DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Staff Mobiles on Public Wifi in Office
26 Sep 2018 09:50 #93049
by greenwood-it
Staff Mobiles on Public Wifi in Office was created by greenwood-it
Hi folks,
I'm looking for some "best advice" on a situation that's confused me.
I have a 2862 setup in an office with two VLANs;
VLAN0: 192.168.0.x setup for the office machines which includes an IMAP email server. External port forwarding for SMTP/IMAP is all working fine.
VLAN1: 192.168.1.x setup as a public hotspot with client isolation.
Staff mobiles (BYOD) are connected to VLAN1 and have full access to the internet, but they can't send or receive emails from the office server. They can send/receive if connected on VLAN0 or are outside of the building - so I'm assuming a routing issue.
I've set up a mail.businessname.uri in external DNS as well as a LOCAL DNS entry on the router to point to the 192.168.0.x server address.
I understand that the VLAN1 clients "should" be resolving to the router's external IP address (they can't see VLAN0 directly), but for some reason this isn't working - so, any suggestions as to what I'm doing wrong or how better to set things up?
Chat soon.
30 Sep 2018 22:36 #93079
by admin
Forum Administrator
Replied by admin on topic Re: Staff Mobiles on Public Wifi in Office
This is a guess:
If you resolve to an IP address which is the same as the public IP address you're using then the traffic can't actually route onto the network, it has to be looped back by the router onto the LAN internally... but by separating the VLANs, there's a conflict. On the one hand, you are saying, don't allow VLAN1 and VLAN0 to speak to each other... and then wanting them to, so perhaps the behavior is to respect your assumed deliberate setting.
Maybe you need to allow inter-LAN routing but block all with a filter except mail traffic (25/443 or whatever).
24 Sep 2020 15:05 #97256
by albertosaurus
Replied by albertosaurus on topic Re: Staff Mobiles on Public Wifi in Office
I have a similar issue on v2860 and v2862 and would like to use your recommended solution: allow traffic between the VLANs and then lock it down further with filter rules. I am using Firewall >> Filters of direction 'LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN' but they don't seem to be acting. All traffic is allowed through. If I use the Filter >> Diagnose feature to test 192.168.2.11:80 -> 192.168.1.1:80 it assumes the WAN and (unsurprisingly) shows it would be Blocked, whereas in practice all traffic between LAN 1 and LAN 2 is being allowed. How can I filter traffic selectively between VLANs or between Subnets?
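Added example, not part of the thread and not DrayTek code: a check to run from a client on the guest VLAN that shows which address the mail name resolves to and whether the inter-LAN filter passes only mail ports. The port lists and the script name are assumptions, and it assumes a blocking filter rule drops packets silently, so any reply on a non-mail port means the traffic crossed between the VLANs.

```python
import ipaddress
import socket
import sys

ALLOWED = {25, 143, 587, 993}   # assumption: mail ports the filter should pass
BLOCKED = {22, 80, 445, 3389}   # assumption: sample of ports it should drop

def resolution_path(name):
    """Resolve name and say whether clients get the LAN or the public address."""
    addr = socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    private = ipaddress.ip_address(addr).is_private
    return addr, "LAN (inter-LAN routing)" if private else "public (NAT loopback)"

def probe(host, port, timeout=2.0):
    """'open' = handshake done, 'closed' = RST came back, 'filtered' = no answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:              # includes timeouts and unreachable errors
        return "filtered"

def audit(host, allowed=ALLOWED, blocked=BLOCKED, timeout=2.0):
    """Return (port, state, problem) for every port that contradicts the policy."""
    findings = []
    for port in sorted(allowed):
        state = probe(host, port, timeout)
        if state != "open":
            findings.append((port, state, "mail port not reachable"))
    for port in sorted(blocked):
        state = probe(host, port, timeout)
        if state != "filtered":  # any reply means the packet crossed the VLANs
            findings.append((port, state, "reached the server, filter not applied"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vlan_mail_audit.py <mail hostname>")
    addr, path = resolution_path(sys.argv[1])
    print(f"{sys.argv[1]} -> {addr} via {path}")
    problems = audit(addr)
    for port, state, problem in problems:
        print(f"port {port}: {state} ({problem})")
    sys.exit(1 if problems else 0)
```

An empty result means the mail ports answer and the sampled non-mail ports get no reply; a "closed" or "open" finding on a non-mail port matches the symptom described in the last post, where the filter rules are not acting on inter-LAN traffic.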