Controllerless Networks

Wireless Kiosk NAT and security - iAP role/firewall design puzzle

  • 1.  Wireless Kiosk NAT and security - iAP role/firewall design puzzle

    Posted Oct 23, 2017 12:03 PM

    I've been claiming that I can do this for some time, and the techs have finally called my bluff; so I'm coming to the community to see what I can actually do, and whether I'll be eating crow.


    We have a wireless desktop PC set up for guests to access the Internet in order to fill out work applications etc. It's got a device certificate and we're using EAP-TLS for machine authentication to an SSID (Hire) specific to this use. Currently it's in VLAN100 (192.168.100.x) and has access to the Internet through our edge router.

    We use VLAN30 (10.10.30.x) to manage the iAP and VLAN2 (10.10.2.x) to connect wired internal devices, but can't get to VLAN100 from the inside.


    My techs want to be able to administer the Hiring Kiosk remotely (over VLAN2 or 30) and they would like the Kiosk to be able to print to VLAN2 printers.


    I think I can do the printing to VLAN2 by allowing the printer's IP in the ACL for the Hire role and setting up a NAT.


    How do I allow the other direction?


    I'm thinking I'm going to have to move the Hire desktop to VLAN2 and NAT back to VLAN100, but the iAP doesn't have an IP address in VLAN100 and I'm confused now.


    If you're still reading this, have you got any ideas?

  • 2.  RE: Wireless Kiosk NAT and security - iAP role/firewall design puzzle

    MVP EXPERT
    Posted Oct 23, 2017 12:26 PM

    Just so I've got this clear in my head, by "printing" you'll be sending traffic from VLAN100 to VLAN2. Then traffic initiated in the opposite direction, from VLAN2 to VLAN100, is what you are trying to achieve?


    What is the default gateway for VLAN2?

  • 3.  RE: Wireless Kiosk NAT and security - iAP role/firewall design puzzle

    Posted Oct 31, 2017 06:16 PM

    I've been messing around in the lab and I think I'm asking the iAP to be something it's not.

    I want it to have an address in the management VLAN and at least one of two guest VLANs - so it can be the firewall and router for a device in one VLAN which needs to pass traffic to the other (with NAT) to access the Internet.

    I think I need a firewall, a router AND a swarm of iAPs to get where I need to be.