SonicWall User\Guest Wifi Access Via VLAN's and Error 53

A client with an NSA 3500, (4) SonicPoints, A VLan for Users, and a Sub VLan for Guests.

When a Wi-Fi user connects to the User Wi-Fi, they can ping and resolve by name all devices. However, when that user tries to access a network share or map a drive they receive an Error 53.

The user can access the internet.

If a guest connects to the guest Wi-Fi they can't ping any network devices, but can reach the internet.

Any thoughts?
abustraanAsked:

Blue Street TechLast KnightCommented:
Hi abustraan,

Network share or map a drive error 53.

Where are you getting the Error 53, e.g. (the SonicWALL logs, Windows logs, etc.)?

Make sure the corresponding Zone has enabled Allow Interface Trust.
The Allow Interface Trust setting in the Add Zone window automates the creation of Access Rules to allow traffic to flow between the interface of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.

Also check Access Rules to make sure nothing is being blocked outbound (WLAN>LAN & LAN>WLAN).

WiFi guest not pinging but can access the Internet

This is good, why change it?

Check the Interfaces for the VLAN to see if Ping is enabled or not. If it's not, put a check mark next to Ping & click OK.

Let me know how it goes!
0
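Added example (not part of the thread and not SonicWall tooling): ping and name resolution working while a drive mapping fails with Error 53 is consistent with the SMB TCP ports being unreachable even though ICMP is allowed. This Python sketch, run from a client on the user Wi-Fi, checks ports 445 and 139 on the file server; the function names and the placeholder host name are assumptions.

```python
import socket
import sys

SMB_PORTS = (445, 139)  # SMB over TCP, and the older NetBIOS session service

def resolve(name):
    """Return the IPv4 address for name, or None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def tcp_state(addr, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'no_reply'."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: the path works, nothing accepts
    except OSError:
        return "no_reply"  # timeout or unreachable: packets are being dropped

def classify(states):
    """Turn per-port states into a verdict on where to look next."""
    values = set(states.values())
    if "open" in values:
        return "smb_reachable"      # not a firewall drop; check share/credentials
    if values == {"refused"}:
        return "actively_rejected"  # no listener, or a device answers with a reset
    return "silently_dropped"       # consistent with a WLAN>LAN rule dropping SMB

def triage(server):
    """Resolve the server, probe the SMB ports, return (verdict, per-port states)."""
    addr = resolve(server)
    if addr is None:
        return "name_resolution_failed", {}
    states = {port: tcp_state(addr, port) for port in SMB_PORTS}
    return classify(states), states

if __name__ == "__main__":
    # "fileserver.example" is a placeholder; pass the real file server name.
    target = sys.argv[1] if len(sys.argv) > 1 else "fileserver.example"
    verdict, detail = triage(target)
    print(target, verdict, detail)
```

A `silently_dropped` verdict alongside working ping points back at the WLAN>LAN Access Rules mentioned above; `smb_reachable` means the firewall is passing SMB and the problem lies elsewhere.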
abustraanAuthor Commented:
I get the error from DOS when I try to map a drive from the user connected to the user Wi-Fi.

I certainly don't want to change the guest Wi-Fi settings.

The Allowed Trust Interface Option was checked on both the LAN (X0) and WLAN (X3) zones.

I did notice on the X3 Zone there is a guest services tab and the "Enable Guest Services" option is unchecked.

If I enable that, then I get an option "Pass Networks". I can then select the "LAN Subnets" or "X0 Subnets". Would that be the right idea, or is that the wrong kind of Guest Services?
0
Blue Street TechLast KnightCommented:
Yes, follow this step-by-step to properly configure WGS (Wireless Guest Services) for an NSA 3500 using SonicPoints: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4959

For clarity, you said in your question:
"If a guest connects to the guest Wi-Fi they can't ping any network devices, but can reach the internet."
This is most likely because the Interface is not enabled for Ping, but I'd leave it alone... for guest users you don't want Ping enabled or any other Management Access (HTTPS, Ping, SNMP, SSH).

Keep me posted!
0

abustraanAuthor Commented:
Ironic that the article says to disable Interface trust, and your previous post said to enable it.
0
Blue Street TechLast KnightCommented:
Ah yes, very observant but both are true! You want to disable Interface Trust for Public or WGS clients for their own privacy so that they don't snoop peer-to-peer, however, with your own, let's say private WLAN, you will want to enable it so that you can support intra-zone communications, e.g. (WLAN>LAN & LAN>WLAN).

Does that make sense?
0
Blue Street TechLast KnightCommented:
Any update on this?
0
abustraanAuthor Commented:
I finally had a chance to work on this a couple of days ago.

I was able to turn on the guest services, get a SonicWall login, and use a SonicWall local user account and connect to the files.

However, not all devices support that and it seems very clunky. I was hoping for something more seamless like a hotel guest page that comes up in the browser automatically that a user can supply their information and connect.

Plus, I was hoping that by connecting to the Wi-Fi, by itself would facilitate the connection to the network, and not need a secondary log in.

At this point, I can consider this question closed. If I can't fully resolve the SonicWall log in process I'll submit a new question.

Thanks for the help and suggestions.
0
Blue Street TechLast KnightCommented:
Hi abustraan,

My pleasure! Sorry for the follow-up delay on your last post...the notification for it got buried in my inbox.

You can achieve what you are asking for! See below.

When you say,
"...not all devices support that and it seems very clunky."
What do you mean? It is just a separate VAP.

"I was hoping for something more seamless like a hotel guest page that comes up in the browser automatically that a user can supply their information and connect.

Plus, I was hoping that by connecting to the Wi-Fi, by itself would facilitate the connection to the network, and not need a secondary log in."
To do so, follow these steps:

Go to Network > Zones, then click the Edit icon for the WLAN zone. Then the Edit Zone window is displayed. Click the Guest Services tab.

1. To create a more seamless feel like a hotel guest page in the browser w/o authentication needed.


A) Put a check next to Enable Dynamic Address Translation (DAT) - WGS provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the Wireless DHCP services, and authenticate using any web-browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. DAT is a form of Network Address Translation (NAT) that allows the Wireless to support any IP addressing scheme for WGS users. For example, the Wireless WLAN interface is configured with its default address of 172.16.31.1, and one WGS client has a static IP Address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, and DAT enables network communication for both of these clients.

B) Put a check next to Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

C) Put a check next to Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.

Click OK to apply these settings to the WLAN zone.

Let me know if you have any more questions or start a new question and post the URL. Thanks!
0