sangsi, Member (join:2010-03-10)

Help me solve this riddle USG 50 / LAN2 / Access Point

I cannot think straight enough to figure this one out. Hopefully someone else with a much better brain can.

I have 2 LANs in play inside the USG 50 setup. LAN1 (all my wired devices - 192.168.0.0/24) and LAN2 (all my wireless devices - 192.168.1.0/24). I've designated Port 3 of the USG 50 to belong to LAN2 as well. I also set up an access point (192.168.1.2) and it's connected to port 3 of the USG 50. So far so good, my wireless devices connect to the access point, Zywall assigns them IPs through DHCP, wireless devices can surf the net. I can ping devices that are in LAN1, etc. I can also ping the access point's IP from the wireless devices with no problem.

The problem has to do with the LAN1 devices not being able to ping the access point itself. Basically I cannot connect to the access point from a wired device that sits in LAN1. This is mind boggling to me. I can ping the access point from a wireless device but not from my desktop. The desktop can ping any other device in LAN2 except the access point.

Why would that be the case? There are no firewall rules created to disallow that.

Brano, MVM (join:2002-06-25, Burlington, ON)

What access point is it? Vendor / model? I've seen some basic (read cheap) APs that had many quirks like this.
Or the AP may have some config setting that it won't allow access to it only from local LAN.

Why do you need to have all your wireless devices on a separate network? If you want you can put the AP on LAN1 - assign the AP a LAN1 IP and disable DHCP on the AP. Done.

FirebirdTN, Member (join:2012-12-13, Brighton, TN) to sangsi

This probably won't help, but I ran into a similar situation, and it ended up being the AP itself.

I also have a USG 50, with 2 wireless networks; one on LAN1 with the rest of my protected network, and one on LAN2 for guest access.

I wanted to be able to remote admin the LAN2 wireless from LAN1, but ran into trouble. In my case, the guest wireless was actually an old WRT54GL router. I had hooked it up as suggested on the net for "bridge mode", which basically leaves the WAN port disconnected. It works just fine that way, BUT...you cannot access the admin pages with it set up like that because there is no way to assign a "gateway" address on the LAN side of it. I ended up hooking it up normally. It's double NATed now, but works as expected.

The other thing to check is firewall settings. Your setup is a bit odd though....why allow devices in LAN1 to be able to be accessed (or pinged) from LAN2? If you want access from all devices, just throw them all in LAN1 as Brano suggested.

-Alan

sangsi, Member (join:2010-03-10) to Brano

Well it's a makeshift access point. It's actually a Netgear WNDR4000. Now that I've checked the Netgear download section, they've released a new firmware for it. I'll upgrade and then try it again to see if that will help at all.

I allowed LAN1 to LAN2 and vice versa for testing purposes. In the production environment, it'll be LAN1 to WAN + LAN1 to ZyWALL + LAN2 to Zywall (DNS service only) + LAN2 to WAN + LAN2 to LAN1 (address group to allow only the printers).

Basically LAN1 won't be able to communicate with LAN2. LAN2 can only communicate with printers in LAN1. LAN2 cannot access Zywall except for DNS ports. What I wanted to do was to have a LAN1 to LAN2 rule that only allows access to the access point's IP address, but that scenario is out the window now that I cannot access it from LAN1. I have to manage the access point from a wireless device now. I wanted to have the ability to manage it from LAN1 too basically.

sangsi, Member to FirebirdTN

Another benefit is the QoS. I have lower traffic priority setup for the wireless devices through BWM.

sangsi, Member

I just discovered another anomaly with my setup. As I mentioned in my previous post, QoS (BWM) is set up for the wireless devices (LAN2). For some very strange reason, when I run a speed test using my laptop, BWM's bandwidth settings are ignored. But if I run the same speed test through my iPhone app, it adheres to the set bandwidth limitations. If I set it to be 250 kbps for the maximum upload speed (to prove that such an exaggerated decrease occurs and is sustained - which means that the BWM rule is working), the speed test comes out around that number. However, the same website's test done through the laptop results in full saturation of the WAN egress speed (around 5.5 Mbps).

FirebirdTN, Member (join:2012-12-13, Brighton, TN) to sangsi

Sounds like your end setup is going to be almost identical to mine. I basically block the guest wireless (on LAN2) from getting to anything other than the internet, DNS on the ZyXel and my printer located on LAN1.

As to QoS, what firmware are you using? I have not been able to get consistent reliable QoS since firmware 3.00 (BDS.4), which is what I am still running now. I also throttle my guest wireless.

-Alan

sangsi, Member (join:2010-03-10)

Yes, it's the same setup.

I'm running on 3.30(BDS.2). I was going to say that the BWM feature is working fine up until this erratic laptop behavior. I mean, how is it that one device is adhering to the QoS rule and another device isn't?

Only God knows what goes on inside the USG devices. It's such a hit and miss.

Anav, Premium Member (join:2001-07-16, Dartmouth, NS) to sangsi

Not sure what the problem is here.
I'm assuming you set up your access point as such.....
»Wireless Networking Forum FAQ »Using a Wireless Router as an Access Point

Because everything works out on LAN2.

Why do you care if LAN1 can ping a device on LAN2?
Do you not have firewall rules blocking LAN1 from seeing LAN2 and the reverse as well??

Otherwise why put them on separate LANs???

sangsi, Member (join:2010-03-10)

I care because I want to be able to administer the access point from LAN1. I was going to create a LAN1 to LAN2 rule (with only the access point's address object). Let's say I want to change the WPA2 WiFi passphrase or I want to upgrade the firmware (the wired method is the preferred method when it comes to upgrading any firmware); now I have to log in to the access point by connecting to it via a wireless device.

But like it was mentioned earlier by Brano and FirebirdTN, it's most likely the access point itself. I will update its firmware today to see if that'll help.

Anav, Premium Member (join:2001-07-16, Dartmouth, NS) to sangsi

Sure thing.
There may be some default setting on the AP that only allows access to other wifi connected users but no wired or other LAN users (i.e. only out to the WAN connection).

In any case your separation is not for fun but a sense of trust is needed for your wired LAN.
Thus your default flows should be LAN1 to LAN2 block and LAN2 to LAN1 block.
One should be able to make a rule: all LAN1 devices to AP on LAN2 allow (or narrow it down to a specific set of LAN1 devices with access to the AP).
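As an added example (not code from the thread or from ZyXEL), the following Python model captures the zone-based policy sangsi sketched a few posts up (LAN1 to WAN, LAN1 to ZyWALL, LAN2 to ZyWALL for DNS only, LAN2 to WAN, LAN2 to the LAN1 printers only) together with the narrow LAN1-to-AP management allow suggested here, and evaluates the flows discussed in the thread against it with first-match semantics and an implicit default deny. The AP address 192.168.1.2 and the two subnets come from the thread; the USG interface addresses and the printer addresses are assumptions.

```python
import ipaddress
from collections import namedtuple

# Zones as described in the thread: LAN1 wired, LAN2 wireless.
ZONES = {"LAN1": ipaddress.ip_network("192.168.0.0/24"),
         "LAN2": ipaddress.ip_network("192.168.1.0/24")}
# Assumed USG interface addresses; the "ZyWALL" zone is the firewall itself.
ZYWALL_IPS = {ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.1.1")}
# Address objects: the AP is 192.168.1.2 per the thread; the printer addresses are constructed.
OBJECTS = {"AP": {ipaddress.ip_address("192.168.1.2")},
           "PRINTERS": {ipaddress.ip_address("192.168.0.50"), ipaddress.ip_address("192.168.0.51")},
           "ANY": None}  # None means "any destination address"
# dst_obj keys into OBJECTS; service is "any" or a named service such as "dns".
Rule = namedtuple("Rule", "src_zone dst_zone dst_obj service action")

# The production policy sketched in the thread, plus the LAN1 -> AP management exception.
POLICY = [
    Rule("LAN1", "WAN", "ANY", "any", "allow"),
    Rule("LAN1", "ZyWALL", "ANY", "any", "allow"),
    Rule("LAN1", "LAN2", "AP", "any", "allow"),
    Rule("LAN2", "ZyWALL", "ANY", "dns", "allow"),
    Rule("LAN2", "WAN", "ANY", "any", "allow"),
    Rule("LAN2", "LAN1", "PRINTERS", "any", "allow"),
]

def zone_of(ip):
    """Map an address to its zone; anything outside the LANs is treated as WAN."""
    addr = ipaddress.ip_address(ip)
    if addr in ZYWALL_IPS:
        return "ZyWALL"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip, dst_ip, service):
    """First match wins. Intra-zone traffic is assumed permitted (the USG default);
    an inter-zone flow with no matching rule hits the implicit default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"
    dst = ipaddress.ip_address(dst_ip)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        members = OBJECTS[r.dst_obj]
        if members is not None and dst not in members:
            continue
        if r.service in ("any", service):
            return r.action
    return "deny"
```

Note that a wireless client pinging the AP is intra-zone and never consults the rule list, which is why that path keeps working even when the inter-zone rules are tightened.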

daveyeager, Member (join:2004-04-21, Columbus, OH) to sangsi

My Netgear wndr4000 will only accept local ipv4 pings / access to the WAN port from its own subnet (firmware may be off by 1 release) even when it is enabled. My Asus rt-ac68u works just fine when configured the way I want. I noticed that the Netgear R7000 will allow you to connect with ipv6, perhaps the wndr4000?

You could VPN from each wireless device to your lan (which I recommend anyways since wireless is insecure).

Anav, Premium Member (join:2001-07-16, Dartmouth, NS)

wireless is insecure??????

sangsi, Member (join:2010-03-10) to daveyeager

I kind of got confused...

So you have a Netgear WNDR4000 and it's in access point mode just like I do, and it won't respond to ping requests from another subnet?

And you also have an ASUS router in access point mode but that one does respond to ping requests from another subnet?

sangsi, Member

To keep you guys updated, I don't even know if there is any interest, I performed the firmware upgrade on the WNDR4000. It's now running off of v1.0.2.2_9.1.84. Interestingly enough, I can now ping it from LAN1. However, I cannot access it via the browser, so it's really not useful. I found out that I can actually use DD-WRT firmware on this device so I'm going to give that a try tomorrow. Hopefully that might give me more elbow room to configure things to allow http/https access from another subnet.

polarisdb, Member (join:2004-07-12, USA) to sangsi

I just verified this works with my USG50 and an old wrt54g running dd-wrt I had hanging around. From a LAN1 (192.168.1.0/24) wired PC I am able to access the LAN2 (192.168.2.0/24) GUI of the wrt54g at 192.168.2.254. Obviously, I'm using the wrt54g as a WAP by disabling the DHCP server on it and connecting the USG50 to a LAN (and not WAN) port on it.

daveyeager, Member (join:2004-04-21, Columbus, OH) to sangsi

said by sangsi:

I kind of got confused...

So you have a Netgear WNDR4000 and it's in access point mode just like I do, and it won't respond to ping requests from another subnet?

And you also have an ASUS router in access point mode but that one does respond to ping requests from another subnet?

Sorry for not being clear. That is correct, Asus works while the Netgear wndr4000 does not from other private subnets. In both cases the wireless AP is in the DMZ with a 192.168.x and the LAN1 is a 10.x with a pinhole in the firewall for ping, traceroute, http and https.

Look forward to your dd-wrt results. Netgear has had problems with wndr4000 AP mode before: »forum1.netgear.com/showt ··· ?t=86699 and fixes were never covered in release notes. dd-wrt will likely not be perfect, but tomato is not an option and open-wrt has issues with the wndr4000.

sangsi, Member (join:2010-03-10) to polarisdb

polarisdb,

Thanks for the info. That gives me confidence to go ahead with the firmware change.

daveyeager,

I'd like to get one of those ASUS devices but they are a bit pricey. For now, I'll just make do with this Netgear device. As for DD-WRT, I just want to see how it'll perform, etc. I'm not asking for too much. Just act as an access point and that's it. I don't even have the 5 GHz feature turned on with the stock Netgear firmware.

Hank, Premium Member (join:2002-05-21, Burlington, WV)

sangsi - I meant to post this a couple days ago but got busy with some medical stuff and am just now getting to it. But here are my policy route rules I use in my USG100. Rule 1 is so I can access my AP from my PC. There are also other rules to access my modems. Also in the document is the object I created for my AP; similar objects exist for my modems. But this allows me to access the AP and modems from my PC only. You could just as well make it the entire subnet if wanted. You could do the same thing for your WRT.

The last two rules are in place so I can troubleshoot a problem with WNA1 and not interrupt the better half's connection while I am troubleshooting.

sangsi, Member (join:2010-03-10)

Hello Hank,

Sorry to hear about the medical difficulties. Hope you are feeling better now!

Excuse my ignorance, but is there a benefit to utilizing policy routes to get this done the way you have it vs. just using simple firewall rules?

Currently, all I had to do was enable the LAN2 interface, designate its port to port #3, connect it to the switch side of the access point and then create a simple LAN1 to LAN2 allow with the IP address of the access point.

By the way, I initially couldn't ping the access point thinking that it had something to do with the Zywall USG 50 configuration but later on I found out that it was the access point itself. With the newest firmware, I can now ping it from another subnet.

Hank, Premium Member (join:2002-05-21, Burlington, WV)

Yes, had my knee replaced and it is coming along just fine.

No, I don't believe so. Just another way of doing it. I have a lot of difficulties here with my ISP, Frontier, and don't want to be messing with the firewall rules that often, so I make use of the policy route rules and can do so without impacting the entire network.

Have a happy Thanksgiving.

Regards,
Hank

mozerd, MVM (join:2004-04-23, Nepean, ON) to sangsi

I am not familiar with the WNDR4000 .... If you've enabled wireless isolation you will experience much of what you have described ..... So check to see if wireless isolation is a feature of the WNDR4000 and make sure it's disabled.

sangsi, Member (join:2010-03-10)

mozerd,

Thanks for the reply. I'm familiar with the wireless isolation feature. In this case, it's not explicitly activated. Plus, I can ping from LAN1 to LAN2 now... I can also ping the wireless access point using my laptop, which is connected wirelessly to the access point.

At this point, there is nothing wrong as far as Zyxel USG 50 configuration is concerned. Everything points to the access point's shortcomings.

I still need to mess around with the DD-WRT firmware.