SOLVED -- Frustrating Firewall Problem



  • Hi all. Need some help on an issue that has me pulling my hair out (figuratively anyway). I’ve posted this under Firewall, but the problem might actually be elsewhere.

    A simplified diagram of my setup is attached. I have one physical port on the WAN side (WAN) and two physical ports on the LAN side (LAN, Opt1). As shown, each port on the LAN side is associated with two interfaces, one with VLAN tagging, and the other without:

    LAN:
    192.168.1.0/24 -- Untagged
    192.168.20.0/24 -- VLAN Tag 20

    Opt1:
    192.168.50.0/24 -- Untagged
    192.168.60.0/24 -- VLAN Tag 60

    The two physical ports are connected by trunk lines to separate ports on a VLAN-aware Layer 2 switch. The switch separates the interfaces and presents each one (untagged) on its own RJ45 port. Finally there is a WAP that I can connect via CAT5e to any of these four switch ports.

    For the most part, this setup works exactly how I’d expect. After connecting the WAP to a switch port, WiFi clients can connect and get an IP address from the appropriate subnet. They have internet access and can get web pages, email, etc.

    There is only one problem when the WAP is connected to the switch port carrying the LAN interface (192.168.1.0/24). In this configuration one (and only one) of my WiFi devices has a problem. It’s an Android phone (v6.0.1). This phone can connect and get web pages, email, etc. But, the YouTube (and NetFlix) app doesn’t work. When trying to play a video it spins a long time and eventually says it can’t connect with the server. But, it plays videos from the YouTube web page just fine. And, the YouTube app on this phone works just fine when the WAP is connected to any of the other 3 switch ports. Finally, YouTube and all other apps work perfectly on other WiFi devices (Android tablets, iPhones) when the WAP is connected to ANY of the 4 switch outputs. I’ve tried 3 different WAP devices and the results are always the same.

    I’ve attached a picture of the LAN interface’s Firewall rules. The rules for the other 3 interfaces are identical. I’ve left them wide-open for purposes of this test. There’s one representative picture attached for them. I’ve heard about “hidden” rules. Could there be one on the LAN interface that’s blocking something that this particular version of the YouTube app on this particular version of Android needs?

    Sorry for the long-winded explanation, but I’m trying to be explicitly clear about the problem I’m seeing. Thanks in advance for any help.

    Greg

    PS -- This Android phone also has problems updating apps from the Google Play store when connected to the troublesome 192.168.1.0/24 subnet.



    ![LAN Rules.jpg](/public/imported_attachments/1/LAN Rules.jpg)
    ![Other Interface Rules.jpg](/public/imported_attachments/1/Other Interface Rules.jpg)


  • LAYER 8 Global Moderator

    So when your AP is on lan only 1 device has a problem??  All other devices work fine with this AP when on lan??

    And when you're on anything other than lan all devices work fine?

    Well your simple solution here is just to use any of the networks for your AP(s) ;)

    There are no hidden rules that would cause such an issue, there are hidden rules to allow dhcp to work…  Question for you is there IPv6 maybe on this lan?  Is your device trying to use IPv6 when on lan, and not when on the others?

    What is your wan, is it public or rfc1918 that overlaps with your lan network?  Have you tried using different address space for lan vs the 192.168.1/24 maybe .10 since your other segments seem to use double digits for the 3rd octet, etc.

    BTW - very good post, and even with drawings... ALL posts should be as well thought out when asking a question!!



  • Thanks for the reply.

    @johnpoz:

    So when your AP is on lan only 1 device has a problem??  All other devices work fine with this AP when on lan??

    And when you're on anything other than lan all devices work fine?

    All correct.

    @johnpoz:

    Well your simple solution here is just to use any of the networks for your AP(s) ;)

    That's Plan B.

    @johnpoz:

    There are no hidden rules that would cause such an issue, there are hidden rules to allow dhcp to work…  Question for you is there IPv6 maybe on this lan?  Is your device trying to use IPv6 when on lan, and not when on the others?

    What is your wan, is it public or rfc1918 that overlaps with your lan network?  Have you tried using different address space for lan vs the 192.168.1/24 maybe .10 since your other segments seem to use double digits for the 3rd octet, etc.

    WAN is public IP address from ISP. Haven't tried changing the LAN subnet yet.

    I believe, as you suggested, that the problem is IPv6-related. Entries like the image attached here show up in the firewall log just as I try to run the YouTube app on the problematic phone attached via WAP to the LAN interface.

    You'll have to forgive my newbie status – I know next to nothing about IPv6. I'm not (intentionally) doing anything with IPv6 on my network. What do these log entries mean and why would they only happen when one particular device is connected to one particular interface?

    Thanks again.

    Greg

    ![Firewall Log.jpg](/public/imported_attachments/1/Firewall Log.jpg)


  • LAYER 8 Global Moderator

    yeah sure looks like it's trying IPv6, you didn't do anything on the lan interface - set track for example on the ipv6.  Does your wan have a ipv6 address?  What does your lan show?  Can you post IPs - you can hide parts of the public or ipv6 addresses – just show the beginning parts.  That 2600 is a global address not teredo or anything else

    The owner of that 2600 space is
    UUNET - MCI Communications Services, Inc

    Is that your isp?

    that 2607 is google

    It's common for your interfaces to have an ipv6 that starts with fe80, this is link local... and not routable on the public internet.

    Notice some of my interfaces have ipv6, but my wan doesn't since I run a tunnel for ipv6 access..  So I am curious why your phone would try to access ipv6 unless you had it enabled..

    That source IP is owned by
    Source:  whois.arin.net
    Name:  WIRELESSDATANETWORK
    Handle:  NET6-2600-1000-1
    Registration Date:  Tue Apr 06 11:44:47 EDT 2010
    Range:  2600:1000:: - 2600:1017:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF




  • Poking around at your suggestion, I found both 'DHCPv6 Server & RA' and IPv6 'Track Interface' enabled on LAN. Disabled both and PROBLEM SOLVED.

    From the interface information attached, it doesn't look like my WAN has an IPv6 address. Does have an 'IPv6 Link Local'. ISP is Verizon FIOS.

    Now, none of the other interfaces have IPv6 either.

    Does this all seem correct now?

    Thanks

    Greg

    ![Interface 02.jpg](/public/imported_attachments/1/Interface 02.jpg)
    ![Interface 01.jpg](/public/imported_attachments/1/Interface 01.jpg)



  • Verizon is the owner of that IPv6 subnet as well as the IPv4 subnet, so that looks legit. You don't have v6 anymore on your WAN, but you definitely did previously, as that's the only way you'd end up with that PD on LAN.

    I'm sure whatever issue you had is fine now, though having IPv6 won't hurt anything where the config is appropriate. Not sure why it'd end up getting blocked if that was on your LAN, as your screenshot showed the default allow IPv6 rule on LAN, which would allow out your PD-obtained subnet.

    It's definitely fixable if you want to re-enable IPv6 and troubleshoot further from there.


  • LAYER 8 Global Moderator

    Yeah it is odd that was being blocked..  Unless something odd with prefix your phone was using compared to what the system thought was on your lan, etc.

    As cmb mentions if you want to play with ipv6 you could do that, but unlike some people want to believe ipv6 isn't just automatically a good thing..  One thing that drives me nuts is MS idea of 3 different transition technologies to get you ipv6 all enabled out of the box.  4 if you count just your normal dualstack..  Teredo, isatap and 6to4 all enabled..

    If you want to learn and play with ipv6 great.. Go for it and spend a bit of time setting it up correctly and then sure should work just fine.  If not then to prevent troubles then sure it's a good idea to disable it.  To me it's security 101, you don't leave protocols enabled you're not using..  You can disable it on windows with a simple reg key, linux depending on distro can be a bit more difficult but on the other hand I have not seen a linux box not play nice…  They don't have every ipv6 transition method enabled out of the box, so less problems with it from my experience.

    It is the future for sure, how near that future is depends on who you talk to..  I am pretty sure I will be retired from the field before it's truly mainstream..  And I have a good 15 years left in me ;)

    Personally vs dicking with quite often not ready for primetime isp deployments I would just go with a tunnel from Hurricane Electric if you want to dip your toes in the ipv6 water ;)  The water is fine, just takes a bit to get used to it... It is quite a bit different than ipv4, not just weird looking IP ;)  HE has tests that can help you get you going with it, with practical aspects in setting up ipv6 to accomplish on your way to sage level and your free tshirt ;) https://ipv6.he.net/certification/

    Play with a tunnel for a bit, once you feel comfortable with that then sure you can see how well your isp is doing it..
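A defender-side way to make sense of what the two moderator posts above describe (which IPv6 ranges are link-local, global, or one of the Windows transition technologies Teredo, 6to4 and ISATAP, and whether a LAN host's global address matches the prefix the router believes is on LAN) is a small audit over the firewall log. The following is an added example, not code from this thread or from pfSense: it classifies each IPv6 source address and reports LAN sources whose prefix does not match. The `action=... if=... src=... dst=...` key=value log format, the sample lines, and the LAN prefix `2600:1000:b000:1::/64` are constructed placeholders, not real filterlog output or real hosts.

```python
"""Audit firewall log lines for blocked IPv6 flows and classify the addresses seen.

Added example (not from the forum thread or pfSense). The log lines are
constructed in a simplified key=value form, not real pfSense filterlog output,
and the LAN prefix is a constructed placeholder.
"""
import ipaddress
from collections import Counter

# Ranges discussed in the thread: fe80::/10 link-local, global unicast (2600::, 2607::),
# and the Windows transition technologies Teredo (2001::/32) and 6to4 (2002::/16).
# ISATAP has no prefix of its own; its interface identifier is ::0:5efe:a.b.c.d
# (or ::200:5efe:a.b.c.d), so it is recognised from the low 64 bits instead.
TEREDO = ipaddress.IPv6Network("2001::/32")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ULA = ipaddress.IPv6Network("fc00::/7")


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """True when the high 32 bits of the interface identifier carry the ISATAP marker."""
    iid_high = (int(addr) >> 32) & 0xFFFFFFFF
    return iid_high in (0x00005EFE, 0x02005EFE)


def classify(text: str) -> str:
    """Label one IPv6 address. Transition technologies are checked first: Teredo sits
    inside a range the ipaddress module reports as non-global, and ISATAP addresses
    may themselves be link-local."""
    addr = ipaddress.IPv6Address(text)
    if addr in TEREDO:
        return "teredo"
    if addr in SIX_TO_FOUR:
        return "6to4"
    if is_isatap(addr):
        return "isatap"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    if addr.is_global:
        return "global"
    return "other"


def parse_line(line: str) -> dict:
    """Parse one constructed key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def audit(lines, lan_prefix: str) -> dict:
    """Summarise blocked IPv6 flows: count of blocked sources per class, and the global
    sources on the LAN interface that lie outside the prefix the router has on LAN
    (the mismatch the moderator suspects above)."""
    prefix = ipaddress.IPv6Network(lan_prefix)
    classes = Counter()
    outside_prefix = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("ipver") != "6" or rec.get("action") != "block":
            continue
        src = rec["src"]
        cls = classify(src)
        classes[cls] += 1
        if cls == "global" and rec.get("if") == "lan" and ipaddress.IPv6Address(src) not in prefix:
            outside_prefix.append(src)
    return {"by_class": dict(classes), "lan_sources_outside_prefix": outside_prefix}


# Constructed sample log lines (simplified key=value form; not real pfSense output).
SAMPLE_LINES = [
    "action=block if=lan ipver=6 proto=tcp src=2600:1000:b000:1::10 dst=2607:f8b0:4004:800::200e sport=51000 dport=443",
    "action=block if=lan ipver=6 proto=tcp src=2600:1000:b000:9::77 dst=2607:f8b0:4004:800::200e sport=51001 dport=443",
    "action=block if=lan ipver=6 proto=udp src=fe80::1a2b:3c4d:5e6f:7a8b dst=ff02::1:2 sport=546 dport=547",
    "action=block if=lan ipver=6 proto=udp src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2607:f8b0::1 sport=3544 dport=3544",
    "action=pass if=lan ipver=6 proto=tcp src=2600:1000:b000:1::11 dst=2607:f8b0::2 sport=51002 dport=443",
    "action=block if=lan ipver=4 proto=tcp src=192.168.1.20 dst=203.0.113.5 sport=4000 dport=25",
]
LAN_PREFIX = "2600:1000:b000:1::/64"  # constructed placeholder for the delegated LAN prefix

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec["ipver"] == "6":
            print(f"{rec['src']:45} {classify(rec['src'])}")
    print(audit(SAMPLE_LINES, LAN_PREFIX))
```

On the constructed input the audit reports two blocked global sources, one link-local and one Teredo, and flags `2600:1000:b000:9::77` as a LAN host using a prefix the router does not have on LAN; a Teredo or 6to4 hit on an internal interface is the quickest sign that a client has a transition technology enabled even though the network operator never configured IPv6.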



  • For now, everything is working as required with IPv6 disabled. My family isn't complaining. I won't "fix" what isn't broken.
    Thanks all.


  • LAYER 8 Global Moderator

    well you could always bring up another vlan to play with ipv6 ;)

