Purpose
This document provides a structured troubleshooting and analysis procedure for cases where:
Firewall configuration exists
Internet connectivity is functional
DNS resolution is working
VLANs and SSIDs are operational
But traffic between specific interfaces behaves unexpectedly.
Example scenario:
VLAN 1 → 192.168.1.x
VLAN 10 → 192.168.10.x
Devices on these networks cannot communicate even though routing and IP addressing are correct.
The root cause in such cases is usually incorrect firewall policy configuration, such as:
Incorrect interface selection
Improper rule order
Policy conflicts
This is a Layer 3 policy enforcement issue, not a WAN or routing failure.
Scope
This SOP applies to:
Pronto Router (PC61)
Wavespot Cloud Controller
SSID-to-VLAN mapped deployments
Multi-segment retail or restaurant networks
Networks using interface-based firewall rules
Interfaces available in firewall rules include:
SSIDs
VLANs
Any (all interfaces)
This SOP does not apply to:
Full WAN outage
DNS failures
ISP connectivity issues
Background – How Firewall Policy Works
Firewall policies are configured in:
Configure → Firewall Configuration
Each rule contains:
| Field | Description |
|---|---|
| Source Interface | SSID or VLAN where traffic originates |
| Direction | Uni (one-way) or Both |
| Destination Interface | Target SSID or VLAN |
| Policy | Accept or Deny |
Important Default Behavior
By default:
All traffic between interfaces is allowed
Firewall rules override the default policy.
Example Rule Logic
Example firewall rule in a Pronto environment:
Source: VLAN 30 (Guest)
Destination: VLAN 10 (POS)
Policy: Deny
Direction: Both
Result:
Guest devices cannot access POS network.
Interface Types in Pronto Firewall
The platform allows a firewall rule to select from the following interface types:
SSID Interfaces
Example SSIDs:
GuestWiFi
Open WIFI
HotSpot2
VLAN Interfaces
Example VLANs:
VLAN 1
VLAN 20
VLAN 30
Firewall rules apply between these interfaces.
Problem Description
Staff or operators may report issues such as:
Guest Wi-Fi accessing internal servers.
POS cannot reach the payment server, printer, or order display when they are connected to different networks.
Devices cannot communicate across VLANs.
Certain applications are not loading.
However, the following may still be true:
Internet works
DNS works
IP addressing is correct
This indicates a firewall policy conflict.
Common Root Causes
In Pronto environments, firewall issues are often caused by:
Incorrect interface mapping (SSID ↔ VLAN mismatch)
Using “Any” interface unintentionally
Missing explicit Permit rule
Duplicate or overlapping rules
Rule direction misconfigured
VLAN trunk misconfiguration on switch
Incorrect SSID-to-VLAN mapping
Detailed Troubleshooting Procedure
Step 1 – Verify Firewall Rule Creation
Navigate to:
Configure → Firewall Configuration
Verify:
Firewall configuration exists
Correct Source Interface selected
Correct Destination Interface selected
Correct Policy (Accept / Deny) applied
Rule successfully saved
Step 2 – Validate Interface Mapping
Check the following:
SSID → VLAN mapping
VLAN configuration on router
VLAN tagging on switch trunk
Interface naming consistency
Example issue:
Guest SSID mapped to VLAN 20
Firewall rule created for VLAN 30
Result:
The firewall rule never matches the guest traffic, and it blocks or allows traffic on the wrong network instead.
Step 3 – Check Rule Direction
Firewall rules support two directions:
| Direction | Behavior |
|---|---|
| Uni | Traffic blocked only in one direction |
| Both | Traffic blocked in both directions |
Example mistake:
Source: VLAN 30
Destination: VLAN 10
Direction: Uni
Result:
Traffic may still pass in the reverse direction.
If segmentation is required, set Direction = Both.
Step 4 – Review Existing Firewall Rules
On the Firewall Configuration page, review:
All existing rule entries
Source and destination interfaces
Policy type
Direction
Check for:
Duplicate rules
Conflicting policies
Unintended interface selections
Example conflict:
Rule 1:
Source: Any
Destination: Any
Policy: Accept
Rule 2:
Source: VLAN 30
Destination: VLAN 10
Policy: Deny
Rule 1 overrides rule 2.
Step 5 – Verify VLAN Segmentation
Confirm:
VLANs created on router
VLAN tagging working on switch trunk
Correct access VLAN on device ports
If VLAN tagging is incorrect, firewall rules cannot match traffic properly.
Advanced Issue Scenarios
Scenario A – Incorrect Interface Mapping
Cause:
Firewall rule referencing wrong SSID or VLAN.
Example:
Rule: VLAN 20 → VLAN 10 Deny
Actual guest VLAN = 30
Resolution:
Recreate rule with correct interface.
Scenario B – Direction Misconfiguration
Cause:
Rule configured with Uni direction.
Resolution:
Change direction to Both.
Scenario C – Using “Any” Interface
Cause:
Firewall rule created using Any → Any Accept.
Result:
Segmentation rules ignored.
Resolution:
Use specific interfaces only.
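Added example (not Pronto or Wavespot code, and not an export format of either product): a small Python model of the rule table that flags the misconfigurations from Steps 2 to 4 and Scenarios A to C, and shows the verdict a given rule list produces. The Rule fields mirror the rule table in the Background section; the first-match evaluation order (inferred from the Step 4 conflict example), the function names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str        # SSID name, "VLAN n", or "Any"
    dst: str
    direction: str  # "Uni" or "Both"
    policy: str     # "Accept" or "Deny"

def covers(rule, src, dst):
    """True if the rule applies to traffic going src -> dst."""
    def hit(a, b):
        return rule.src in ("Any", a) and rule.dst in ("Any", b)
    return hit(src, dst) or (rule.direction == "Both" and hit(dst, src))

def decide(rules, src, dst):
    """First matching rule wins (assumption); default Accept, per the SOP."""
    for r in rules:
        if covers(r, src, dst):
            return r.policy
    return "Accept"

def audit(rules, ssid_vlan, wired_vlans=()):
    """Flag unused interfaces, Uni denies, and rules shadowed by earlier ones."""
    in_use = set(ssid_vlan) | set(ssid_vlan.values()) | set(wired_vlans)
    findings = []
    for i, r in enumerate(rules, 1):
        for iface in (r.src, r.dst):
            if iface != "Any" and iface not in in_use:
                findings.append(f"rule {i}: {iface} is not in use on this site")
        if r.policy == "Deny" and r.direction == "Uni":
            findings.append(f"rule {i}: Uni deny, reverse direction stays open")
        for j, e in enumerate(rules[:i - 1], 1):
            if e.policy != r.policy and covers(e, r.src, r.dst):
                findings.append(f"rule {i}: shadowed by rule {j} ({e.policy})")
                break
    return findings

# Constructed sample: guest SSID on VLAN 30, POS wired on VLAN 10.
SSID_VLAN = {"GuestWiFi": "VLAN 30"}
RULES = [
    Rule("Any", "Any", "Both", "Accept"),       # Scenario C
    Rule("VLAN 30", "VLAN 10", "Both", "Deny"),
    Rule("VLAN 20", "VLAN 10", "Uni", "Deny"),  # Scenarios A and B
]
if __name__ == "__main__":
    for line in audit(RULES, SSID_VLAN, wired_vlans={"VLAN 10"}):
        print(line)
    print("guest -> POS:", decide(RULES, "VLAN 30", "VLAN 10"))
```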
Validation After Resolution
Confirm the following:
Intended traffic is allowed
Restricted traffic is denied
VLAN segmentation working correctly
Captive portal functioning normally
POS transactions successful
No unexpected cross-network access
Test communication from both networks.
Preventive Measures
To prevent firewall policy issues:
Avoid using “Any” interface unless necessary
Document every firewall configuration change
Audit firewall rules quarterly
Maintain consistent SSID-to-VLAN mapping
Validate rule direction before saving
Escalation Guidelines
Escalate to Network Team if:
VLAN tagging incorrect
Switch trunk misconfiguration suspected
Inter-VLAN routing conflict identified
Quick Diagnostic Summary
If traffic behaves unexpectedly but internet works:
Verify firewall rule interfaces
Check rule action (Accept / Deny)
Validate rule direction
Avoid misuse of Any interface
Test bidirectional communication
Confirm VLAN segmentation working
