Connecting NG Firewall to Wireless Network

[Martiar]

Narrative overview of UT residential setup:

I’m using Untangle NG in a router-mode in a residential setup. My system is running UT-Build: (16.5.0.20220125T104621.4a2ac8c1bf-1buster) Kernel: (4.19.0-11-untangle-amd64).

I’ve used UT for several year now and find it to be an excellent system. My residential systems setup has grown overtime with 2 windows domain controllers, several connected windows and Linux’s desktops, laptops, mobile phones, video doorbell cameras and combined/integrated Linux-Ubuntu Bind 9 DNS on a wired (Ethernet) connected network and Wi-Fi.

My UT server serve as a DHCP server (personal choice over Windows DC’s). I use both Windows DC’s as DNS servers, in addition with Bind via Webmin (personal choice).
A Linksys (SFE2010) 48-Port Switch is used for network connectivity. My Wi-Fi network devices consist of (1) ASUS TM-AC1900 dual band (2.4GHz & 5.0GHz) Router, (1) ASUS RP-AC1900 dual band (2.4GHz & 5.0GHz) Repeater and (1) Linksys Wireless-N Broadband WRT300N Router 2.4GHz flushed with (dd-wrt.v24_mini_generic) firmware configured as a Wi-Fi Access Point.

Problem with UT and Wi-Fi:

For many years my UT setup with Ethernet and Wi-Fi coexisted and worked without problems on UT. As the Wi-Fi devices increased on the network, connectivity problems started to occur frequently. It became so bad, that I was forced to shut-down all Wi-Fi to have any network services.

My UT server originally had 2 interfaces setup 1-(RJ45 100Mbit on the system board (eth1) DHCP configured; Config Type: Addressed at UT, ip 192.168.1.1 gateway connected to default VLAN1 to the switch for all Internal Network Connections (Ethernet & Wi-Fi) and 1-(RJ45) Gbit (eth0) as the WAN connection to Comcast ISP.

My approach to fix the problem with Wi-Fi was to isolate the Ethernet and Wi-Fi traffic at the switch by installing a third interface in UT (eth2) and configuring a second VLAN (VLAN 29) at the switch to route all Wi-Fi traffic. (eth2) DHCP configured; Config Type: Addressed at UT, ip 192.168.29.1 gateway connected to VLAN29 switch port e1. I designated 12 switch ports added to VLAN29 (ports: e1-e6 and e25-e30) on the switch. Switch port e2 has the Linksys Wireless-N Broadband WRT300N Router direct connected to its port via cat5 cable. Switch port e3 has direct connection to a (poe adapter) connected to its port via cat5 cable. A second paired (poe adapter) located in the lower level of our home has direct connection to the WAN port on the ASUS RP-AC1900 dual band (2.4GHz & 5.0GHz) Repeater via cat5 patch cable. The ASUS TM-AC1900 dual band (2.4GHz & 5.0GHz) Router and a laptop computer in close proximity are direct connected to LAN ports at the back of the ASUS Repeater.

I setup/configured each Wi-Fi device to (auto receive ip’s from UT. Each device is being assigned an ip from UT, however when I “ping” a Wi-Fi device, the ping fail to work 99% of the time. Wi-Fi devices are not able to connect to the Wi-Fi network. I configured a “Firewall Rule” on UT as shown in the attached image, but that is not helping fix the problem.

UT Firewall Rule.JPG


I’ve reviewed articles here without success --->

https://support.untangle.com/hc/en-u...reless-network


Any all help with fixing this problem will be appreciated.

[RobM]

Do you have a network diagram available?

[dashpuppy]

Do you have a network diagram available?

This will help 100% more ! Maybe a photo or 2.

Also why use a second port to pass vlan. Why not just tag the port on the switch the vlan for WiFi..

[Martiar]

RobM, thanks for your response. I’ve uploaded a diagram depiction of my residential Untangle NG Firewall setup. As mentioned the setup is in router mode inline connection.

Untangle NG Network Diagram.JPG

[Martiar]

dashpuppy, Thank you for your response. I wanted total (physical) separation of my Wi-Fi and Ethernet networks traffic after experiencing this problem. As I understand VLAN Tag within UT-NG, an existing interface in UT would serve as a parent. That would not provide the physical separation I wanted. I’m thinking in my case that would compound troubleshooting and finding a fix.

I was doing more research to find a fix, and I was looking at UT-NG “Routes” as a possible cause. I was reading this article here:https://wiki.untangle.com/index.php/Routes. Partially, this statement in the article “If Untangle does not have a complete routing table, it will not be able to reach hosts behind Untangle and will not properly route return traffic back to them and they will be offline”.

My UT is handing out ip’s via eth2 DHCP to Wi-Fi hosts on VLAN 29 however, the problem with pinging the hosts exist. Does giving out ip’s play a part in “routing”?

Another question I have, when I configured eth2; DHCP, Gateway, and IP range does UT creates a “Route” in the background or is that to be created manually?

A third question, what steps would I use to view a UT routing table for my eth2 interface?

Thanks again for you response and help.

[Kyawa]

I run something similar but just use two switches and two subnets connected separately to the eth slots for a different reason. I never had any problems when they were all together before I separated them.

[dashpuppy]

I run something similar but just use two switches and two subnets connected separately to the eth slots for a different reason. I never had any problems when they were all together before I separated them.

I see what he wants to do now, this could be done. IMO would be 100% easier if he had 2 dumb switches though..

I have it setup with 1 x sfp+ port with dedicated vlans and block rules so one can't talk to the other both ways.

Example Vlan 10 IOT 192.168.10.x/24 with a small dhcp scope for all the IOT devices can go Device > Out Wan. that's it. Also a block rule so it can't see the https: port on 192.168.10.1 ( gateway )