  1. #1
    Untangler
    Join Date
    Jul 2014
    Posts
    35

    Routing between networks

    This may seem rather bush-league to some of you seasoned network guys, but it's got me pretty stumped.
    I set up a UT10 router for a client with a 3rd network adaptor for a "Guest" network. Put a Guest Wireless access point on it, and of course, people using the guest wireless have no access to the main network. Works as intended...

    Well, now they want to be able to administer that Guest access point from the main network. So, I will need for the UT to forward traffic on certain ports freely to the server running the administration software for the access point. Seems pretty easy to me (in theory) but I screwed with it for hours the other day, playing with NAT, the firewall, filters, default routes, etc. and I just can't get it to work.

    Now, I realize I haven't given the group enough here to ask for a step-by-step on how it's done, but has anyone seen a document around that explains how this can be done?

    Or maybe just throw out a few non-specific suggestions ("firewall needs to allow this, but don't forget the static routes" OR "if it's broadcast traffic you may have to do this") - something like that...

    This is a fully subscribed client, so I could contact UT support, but am trying to avoid that. (not sure why)

    Thanks...

  2. #2
    dmorris (Untangle Junkie)
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    If you're trying to set up a port forward (not sure if that's what you're trying to do or not...) then there is this guide:
    http://wiki.untangle.com/index.php/P...shooting_Guide
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,119


    What is your access point?

    Beware many SOHO devices (Linksys, Netgear, etc) are configured with an undocumented, and invisible firewall that prevents management access from anything other than a local address.

    DMorris is correct to suggest a port forward, because that plus configuration of the WAN management feature may be the only way out! So again, what is your access point?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Jul 2014
    Posts
    35


    The access point is a Ubiquiti UniFi UAP-LR.
    Uses port 8081 for management.

    I will try it and let you know how I make out.

    This business can be humbling at times. There are a lot of people who think I am some sort of computer genius (I'm not). However, something like this can knock you down a peg or two!

    Thanks for the suggestions...

  5. #5
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,119


    You may want to read this blog post I wrote, it'll help you understand what that AP is doing so you can fix the problem.

    https://nexgenappliances.com/blog/17...-access-points

    Unless you've manually set the provisioning URL, things aren't going to work quite the way you expect, and yes port forwards will be required if NAT is enabled.

    BTW, fine choice in APs, Untangle + Unifi = Magic

  6. #6
    Untangler
    Join Date
    Jul 2014
    Posts
    35


    Great blog, Sky-Knight! Definitely learned a lot about the Unifi Controller. Still can't get things to work, but I don't know if it's firewall related, software, or ignorance.
    I'll be able to troubleshoot better if I go onsite, configure a laptop and connect it to the isolated side, and see what I need to do to get it to "see" the private network.
    There's something elementary about the routing or the AP controller software that I am missing. Most of the router work I have done has been pretty straightforward. The Untangle gives me more options, but also requires a more complete understanding of routing.

    Thanks again...


  7. #7
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,119


    I would focus on determining how you got the guest network to not access the LAN. By default, it CAN access the LAN. NAT isn't involved between the two internal networks, and all you need is DNS for the AP to find the controller. (Or a manual provision with an IP)

    From there you use the firewall module to control access. If this is how you did this, all you need to do is pass traffic originating from the AP's IP address destined to the Controller's IP address and place that pass rule above the block.

    If you ticked the NAT box on the UT interface pointed at the guest network, you'll have to use a port forward and a public address to gain access. That's one of the reasons why I don't like using NAT in this way: it's harder to fix later when you need to make a pinhole.

  8. #8
    Untangler
    Join Date
    Jul 2014
    Posts
    35


    Well, that seems to be at least partly what's wrong. All three of the UT interfaces had the NAT box ticked - is this done by default?

    I cleared it on the guest interface, but now have to look through all the other changes and attempts at fixing things that I did to see what needs to be corrected.

    Guess I am not as clear on what NAT is (and isn't) as I thought I was.

    Gonna keep working on it, but thanks for your input.

    Much appreciated!

  9. #9
    Untangler
    Join Date
    Jul 2014
    Posts
    35


    OK, so I went around through the entire Untangle configuration, cleaned up all the (often dumb) things I tried in desperation, and the communication between the networks is now working. I had set up routes, filters, odd firewall rules, second IP on the LAN server interface, and other things I can't remember.
    I cleared the checkboxes for the non-WAN NAT, left it checked on the WAN interface. Pings started working, I could PuTTY into the UAP. I reset it to defaults. Found its new IP address in the DHCP lease listing, PuTTY'd into it again, used the "set inform" command and it still wouldn't be adopted. Finally realized that the command was "set-inform", not "set inform".
    Did all that, and the controller software now sees the AP.
    I am really impressed with the Unifi products, but am surprised at how much there is to learn. That's on me, not them!

    Thanks for your input - I learned a lot, got things straightened out.

    Happy guy!

  10. #10
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,119


    No, the NAT boxes aren't on by default, but beware. Removing them is the gateway to easy mode, but it also means your wifi and internal network can communicate at will. You'll likely want to get some firewall rules in there to fix that.

    Of course, if you're using the Unifi APs you can configure the guest SSID to not be able to communicate with private networks, that'll stop the public users from getting around too. But, having both never hurt anything.
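The rule ordering sky-knight describes in #7 (narrow pass for AP-to-controller placed above the broad guest-to-LAN block) and the caveat in #10 (with NAT unticked and no rules, guest and LAN talk freely) are easy to get backwards. Below is a small first-match firewall model written for this thread as an added illustration; it is not code from the thread, from Untangle, or from Ubiquiti, and Untangle's actual rule editor looks nothing like it. The two subnets, the controller, AP and file-server addresses are constructed; port 8081 is the management port named in #4. The model shows the same two rules in both orders, plus an empty rule list, so you can see which flows pass and which are blocked in each case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology (hypothetical addresses, not from the thread).
LAN_NET = "192.168.1.0/24"        # main network behind the UT
GUEST_NET = "192.168.2.0/24"      # 3rd interface, guest Wi-Fi
CONTROLLER = "192.168.1.10"       # LAN host running the UniFi controller
AP = "192.168.2.20"               # the UAP-LR sitting on the guest side
CONTROLLER_PORT = 8081            # management port as stated in post #4
FILE_SERVER = "192.168.1.5"       # some other LAN host guests must not reach
INTERNET_HOST = "203.0.113.7"     # documentation-range address standing in for the internet


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # source CIDR (a bare host address means /32)
    dst: str                        # destination CIDR
    dst_port: Optional[int] = None  # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when source, destination and port all fall inside the rule."""
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return src_ok and dst_ok and port_ok


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, str]:
    """First-match evaluation: the first matching rule decides, else the default.

    The default is "pass" to model post #10: with NAT off and no rules in place,
    the two internal networks communicate at will.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return default, "no rule matched (implicit default)"


# Rule set as recommended in post #7: the narrow pass sits ABOVE the broad block.
RECOMMENDED_RULES = [
    Rule("pass", AP, CONTROLLER, CONTROLLER_PORT, "AP may reach the controller"),
    Rule("block", GUEST_NET, LAN_NET, None, "guest network isolated from LAN"),
]

# Same two rules in the wrong order: the block shadows the pass.
SHADOWED_RULES = list(reversed(RECOMMENDED_RULES))

# Flows we care about (constructed).
FLOWS = {
    "ap_to_controller": Packet(AP, CONTROLLER, CONTROLLER_PORT),
    "guest_to_lan": Packet("192.168.2.50", FILE_SERVER, 445),
    "guest_to_internet": Packet("192.168.2.50", INTERNET_HOST, 443),
}


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Return the verdict ("pass"/"block") for each named flow under the given rules."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_RULES),
                         ("shadowed", SHADOWED_RULES),
                         ("no rules", [])):
        print(label)
        for name, pkt in FLOWS.items():
            action, why = evaluate(rules, pkt)
            print(f"  {name:18s} {pkt.src} -> {pkt.dst}:{pkt.dst_port}  {action:5s} ({why})")
```

Run it and the "shadowed" set blocks the AP from its controller even though a pass rule exists, which is exactly the symptom of putting the pass below the block; the "no rules" set passes everything between the two subnets, which is the state #10 warns about once the NAT checkbox is cleared. Note the pass rule matches only the AP's source address toward the controller's address and port, so a guest client with a different address still hits the block.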
