Correct on all counts.  Users in the main office will be able to ping clients on APs in the remote office, because they will have routable ip addresses, assigned from the datacenter.

Thank you. Should the most up-to-date info be in the knowledge base? Or do you have a URL to a guide I should use? If I run into something that looks different in my setup, shall I let you know in this thread?

It has not changed in years.  You would need to make sure:

- The access point is configured as a remote AP (required for split tunneling)

- The Virtual AP is configured as Split-Tunnel

- The user role assigned should look like this:

any any service dhcp permit

any network corpnetwork any permit

any any any route src-nat

The first rule permits dhcp which is essential

The second rule detects any traffic going back to the corporate network and permits it back through the tunnel

The third rule is a catch all for anything that is not destined to corporate and source-nats it out of the ip address of the RAP.

yay, I got it to work :) Thanks for the help.

There's a CRUCIAL mistake in the Understanding Split Tunneling guide (http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Remote_AP/Split_Tunneling.htm). It says at step 13e: Under Action, select ANY and check src-nat. This is not correct! It should be ROUTE and check src-nat. It lead me to chosing the action 'src-nat' (wich asked me to define a nat pool), wich is not correct either.

8e: says to enter the public IP of the controller. But it should be the IP of the network(s) you're trying to tunnel.

Some guides are saying I need to add an allow-all firewall-policy to the user-role, but doesn't seem neccessary.

Making the Port Wired AP profile 'trusted' wasn't needed either. (wasn't in a guide, but I remember it being needed when I was doing a different config).

What I don't understand yet is the Defining Corporate DNS Servers part. What does it do exactly? My DHCP hands out a corporate DNS-server in the range that is tunneled and it works. Why would I add DNS Server names in the Corporate DNS part? It it meant to be used when your DNS server is not in the range that gets tunneled?

eriknl2,

Thank you.  We ill get that fixed.

Eriknl2,

I got work that the link is fixed.  Please check the link...

Yes. Seems fixed. Thank you.

Other question: when I reboot a machine connected to a split tunnel rap, it doesn't seem to connect. Only if I pull the network cable for a while and plug it back in, then it starts working again. Sometimes. Not always.

What am I doing wrong? Windows says DHCP times out. I don't see the machine getting a user-role or anything.

Machine is running windows 8.1. Connected with wire to RAP2, same thing happens with RAP3.

Edit: if I disable mac authentication and set the Initial Role to the split-tunnel user-role, then it works. So it must be a problem with mac authentication I guess?

Normally, I have initial role set to denyall. And I have MAC Authentication Default Role set to the split-tunnel user-role. Also, in the internal database, I have set the role for the mac address to the split-tunnel user-role. Should I use something else instead of denyall? Like guest? Im also using denyall on the normal (not split) tunnels and that seems to work fine.