Amazon fire blocked by USG 60 W?

Dovetail_MD
Dovetail_MD Posts: 81  Ally Member
edited April 2021 in Security
I'm having trouble with the Amazon fire that we use to play films etc in the office out of hours.

When we tried to start it last night it was complaining it couldn't resolve either the fixed IP address it had been given (plus full domain credentials) and it would not work over Wi-Fi either.

Is it possible that the USG 60 W is blocking something that this thing needs?

I've got no idea where to look

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @Dovetail_MD

    I suggest analyzing logs on USG60.

    If flows to Amazon are permitted I do not believe the device is blocking the requests.

    You said that it is possible that Amazon fire could not resolve the IP address. Why do you believe it? Is the policy on USG blocking some kind of DNS requests?

    Regards 

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    Yeah - I'm wondering if there is a DNS thing separate from the blocking thing.

    As the DNS is inboard from the Zyxel there should be a disconnect between making a fixed IP connection to the network and making a connection to the Internet where the latter requires DNS authorisation - however that fixed IP address is in the reverse look-up on the DNS server and has full security permissions.

    But that doesn't answer the question as to why the Amazon Fire cannot resolve a wireless address when other devices using that wireless can resolve one.

    A puzzle for the weekend!

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    Sorry PS - there are no records pertaining to the particular fixed IP address in the Zyxel logs - and I've got no idea which DHCP address the device was trying to use even if it actually got one
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @Dovetail_MD,

     

    Try to enable IP/MAC binding and configure IP and MAC address for Amazon fire.

    After Amazon fire is connected to USG60W's SSID, configure 8.8.8.8 in DNS on Amazon fire.

    Then monitor the logs and see if there are any blocked logs with this IP.
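
Added example, not part of the original posts and not Zyxel's code: one way to carry out the log check suggested above on an exported gateway log, separating "nothing logged for this IP" from "DNS blocked" and "other traffic blocked". The key=value line format, the client address 192.168.1.50 and the `triage` function are assumptions made for illustration; the USG60W's real export format will differ.

```python
import re
from collections import Counter

# Constructed sample in a generic key=value style; this is NOT the USG60W's
# real log format. 192.168.1.50 stands in for the Fire's fixed IP address.
SAMPLE_LOG = """\
2018-11-23T19:02:11 src=192.168.1.50 dst=8.8.8.8 dport=53 proto=udp action=block rule=7
2018-11-23T19:02:12 src=192.168.1.50 dst=8.8.8.8 dport=53 proto=udp action=block rule=7
2018-11-23T19:02:15 src=192.168.1.21 dst=192.0.2.34 dport=443 proto=tcp action=allow rule=3
2018-11-23T19:02:20 src=192.168.1.50 dst=192.0.2.10 dport=443 proto=tcp action=allow rule=3
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def triage(log_text, client_ip):
    """Return (verdict, counts) for one client's entries in the gateway log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != client_ip:
            continue
        kind = "dns" if m["dport"] == "53" else "other"
        counts[(kind, m["action"])] += 1

    if not counts:
        # Nothing logged for this source: the gateway either never saw the
        # traffic or the rule that handled it does not write log entries.
        verdict = "no-entries"
    elif counts[("dns", "block")]:
        verdict = "dns-blocked"        # DNS queries from this client are dropped
    elif counts[("other", "block")]:
        verdict = "non-dns-blocked"    # no DNS blocks, other traffic is dropped
    else:
        verdict = "nothing-blocked"    # look beyond the firewall policy
    return verdict, dict(counts)


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.21", "192.168.1.99"):
        print(ip, *triage(SAMPLE_LOG, ip))
```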




  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    edited November 2018
    Good afternoon,

    Thank you for your detailed response but if I'm right you are assuming that we are using DHCP on the Zyxel - and that the Fire device is using DHCP?

    So if I'm right about what you are saying above both are wrong;

    1) We have a separate DHCP server - we do not use DHCP on the Zyxel as it seems to mess up the iSCSI bindings on the data storage box we use that is connected to our NAS boxes - the storage box has both a fixed IP and DHCP addresses for iSCSI and the Zyxel when providing these screws up Windows server security by binding to the DHCP on the storage box

    2) The Fire device is not using DHCP - it is using a fixed IP address which we can see in our domain server as being present and authorised - and this server runs DNS - that is why the Fire has network access but not Internet access

    There are no log entries in the LAN for the fixed IP address we have given to the Fire box that I can see

    Thank you for your continuing help 

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    And I have just done another test - the preceding device to the USG60W was a Draytek 2925AC - so it occurred to me that I should put the Draytek back into the system as the gateway device and see what happened.

    And lo and behold the Amazon Fire is now connected to the Internet as well as to the network - so something in the USG60W is blocking the Amazon Fire - any ideas team?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @Dovetail_MD,

     

    Could you share the topology with us including USG60W, Draytek 2925AC, DHCP server, domain server, Amazon Fire and other device/server?

    How about the traceroute result on Amazon Fire?

    Besides, Amazon Fire uses fixed IP address. If you try to set 8.8.8.8 as the DNS server, can Amazon Fire access the Internet?

  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    edited December 2018
    Hi Emily,

    Our network setup is very simple.

    The USG60W and Draytek 2925AC are alternates with the former replacing the latter in order to save some money with our external spam washing service and get an easier machine to operate.

    Either provides our gateway to the Internet, using NAT with whatever protections run on the USG60W

    As I said the Amazon Fire works as in gets an Internet connection as opposed to a network connection when the Draytek 2925AC is the gateway but not when the USG60W is the gateway.

    This device is our gateway to the Internet and in board of that there are intelligent switches which connect the other devices together including two virtual machines that run domain services, another which runs DHCP and some data storage plus the workstations we use to get access to network resources and the inter-web into web through the gateway.

    Wi-Fi is provided by an extension box which dishes out Wi-Fi addresses against a range provided on our DHCP server

    Hope that helps?
  • Dovetail_MD
    Dovetail_MD Posts: 81  Ally Member
    Hmm - popped back for a look - no response?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @Dovetail_MD,

     

    It is difficult to find out the root cause without a graphical drawing of your topology and the settings on the USG60W or any block/abnormal logs on USG60W.

    Besides, are there any special settings on USG60W? Is the traffic blocked when using the default configurations? How about when the security policy rule is disabled?

     

    Can you share the topology with us including USG60W, Draytek 2925AC, DHCP server, domain server, Amazon Fire and other devices/servers?

    For example:

    ISP------Draytek 2925AC----USG60W ) ) ) ) Amazon Fire

    Where is the DHCP server and domain server located in the topology?

     

    "The Amazon Fire works as in gets an Internet connection as opposed to a network connection when the Draytek 2925AC is the gateway but not when the USG60W is the gateway."

    When it works in such topology without USG60W, is the topology the following one?

    ISP------Draytek 2925AC ) ) ) ) Amazon Fire
