ArubaOS and Controllers

Contributor I
Posts: 34
Registered: 04-27-2009

dst-nat for DNS?

I have a private subnet set up for a guest network. I'm using the controller as the DHCP server for this network. Originally I had entered our enterprise DNS servers (2 of them) in the DHCP scope, but got dinged on security for allowing guests to know our DNS server IP addresses.

I changed the DNS server for the scope to point to the controller (172.16.1.1) instead, and I tried setting a firewall rule in the guest access policy like this:
user -> any | service: dns | action: dst-nat port: 53

But if I log into the captive portal on the guest network to test it, I cannot resolve any DNS addresses.

Other factors that could be causing problems:

  • I'm using a master + local + local configuration
  • The DHCP server is on the master
  • The APs are actually terminating to the 2 locals
  • There's a L2 GRE tunnel between each local and the master, tunneling the guest VLAN between them
  • The guest VLAN has source NATing enabled


Anyone have any ideas, or examples of how I should be setting this up?
Guru Elite
Posts: 20,366
Registered: 03-29-2007

Give the Public What they want

J.P., just use 4.2.2.2 for the public DNS server and only allow traffic to that, and you're set...


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 34
Registered: 04-27-2009

Re: dst-nat for DNS?

Unfortunately, due to policy I have to use our internal DNS servers.

I did manage to get a bit further though. I changed the rule to specifically use UDP 53, rather than the dns 'service'.

Now on the client firewall report, I can see the UDP 53 request being allowed, and it shows the destination as the correct DNS server. I also see the response coming back from the DNS server to my test client's IP address.

However, I never get a DNS response...so I'm not sure what's going on with it.
Contributor I
Posts: 34
Registered: 04-27-2009

Re: dst-nat for DNS?

Looking at the client firewall status, I can see DNS requests from the client to the default router (172.16.1.1), and then I see responses from the REAL DNS server back to the client...but the client never sees the response for some reason...
Guru Elite
Posts: 20,366
Registered: 03-29-2007

Dst nat

JP,

So, you are issuing a DNS IP address to the client using DHCP of 172.16.1.1, which is the controller, and then you are destination NATTING the traffic to your INTERNAL DNS server? Destination NAT traffic is sent from the actual controller on behalf of the client, so the controller needs a route to that DNS server. Do you have a route to the DNS server FROM the controller? Can you ping the DNS server from the controller? It needs to be accessible. I'm also not sure why DNS from an inside server is more secure than DNS from an outside server...... Also, what version of ArubaOS are you using? There may be an issue destination NATTING from ArubaOS 3.4.x that you need to be aware of.

If none of these help, please open a support case and tell us the resolution...


Colin Joseph
Aruba Customer Engineering

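The mechanism Colin describes (the controller rewrites the destination of a packet aimed at 172.16.1.1:53, sources the session on the client's behalf, and must map the reply back before the client sees it) can be modelled in a few lines. This is an added illustration, not ArubaOS code or the poster's configuration; the internal resolver 10.0.0.53, the client 172.16.1.50 and the answer 203.0.113.10 are constructed placeholders.

```python
from dataclasses import dataclass

CONTROLLER_IP = "172.16.1.1"   # DNS address handed to guests by DHCP (from the thread)
INTERNAL_DNS = "10.0.0.53"     # constructed placeholder for the real internal resolver


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class DstNatTable:
    """Minimal stateful dst-nat: rewrite forward packets, un-translate matching replies."""

    def __init__(self, listen_ip, listen_port, real_ip, real_port):
        self.listen = (listen_ip, listen_port)   # what the guest is told to talk to
        self.real = (real_ip, real_port)         # where the traffic actually goes
        self.sessions = {}                       # (client_ip, client_port) -> original dst

    def outbound(self, pkt):
        if (pkt.dst, pkt.dport) != self.listen:
            return pkt                           # rule does not match; forwarded untouched
        self.sessions[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, *self.real, pkt.payload)

    def inbound(self, pkt):
        # Reply from the real server: restore the destination the client originally used
        orig = self.sessions.get((pkt.dst, pkt.dport))
        if orig is None or (pkt.src, pkt.sport) != self.real:
            return pkt
        return Packet(*orig, pkt.dst, pkt.dport, pkt.payload)


def client_accepts(query, reply):
    """A resolver only accepts an answer that returns from the address it queried."""
    return (reply.src, reply.sport) == (query.dst, query.dport) and \
           (reply.dst, reply.dport) == (query.src, query.sport)


def resolve(nat, client_ip="172.16.1.50", reverse_translate=True):
    """Walk one query through the controller; returns (as seen by DNS, as seen by client, accepted)."""
    query = Packet(client_ip, 40000, CONTROLLER_IP, 53, "Q example.com A")
    fwd = nat.outbound(query)                        # what the internal DNS server receives
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, "A 203.0.113.10")
    back = nat.inbound(reply) if reverse_translate else reply
    return fwd, back, client_accepts(query, back)
```

Only packets addressed to the controller on port 53 are rewritten, so the resolver's real address is never handed to guests; with `reverse_translate=False` the model shows the reply arriving from the real server address, which the client-side check rejects.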
