
Firewall Advanced Configuration Issues

Written by Rohit Yadav

Purpose

This document provides a structured troubleshooting and analysis procedure for cases where:

  • Firewall configuration exists

  • Internet connectivity is functional

  • DNS resolution is working

  • VLANs and SSIDs are operational

But traffic between specific interfaces behaves unexpectedly.

Example scenario:

VLAN 1 → 192.168.1.x
VLAN 10 → 192.168.10.x

Devices on these networks cannot communicate even though routing and IP addressing are correct.

The root cause in such cases is usually incorrect firewall policy configuration, such as:

  • Incorrect interface selection

  • Improper rule order

  • Policy conflicts

This is a Layer 3 policy enforcement issue, not a WAN or routing failure.

Scope

This SOP applies to:

  • Pronto Router (PC61)

  • Wavespot Cloud Controller

  • SSID-to-VLAN mapped deployments

  • Multi-segment retail or restaurant networks

  • Networks using interface-based firewall rules

Interfaces available in firewall rules include:

  • SSIDs

  • VLANs

  • Any (all interfaces)

This SOP does not apply to:

  • Full WAN outage

  • DNS failures

  • ISP connectivity issues

Background – How Firewall Policy Works

Firewall policies are configured in:

Configure → Firewall Configuration

Each rule contains:

Field                   Description
Source Interface        SSID or VLAN where traffic originates
Direction               Uni (one-way) or Both
Destination Interface   Target SSID or VLAN
Policy                  Accept or Deny

Important Default Behavior

By default:

  • All traffic between interfaces is allowed

  • Firewall rules override the default policy

Example Rule Logic

Example firewall rule in a Pronto environment:

Source: VLAN 30 (Guest)
Destination: VLAN 10 (POS)
Policy: Deny
Direction: Both

Result:

Guest devices cannot access POS network.

Interface Types in Pronto Firewall

The platform allows the source and destination of a firewall rule to be selected from the following interface types:

SSID Interfaces

Examples of SSIDs:

GuestWiFi
Open WIFI
HotSpot2

VLAN Interfaces

Examples of VLANs:

VLAN 1
VLAN 20
VLAN 30

Firewall rules apply between these interfaces.

Problem Description

Staff or operators may report issues such as:

  • Guest Wi-Fi accessing internal servers.

  • POS cannot reach the payment server, printer, or order display when they are on different networks

  • Devices cannot communicate across VLANs.

  • Certain applications not loading.

At the same time:

  • Internet works

  • DNS works

  • IP addressing is correct

This indicates a firewall policy conflict.

Common Root Causes

In Pronto environments, firewall issues are often caused by:

  • Incorrect interface mapping (SSID ↔ VLAN mismatch)

  • Using “Any” interface unintentionally

  • Missing explicit Permit rule

  • Duplicate or overlapping rules

  • Rule direction misconfigured

  • VLAN trunk misconfiguration on switch

  • Incorrect SSID-to-VLAN mapping

Detailed Troubleshooting Procedure

Step 1 – Verify Firewall Rule Creation

Navigate to:

Configure → Firewall Configuration

Verify:

  • Firewall configuration exists

  • Correct Source Interface selected

  • Correct Destination Interface selected

  • Correct Policy (Accept / Deny) applied

  • Rule successfully saved

Step 2 – Validate Interface Mapping

Check the following:

  • SSID → VLAN mapping

  • VLAN configuration on router

  • VLAN tagging on switch trunk

  • Interface naming consistency

Example issue:

Guest SSID mapped to VLAN 20
Firewall rule created for VLAN 30

Result:

The rule never matches the guest traffic, and instead blocks or allows traffic from the wrong network.

Step 3 – Check Rule Direction

Firewall rules support two directions:

Direction   Behavior
Uni         Traffic blocked only in one direction (source → destination)
Both        Traffic blocked in both directions

Example mistake:

Source: VLAN 30
Destination: VLAN 10
Direction: Uni

Result:

Traffic may still pass in the reverse direction (VLAN 10 → VLAN 30).

If segmentation is required, set Direction to Both.

Step 4 – Review Existing Firewall Rules

On the Firewall Configuration page, review:

  • All existing rule entries

  • Source and destination interfaces

  • Policy type

  • Direction

Check for:

  • Duplicate rules

  • Conflicting policies

  • Unintended interface selections

Example conflict:

Rule 1:
Source: Any
Destination: Any
Policy: Accept

Rule 2:
Source: VLAN 30
Destination: VLAN 10
Policy: Deny

Rule 1 overrides Rule 2, so the Deny is never applied.

Step 5 – Verify VLAN Segmentation

Confirm:

  • VLANs created on router

  • VLAN tagging working on switch trunk

  • Correct access VLAN on device ports

If VLAN tagging is incorrect, firewall rules cannot match the traffic correctly.

Advanced Issue Scenarios

Scenario A – Incorrect Interface Mapping

Cause:

Firewall rule referencing wrong SSID or VLAN.

Example:

Rule: VLAN 20 → VLAN 10 Deny
Actual guest VLAN = 30

Resolution:

Recreate rule with correct interface.

Scenario B – Direction Misconfiguration

Cause:

Rule configured with Uni direction.

Resolution:

Change direction to Both.

Scenario C – Using “Any” Interface

Cause:

Firewall rule created using Any → Any Accept.

Result:

Segmentation rules ignored.

Resolution:

Use specific interfaces only.

Validation After Resolution

Confirm the following:

  • Intended traffic is allowed

  • Restricted traffic is denied

  • VLAN segmentation working correctly

  • Captive portal functioning normally

  • POS transactions successful

  • No unexpected cross-network access

Test communication from both networks.
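The rule semantics used in Steps 2 to 4, the three scenarios above and the validation checks, modelled as an added Python example (this is not Pronto or Wavespot code). It assumes top-down, first-match evaluation with the SOP's default of Accept when no rule matches, and that Any matches every interface; the SSID names, the SSID-to-VLAN mapping, the router VLAN list, the rule sets and the ping results are all constructed for the example.

```python
# Added example, not Pronto or Wavespot code: a model of interface-based
# firewall rules that evaluates a flow, audits a rule set for the mistakes
# this SOP describes, and compares connectivity tests with the intended policy.
# Assumptions: rules are evaluated top-down and the first match wins; when no
# rule matches, the default policy Accept applies; "Any" matches every interface.
from __future__ import annotations

from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    policy: str     # "Accept" or "Deny"
    direction: str  # "Uni" (source -> destination only) or "Both"

    def matches(self, src: str, dst: str) -> bool:
        forward = self.source in (ANY, src) and self.destination in (ANY, dst)
        if self.direction == "Both":
            reverse = self.source in (ANY, dst) and self.destination in (ANY, src)
            return forward or reverse
        return forward


def evaluate(rules: list[Rule], src: str, dst: str) -> str:
    """Policy applied to traffic from src to dst (first match wins, default Accept)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.policy
    return "Accept"


def audit(rules: list[Rule], ssid_to_vlan: dict[str, str], router_vlans: set[str]) -> list[str]:
    """Findings for the interface-mapping, direction and rule-conflict checks."""
    findings = []
    known = set(ssid_to_vlan) | router_vlans | {ANY}
    mapped_vlans = set(ssid_to_vlan.values())
    for n, rule in enumerate(rules, start=1):
        for iface in (rule.source, rule.destination):
            if iface not in known:
                findings.append(f"Rule {n}: {iface!r} is not a configured SSID or VLAN")
            elif iface in router_vlans and iface not in mapped_vlans:
                findings.append(f"Rule {n}: no SSID maps to {iface}; confirm it is the intended network")
        if rule.policy == "Deny" and rule.direction == "Uni":
            findings.append(f"Rule {n}: Deny with direction Uni; reverse traffic may still pass")
        if rule.source == ANY and rule.destination == ANY and rule.policy == "Accept":
            findings.append(f"Rule {n}: Any -> Any Accept overrides every rule below it")
        if ANY not in (rule.source, rule.destination) and any(
            earlier.matches(rule.source, rule.destination) for earlier in rules[: n - 1]
        ):
            findings.append(f"Rule {n}: never reached; an earlier rule already matches this traffic")
    return findings


def unexpected_access(rules: list[Rule], observed: list[tuple[str, str, bool]]) -> list[str]:
    """Compare bidirectional tests (src, dst, reachable) with what the policy should do."""
    problems = []
    for src, dst, reachable in observed:
        expected = evaluate(rules, src, dst)
        if reachable and expected == "Deny":
            problems.append(f"{src} -> {dst} reachable but policy is Deny")
        elif not reachable and expected == "Accept":
            problems.append(f"{src} -> {dst} blocked but policy is Accept")
    return problems


# Constructed deployment data for the example (hypothetical SSID names).
SSID_TO_VLAN = {"GuestWiFi": "VLAN 20", "POS-WiFi": "VLAN 10"}
ROUTER_VLANS = {"VLAN 1", "VLAN 10", "VLAN 20", "VLAN 30"}

# Constructed rule set reproducing the Step 2, 3 and 4 mistakes: an Any -> Any
# Accept on top, and a Deny that targets VLAN 30 although the guest SSID is on
# VLAN 20, and is only one-way.
MISCONFIGURED = [
    Rule(ANY, ANY, "Accept", "Both"),
    Rule("VLAN 30", "VLAN 10", "Deny", "Uni"),
]
CORRECTED = [Rule("VLAN 20", "VLAN 10", "Deny", "Both")]

# Constructed results of pinging from both networks after the fix.
OBSERVED = [
    ("VLAN 20", "VLAN 10", False),
    ("VLAN 10", "VLAN 20", True),
    ("VLAN 1", "VLAN 10", True),
]

if __name__ == "__main__":
    for finding in audit(MISCONFIGURED, SSID_TO_VLAN, ROUTER_VLANS):
        print(finding)
    print(evaluate(MISCONFIGURED, "VLAN 20", "VLAN 10"))  # Accept: segmentation not enforced
    print(evaluate(CORRECTED, "VLAN 10", "VLAN 20"))      # Deny: Both also blocks the reverse path
    for problem in unexpected_access(CORRECTED, OBSERVED):
        print(problem)
```

Running the audit on the misconfigured set reports the Any → Any Accept, the unmapped VLAN 30, the one-way Deny and the fact that Rule 2 is never reached; the corrected single rule produces no findings. The observed ping results still show VLAN 10 reaching VLAN 20, which is exactly the cross-network access the validation step is meant to catch (here it indicates the device still enforces the rule one-way), so the test from both sides is not optional.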

Preventive Measures

To prevent firewall policy issues:

  • Avoid using “Any” interface unless necessary

  • Document every firewall configuration change

  • Audit firewall rules quarterly

  • Maintain consistent SSID-to-VLAN mapping

  • Validate rule direction before saving

Escalation Guidelines

Escalate to Network Team if:

  • VLAN tagging incorrect

  • Switch trunk misconfiguration suspected

  • Inter-VLAN routing conflict identified

Quick Diagnostic Summary

If traffic behaves unexpectedly but internet works:

  • Verify firewall rule interfaces

  • Check rule action (Accept / Deny)

  • Validate rule direction

  • Avoid misuse of Any interface

  • Test bidirectional communication

  • Confirm VLAN segmentation working
