USG - multiple networks

Just implemented a new site with a USG and having a few issues.

Our setup is:
SSID 1 - corporate - radius authentication/WPA Enterprise - network LAN
SSID 2 - roaming - radius authentication/WPA enterprise - network internet only
SSID 3 - Guest WiFi - open network - guest policy ticked for guest portal - network - internet only
SSID 4 - Test - open network - internet only

Internet only - - purpose as guest - vlan 5 - DNS specified
LAN - - purpose as corporate - no vlan - DNS specified
2 IPSec VPNs in site to site config

Corporate side is working fine, wired and wireless.
We do have 2 internet only VLANs but the same issue on both, and eventually it will be 1.

I can connect to both SSIDs, roaming and Guest WiFi. On roaming I can ping addresses and send email using port 25, but no HTTP/HTTPS. Guest WiFi appears to be working now as I get the guest portal and authenticate, but earlier neither would.

I’ve rebooted but no joy either. So the issue is likely with my config. On the firewall, in guest in, I have created an ANY-ANY rule at the top but nothing.

Any suggestions? We don’t have many sites using the USG setup and potentially the issue may be at others, but we are going live with a new site and cannot get this working. It doesn’t hold things up as corporate is OK. Just nothing stands out as to the issue. All our other Unifi sites use Watchguard, so there is no issue with the VLAN, so to me it points to a USG config, but I thought allowing on the firewall would fix it.

Any suggestions?


Question: besides the USG, are the APs and switching Unifi also? The reason I ask is that it seems to be a port profile issue blocking connections. Unifi has an untagged VLAN, VLAN 1. Which subnet is that attached to? It typically gets configured to the management LAN on which the controller and hardware reside. So your port profile for the switches would have the APs’ LAN as the native, then tag your other LANs that require WiFi access and are being broadcast by the APs. Not knowing your setup, that is where I would start. Also, when using the Unifi guest portal, by default it isolates clients and ports.


Hi ScottyB,

Yes full Unifi AP Pro and 16 port switch. Port profile set on the switch as necessary, although I wonder if that is the issue I’ve got as I’m using it with the AP straight into USG without switch. Will check again on site. The one I’m having most issue with is the roaming one which is open and not got guest policies attached to it in the portal sense but the network is set to guest type same as our open but not the tick box.

If I get the chance to pop to site tomorrow with a switch I will have a look, but I’m on leave for a week after. Just needed something, as I’ve been battling at this all day, testing in the limited way I can here at home with the kit I have.

Will update when I have been to site. Thanks for your advice.


A further update to this: we have 20 or 30 sites within our controller, all set up the same minus IP details. Changing the guest network to the corporate, that SSID then gets the corporate range, but when it’s on guest it doesn’t want to know.

I have upgraded firmware versions to match known working sites and it made no difference. The guest portal works on other sites but not these, and another site that was created at the same time is working with no issues. The majority of sites use other firewalls and not Unifi, but another new site that is non-USG doesn’t want to play ball, but that is set up and working; all that has changed there is the WiFi from Aruba to Unifi.

I turned the guest portal off and internet works OK, so it is something related to that, but I cannot find what is stopping it as nothing, like I say, is any different to other sites.

@MattL, not sure I am understanding your issue fully. If you could elaborate or give further specific details. I don’t use open networks even for guests or the captive portal. However, I use separate SSIDs for guest and Corp networks.

4 SSIDs
Corporate with radius authentication gets - different range for each site
Open WiFi (guest) to a guest portal gets - purely internet VLAN local to each site
Open WiFi (guest) with radius authentication gets - purely internet VLAN local to each site

The 2 Open WiFi on some sites are on the same VLAN but just provide different internet for different purposes.

On the 2 guest VLANs, which are set up at many other sites and working, at a few new sites set up this doesn’t work: can get an IP address but no internet access. Set the SSID to give a corporate address and it works fine; disable the guest portal on these and that also works fine.

Have upgraded and degraded firmware on APs to no joy, so something config related. Some times have Watchguard others have a USG (which was where the issue was first found).

We must have 20 other sites working but recent ones do not want to work internet wise on the open WiFi, can ping out but cannot browse anything.


Just want to confirm… as I am trying to duplicate your setup in my lab. What controller version are you running and what firmware on the usg?

Using open guest with, guest portal? (no Auth, hotspot, Facebook wifi or external server)? Or using guest hotspot with radius Auth?

Setting up just as an open (not secure) guest network, with guest policies checked, I was unable to access the web or get past the gateway until I manually entered DNS servers, used / Do the networks have DNS firewall rules? Only certain DNS servers can get out?

Controller is 6.1.71 was on 6.0.41 but did the same on both versions. USG 4.4.52 but happens on sites without USG.

One SSID is pointing to a portal server we host, the other is radius.

DNS is specified in DHCP for the ones in question. I have tried adding an allow all rule but no joy.

The issue appears to be AP related and something to do with enabling/disabling the guest portal but not sure where else to look at this.


I think I have got to the bottom of the issue. If I delete all the SSIDs in the classic shell and recreate them in the new one, it would appear to work. Although not all options are available, if I switch back to classic then it seems to be fine. When a colleague mentioned it, I recalled something on a similar topic of issues from when the new shell was released, but cannot find the details to back it up.

@MattL,

Glad to hear you were able to resolve the issue!