I was trying to set up a separate Offsite Guest SSID that had its own Internet connection, now that AOS 6.4.3 supports PBR (policy based routing). That didn't work out so well for me, and I gave up 8 hours later.
Let me describe our current setup:
- Aruba 7030 running AOS 6.4.3.1 behind corporate router and NATing firewall
- Campus APs are both in controller's subnet and other corporate subnets
- default gateway for controller is the corporate router
- SSID & VLAN for corporate traffic, with a Windows server handing out the IPs
- SSID & VLAN for Internal Guest traffic, with the Aruba's internal DHCP server handing out the IPs
- both VLANs are trunked out of port 8 and
- corporate and Internal Guest traffic do not intermingle
We wanted to add another Offsite Guest SSID and VLAN with AP-275s that were set up as Remote APs, which did not intermingle with the existing two VLANs, and a separate Internet connection with a public IP on port 7 of the controller.
I did the following:
- built the new WLAN (with SSID)
- built "Offsite Guest" VLAN
- configured the Aruba's internal DHCP server to hand out a new set of private IPs
- configured the "Offsite Guest" VLAN with the .1 of the new set of private IPs
- configured the "Offsite Guest" VLAN to do SNATting
- built "New Internet" VLAN with the new public IP
- Configured port 7 to use the "New Internet" VLAN
- created a PBR ACL matching on the new set of private IPs
- created a nexthop-list routing to the new public IP's default gateway
- applied that PBR ACL to the "Offsite Guest" VLAN
But that did not work. Clients could get an IP address, but could not ping outside the Offsite Guest VLAN, just the controller's Offsite Guest VLAN's IP.
What did I do wrong? Or is this correct in theory, and should it have worked?
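For readers following the step list above, here is what those steps look like as one consolidated ArubaOS 6.4 CLI fragment. This is an added example, not the poster's actual configuration and not a claimed fix for the problem described; it only renders the steps as written so the pieces (guest VLAN with source NAT, uplink VLAN on port 7, next-hop list, route ACL, ACL applied to the guest VLAN) can be compared against a running config with "show running-config". VLAN IDs, addresses (RFC 5737 documentation space), the port naming (a 7030 numbers its front ports gigabitethernet 0/0/0 through 0/0/7, so "port 7" is taken to be 0/0/6) and the object names are all assumptions; command syntax is from memory of the 6.4 command reference and should be checked against it before use.

```text
! --- Offsite Guest client VLAN (assumed VLAN 30, 10.30.0.0/24, .1 on the controller) ---
vlan 30 "Offsite Guest"
interface vlan 30
  ip address 10.30.0.1 255.255.255.0
  ip nat inside                      ! source-NAT guest traffic leaving this VLAN

! --- second Internet uplink on port 7 (assumed VLAN 40, public /29 from the new ISP) ---
vlan 40 "New Internet"
interface vlan 40
  ip address 203.0.113.2 255.255.255.248
interface gigabitethernet 0/0/6       ! "port 7" is assumed to be 0/0/6 on a 7030
  description "New Internet uplink"
  switchport access vlan 40

! --- next-hop list pointing at the new ISP's default gateway ---
ip nexthop-list OFFSITE-ISP
  ip 203.0.113.1 priority 10

! --- route ACL: match the guest subnet as source, send it via the next-hop list ---
ip access-list route OFFSITE-PBR
  network 10.30.0.0 255.255.255.0 any any route next-hop-list OFFSITE-ISP

! --- apply the route ACL to traffic entering the controller from the guest VLAN ---
interface vlan 30
  ip access-group OFFSITE-PBR in
```

When comparing against a live controller, the points worth checking are that the ACL is of type "route" (not "session"), that the next-hop list is attached to the ACE rather than only defined, and that "ip nat inside" sits on the guest VLAN interface; "show ip nexthop-list" and "show acl hits" are the usual places to confirm the next hop is resolvable and that the ACE is actually matching. None of this changes what the post reports, which remains that clients received an address but could reach only the controller's VLAN IP.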