Controllerless Networks

We have setup IAP 305's at two locations and using the Virtual Controller to configure them.  The guest network has been configured at each location with same configuration but one site will not connect to the internet.  The Access Rules are exactly the same.  We have reset to default configurations several times and recreated the guest network but get the same results.  It connects to the AP but the wifi status on the test laptop shows Connected, No Internet, Secured.  The virtual controller shows the laptop connected. We have tried connecting from multiple pc's and even connected the AP to a different switch.  The AP is confiugred with a Static IP address as well. At a loss at this point as to why we can't get internet access.

If your SSID is setup as "Virtual Controller Assigned", all guest traffic will be natted out of the ip address of the Virtual controller.  That ip address would need to have access to the internet for guest traffic to work...

Set to Network Assigned with a Static Vlan 

---

@lavadour wrote:

Set to Network Assigned with a Static Vlan 

---

Okay.  is there any reason why a client with that ip address range would not be able to get out on the internet?  Do you have the ability to see (trace) traffic from that client on your firewall?

No reason they couldn't access the internet with that IP.  We are actually replacing Unifi AP's with Aruba.  We have set the Aruba's up the same but this one location doesn't work.  We have the access rules configured the same. 

Deny any to network 192.168.0.0.

Deny any to network 172.16.0.0

Deny any to network 10.0.0.0

Allow any to all destinations.

Works at one site but not the other.

Same as our Unifi system at each location

Have you tried it with no restrictions?

Works with no restrictions, can get to everything.  It seems to be when I add the deny 192.168.0.0 is when I loose internet.  Even though all the other site is configured that way and works.

Is your DHCP server or DNS server on that subnet?

We discoverd a DNS issue at this office, thanks for the assistance.

what was your issue? I am having almost the exact same issue as you are and I cannot see where the problem is

Hi Joseph,

Can you help on the same issue, my secnario is little different.

Thanks

To add, the Virtual Controller typically gets a DHCP address to function, but you can configure a Virtual Controller IP address, which will always be assigned to whoever is the Virtual Controller.  That would function as a static ip address that you can use to manage the cluster, regardless of the DHCP address of all of the other cluster members.  This would also allow you to know which ip address to expect the source ip address of the Guest traffic to your firewall.  http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/virtual-controller-ip.htm?Highlight=virtual ip address

Hi, I also have problems on my Guest network or even Admin network. I have 10 IAP-305-RW fw 6.5.4.3 default, 1 IAP was setup as VC. My network is just flat /16. All IAP IP's are able to ping to internet. Roles are just set temporarily to unrestricted. If I try to use a Captive Portal or Acknoledgement Splash page it seems that there is a "CERT error" that's why i can't access internet. I tried configuring manually the browsers to trusts site "https://secure.arubanetworks.com" then it succeed, Please help me to resolve this issue on captive portal authentication.

Best Regards,

Kenneth

Attachment(s)

ARUBA.zip   586 KB 1 version

Referring to the original problem in this thread, the problem for me was not DNS related I do not think. 

We had AP's set up in two different locations with same access rules for guest network. However on one network as soon as rules were added (specifically allow http/s except to local subnet) the AP behaved differently, it did not send Guest Wifi traffic directly from the AP's static IP address any longer, but from the Guest device from DHCP range 172.24.31.*. This meant the firewall was blocking the Aruba's Guest devices on this ip range. This was not happening on the first Guest network I set up in the same way. 

I compared the set up on both networks and could not find any difference which would cause this, in the end I changed the structure of the access rules to deny each of the corporate subnets and then allow everything esle as opposed to the 'allow http except to network ....'. So the Aruba AP was NAT'ing the Guest devices on one network but not on the other (I think)

Not sure why one network worked differently to another but the new access rules seems to work in all 3 locations so far.