: 192.168.201.26
End: 192.168.201.50
Gateway: 192.168.201.25
Netmask: 255.0.0.0
Subnet: 192.0.0.0
Guest account that is logging in is associated with the VSC.
Default route:
interface: internet port, gateway: 192.168.200.2, metric: 1
Attributes:
ACCESS-LIST factory,ACCEPT,all,*procurve.com,a...
ACCESS-LIST factory,ACCEPT,all,*hp-ww.com,all
ACCESS-LIST factory,ACCEPT,all,*windowsupdate...
ACCESS-LIST public,deny,all,10.0.0.0.0/8,all (<<----- this is the internal network)
ACCESS-LIST public,accept,all,all,all
USE-ACCESS-LIST factory
DEFAULT-USER-USE-ACCESS-LIST Public
VSA-WISPR-ACCESS-PROCEDURE 1.0
Any help would be appreciated!
Check your gateway.
ASKER
Which one? Changing the client DHCP-provided gateway to 192.168.200.2 or 192.168.200.10 does not correct it. The original 192.168.201.25 was provided by the workflow.
ASKER
If I disable HTML-based user login, everything works fine?! I just cannot control who accesses the guest network.
ASKER
I believe this is coming down to the ACL attributes. Below is what I have listed:
ACCESS-LIST factory,ACCEPT,all,*procurve.com,a...
ACCESS-LIST factory,ACCEPT,all,*hp-ww.com,all
ACCESS-LIST factory,ACCEPT,all,*windowsupdate...
ACCESS-LIST public,ACCEPT,all,all,all
ACCESS-LIST Guests,ACCEPT,all,all,all
ACCESS-LIST guests,ACCEPT,udp,all,67-68
ACCESS-LIST guests,ACCEPT,all,all,53
USE-ACCESS-LIST factory
DEFAULT-USER-USE-ACCESS-LIST Guests
VSA-WISPR-ACCESS-PROCEDURE 1.0
My guest account "guest" is assigned to the "Guests" account profile.
ASKER
Issue determined myself.
ASKER
Message log shows the following:
Jul 1 09:13:54 err dhcpd Multiple interfaces match the same shared network: eth0 br0
Jul 1 09:13:54 err dhcpd Multiple interfaces match the same subnet: eth0 br0
Not sure where the "multiple interfaces" are; the internet address is 192.168, the internal one is 10.229.
Network trace on the MSM from the internet port to http://www.google.com:
I have no idea where the 192.168.240.156 address is coming from.
09:34:52.495656 arp who-has 192.168.200.2 tell 192.168.200.10
09:34:52.495782 arp reply 192.168.200.2 is-at 00:17:c5:14:c8:1f
09:34:53.505825 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:53.505947 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:53.506040 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:55.932635 e8:39:35:6b:80:2c > 01:80:c2:00:00:0e, ethertype Unknown (0x88cc), length 168:
09:34:57.235842 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:57.235961 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:57.236048 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:00.245832 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:00.245950 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:00.246038 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:04.525823 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.525939 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.526026 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.638762 IP 192.168.200.2.137 > 192.168.200.10.137: UDP, length: 50
09:35:10.065794 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
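One check worth running on the numbers posted in this thread, added here as an example and not taken from the thread or the MSM itself: the guest DHCP scope is posted with netmask 255.0.0.0, which makes the guest side a 192.0.0.0/8 network, and the dhcpd message above complains that eth0 and br0 match the same subnet. The script below takes the posted interface values and a few of the trace lines as constructed sample input, reports which connected networks overlap, and shows which interface would treat the 192.168.240.156 destination from the "host unreachable" lines as directly connected; the eth0/br0 role assignment is assumed from the log line.

```python
import ipaddress
import re

# Interface values as posted in the question, assembled here as constructed
# sample input; eth0 = internet port, br0 = guest/DHCP side is an assumption.
INTERFACES = {
    "eth0 (internet port)": ipaddress.ip_interface("192.168.200.10/255.255.255.0"),
    "br0 (guest DHCP side)": ipaddress.ip_interface("192.168.201.25/255.0.0.0"),
}
# Three lines copied from the posted tcpdump trace (constructed sample).
TRACE = """\
09:34:53.505825 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.638762 IP 192.168.200.2.137 > 192.168.200.10.137: UDP, length: 50
09:35:10.065794 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
"""
UNREACH = re.compile(r"host (\d+\.\d+\.\d+\.\d+) unreachable")


def overlapping_interfaces(ifaces):
    """Name pairs whose connected networks overlap: two interfaces matching
    the same subnet is the condition the dhcpd log line reports."""
    names = list(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]


def unreachable_hosts(trace):
    """Destination hosts named in ICMP 'host unreachable' lines, deduplicated."""
    return sorted({m.group(1) for m in UNREACH.finditer(trace)})


def claimed_locally(ifaces, addr):
    """Interfaces whose network contains addr; such a destination is handled
    as directly connected rather than forwarded via the default route."""
    ip = ipaddress.ip_address(addr)
    return [name for name, iface in ifaces.items() if ip in iface.network]


def report(ifaces, trace):
    """Map each unreachable host to the interfaces that claim it as local."""
    return {h: claimed_locally(ifaces, h) for h in unreachable_hosts(trace)}


def with_guest_mask(ifaces, cidr):
    """Copy of ifaces with the guest-side interface set to cidr, for comparison."""
    out = dict(ifaces)
    out["br0 (guest DHCP side)"] = ipaddress.ip_interface(cidr)
    return out


if __name__ == "__main__":
    print("overlapping:", overlapping_interfaces(INTERFACES))
    print("unreachable host -> claimed locally by:", report(INTERFACES, TRACE))
    print("overlapping with guest /24:",
          overlapping_interfaces(with_guest_mask(INTERFACES, "192.168.201.25/24")))
```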