@abowen500 wrote:
Thanks. I think I'm beyond that for the moment; not sure if you saw my previous reply. I've now turned off source NAT on the guest VLAN interface.
I have a NAT pool configured with an appropriate address for my DMZ, and my DMZ firewall has been updated with appropriate rules.
On the master controller, I've created a server auth group with server rules to assign my test client to a specific role. That specific role has a policy that says to source NAT to the DMZ NAT pool. When I look at the specific role on the local controller, that particular policy has 0 rules in it. Is that normal? The local controller has an interface connected to the DMZ and configured with an IP address in my DMZ range. The master does not.
Is there a best practice for source NATting to a different interface (other than the management interface)? And while I'm asking, this is going to be for a larger audience than guests, and I'd prefer to source NAT to multiple addresses. Can I create a server rule that matches a range of addresses or a subnet? Thanks again.
Why would you need a server rule for a guest network? What are you attempting to match? The priority is first get traffic to pass so that you can even get DNS to resolve, which is essential for the Captive Portal to come up. No Captive Portal = No guest network. Getting the portal to come up is the priority.
With regards to the DMZ, you might want to have that DMZ controller's default gateway be the next hop to the internet, and have static routes to anything else internal.