Nebula [Debugging] - Port mirroring & Packet Capturing

This article shows how to troubleshoot your access point or switch if you have any issues/problems with traffic. It shows how to port mirror on a Nebula switch, packet trace/capture on an access point (AP) and firewall/gateway in Nebula CC.

 

Please note: We do not recommend executing any configuration commands via SSH on your Nebula devices! We also cannot support cases in which this has happened!

 

1) Port Mirroring

 

Port mirroring allows you to trace packets coming into a switch port. It copies the traffic and sends it to both the original destination and the "Mirror Port", where you can use packet-tracing software such as Wireshark to track down traffic in your network. This is a powerful tool when it comes to analyzing and debugging network issues. Please follow the steps below to set up Port Mirroring:


Note: There is a limitation on the NCC (Network Control Center) where a mirror source port can only be configured to monitor a maximum of three switch ports.

1. Log in to your Nebula Account via https://nebula.zyxel.com 
2. Navigate to Configure -> Switches -> Switch Settings

3. Find Port mirroring and click on Add


4. Select the Switch and which port(s) you want to have monitored. Also, choose a destination port. Source Port indicates the port where the traffic is coming from initially, while the Destination port indicates the port you will be tracking on.


5. Save the settings. 

6. Open Wireshark

7. Select the network adapter you're using (WiFi or Ethernet) and filter your packets

Filter the traffic you want to capture, for example:

multicast and broadcast
host 192.168.1.33
port 443

Later on, you can also filter after you've captured the packets by using e.g.:

ip.addr==192.168.1.1
ip.proto == 50
icmp 

 

 

8. Capture

9. Save the file and analyze / Send for analysis
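
For step 9, the following is an added example (not part of the original article or any Zyxel tooling) that triages a saved capture offline by applying the equivalent of the capture filters `host 192.168.1.33` and `port 443`. It assumes the capture was saved in the classic pcap format rather than pcapng; the function names and the sample frames are constructed for illustration.

```python
import struct

def _ip(b):
    return ".".join(map(str, b))

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport) for IPv4 TCP/UDP frames in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not untagged IPv4 (ARP, IPv6, 802.1Q)
        l4 = 14 + (frame[14] & 0x0F) * 4        # Ethernet header + IPv4 header length
        frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] not in (6, 17) or frag or len(frame) < l4 + 4:
            continue                            # only first fragments of TCP/UDP carry ports
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        yield _ip(frame[26:30]), _ip(frame[30:34]), frame[23], sport, dport

def matches(pkt, host=None, port=None):
    """Equivalent of the capture filters `host <ip>` and `port <n>`, ANDed together."""
    src, dst, _, sport, dport = pkt
    return (host is None or host in (src, dst)) and (port is None or port in (sport, dport))

def _frame(src, dst, proto, sport, dport):
    """Build one constructed Ethernet/IPv4 frame with an 8-byte L4 stub (checksums zero)."""
    addr = lambda s: bytes(map(int, s.split(".")))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, addr(src), addr(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap():
    """Constructed sample: three frames in little-endian classic pcap, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame("192.168.1.33", "203.0.113.10", 6, 51000, 443),
              _frame("192.168.1.40", "203.0.113.10", 6, 51001, 443),
              _frame("192.168.1.33", "192.168.1.1", 17, 5353, 53)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print([p for p in read_pcap(sample_pcap()) if matches(p, host="192.168.1.33", port=443)])
```

To run it against a real capture, pass the bytes of the saved file to read_pcap() instead of sample_pcap().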

 

2) Packet Capture

2.1 For Firewall - Using Web GUI

Navigate to Maintenance -> Packet Capture and choose the interface you want to capture (e.g. LAN traffic/WAN traffic). You can also filter the traffic, based on Host IP address or Host Port. Then click capture to start the packet capture.


 

2.2 For Firewall - Using CLI/SSH

In Nebula, the USG FLEX / ATP Series use an SD-WAN structure, which is mostly VLAN-based. For example, if you want to capture packets on the lan1 interface, you need to find out which VLAN the firewall is using for lan1 by entering the command:

show sdwan interface

In our example below, Nebula is using VLAN3718 for the lan1 interface.


 

To do a packet trace on lan1 and capture HTTPS traffic, enter the following command:

packet-trace interface vlan3718 port 443

 


 

To do a packet trace on lan1 and capture traffic from a specific host PC, enter the following command:

packet-trace interface vlan3718 src-host 172.16.3.102


 

2.3 For Access Points - Using CLI/SSH

The Access Points in Nebula cannot do a packet trace locally. If you want to do a packet capture of an Access Point, you need to access the device locally from a PC and use Section 3 to log in to the device via SSH.

Devices -> Switches

 

 

For the access points in Nebula, the bands are divided into two groups: wlan-1-1 (2.4 GHz) and wlan-2-1 (5 GHz).

If you want to capture HTTPS traffic on clients that are connected to 5GHz, please use the following command:

packet-trace interface wlan-2-1 port 443


 

If you want to capture traffic from a specific client that is connected to 2.4 GHz, please use the following command:

packet-trace interface wlan-1-1 src-host 172.16.3.102


 

2.4 On NSG

  1. Allow the device to respond to HTTPS & SSH service from WAN-Side (in this case, we select "any").
  2. You can find this Menu via
    Security Gateway > Configure > Firewall > Web services
  3. Then access the NSG via its public IP address via WAN:


  4. Navigate to the respective Menu and activate "Allow WAN to Device" and add the source IP addresses you want to allow to access via SSH:
    Configuration > SSH

     

  5. You now should be able to access your NSG via SSH - Congratulations!

    interface: Ethernet interfaces (e.g. wan1, lan1 etc.)
    port: the service you want to capture (443 (HTTPS), 80 (HTTP) etc.) 
    ip-proto: the protocol you want to filter (e.g. ping) 
    src-host: the source where the packets come from (e.g. from the server (192.168.1.3) to the destination: any)

    dst-host: the destination where the packets are going (e.g. to the server (192.168.1.3) from the source: any)

 

 
