Wireless Access

Reply
Occasional Contributor II

Split Tunnel

I followed the guide in my bootcamp manual for setting up a split tunnel SSID, but it is still routing all traffic through the corporate LAN instead of routing internet through the local router. Any help would be appreciated. I have the following policy rules. I only have this one policy for the role that is assigned to the user.


IPv4 user ru-lan any permit Low
IPv4 ru-lan any any permit Low
IPv4 user any any route src-nat Low
IPv4 any any svc-dhcp permit


Eric


Guru Elite

Re: Split Tunnel

- The DHCP rule should be at the top

- make sure your AP is configured as a RAP

- make sure your virtual AP forwarding mode is split tunnel

- make sure your user actually is in that role

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Occasional Contributor II

Re: Split Tunnel

Thanks for the quick response. The DHCP rule is actually first; for some reason it pasted differently. My AP is configured as a RAP. The mode is split-tunnel. The user is assigned the role that has this policy. Is there something else I'm missing? Am I supposed to get an IP from the corporate LAN or my local network?

Guru Elite

Re: Split Tunnel

You are supposed to get it from Corporate LAN.


make your last rule "any any any route src-nat low"
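The two ordering checks raised in this thread (the DHCP rule on top, and a final `any any any route src-nat` catch-all) as an added Python linter run over the rules pasted in the first post. This is example code written for this page, not from the thread or from Aruba; it assumes the rule text is in the `IPv4 <src> <dst> <svc> <action> [Low]` form the first post used.

```python
from collections import namedtuple
from typing import List

Rule = namedtuple("Rule", "src dst svc action")  # action: "permit", "deny", "route src-nat"

def parse_rules(text: str) -> List[Rule]:
    # Parses rules pasted in 'IPv4 <src> <dst> <svc> <action...> [Low]' form.
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "IPv4":
            continue
        if parts[-1] in ("Low", "High"):  # trailing queue marker, not the action
            parts = parts[:-1]
        src, dst, svc = parts[1:4]
        rules.append(Rule(src, dst, svc, " ".join(parts[4:])))
    return rules

def lint_split_tunnel(rules: List[Rule]) -> List[str]:
    # Returns the ordering problems the thread calls out; an empty list means OK.
    if not rules:
        return ["policy is empty"]
    findings = []
    first, last = rules[0], rules[-1]
    # ACLs match first-hit, so DHCP must be permitted before any broader rule.
    if not (first.svc == "svc-dhcp" and first.action == "permit"):
        findings.append("svc-dhcp permit rule is not the first rule")
    # The catch-all that routes and src-NATs the remaining traffic locally goes last.
    if (last.src, last.dst, last.svc, last.action) != ("any", "any", "any", "route src-nat"):
        findings.append("last rule is not 'any any any route src-nat'")
    # A catch-all anywhere but last shadows every rule after it.
    for i, r in enumerate(rules[:-1], start=1):
        if (r.src, r.dst, r.svc) == ("any", "any", "any"):
            findings.append(f"rule {i} is a catch-all; later rules are unreachable")
    return findings

# Constructed from the rules as pasted in the original post.
ORIGINAL_POST_POLICY = """\
IPv4 user ru-lan any permit Low
IPv4 ru-lan any any permit Low
IPv4 user any any route src-nat Low
IPv4 any any svc-dhcp permit
"""
# Same rules with the DHCP rule on top and the recommended catch-all last.
CORRECTED_POLICY = """\
IPv4 any any svc-dhcp permit
IPv4 user ru-lan any permit Low
IPv4 ru-lan any any permit Low
IPv4 any any any route src-nat Low
"""
```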
Occasional Contributor II

Re: Split Tunnel

It seems like I did everything I was supposed to.


(arubahost1) #show rights remote-test-splittunnel

Derived Role = 'remote-test-splittunnel'

----------------
Position Name Type Location
-------- ---- ---- --------
1 split-tunnel session

split-tunnel
------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low 4
2 user ru-lan any permit Low 4
3 ru-lan any any permit Low 4
4 user any any route src-nat Low 4

Guru Elite

Re: Split Tunnel

The only thing now is to confirm that your user is ending up in that role.

Occasional Contributor II

Re: Split Tunnel

I get an IP from my corporate LAN. But when I traceroute to anything on the internet it goes through the corporate LAN still.

Occasional Contributor II

Re: Split Tunnel

Here is the proof that the user is getting that role.


(arubahost1) #show user ap-name eric-home

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
129.85.53.238 00:24:d6:12:a0:2e eric remote-test-splittunnel 00:00:35 802.1x eric-home Associated(Remote) remote-test-splittunnel/6c:f3:7f:63:69:92/a-HT remote-test-splittunnel-aaa_prof split tunnel Win 7

Guru Elite

Re: Split Tunnel

You need to type "show datapath user ap-name <name of ap> table" to see what ACLs your traffic is hitting.

Occasional Contributor II

Re: Split Tunnel

(arubahost1) #show datapath user ap-name eric-home table


Datapath User Table Entries
---------------------------

Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
FM(Forward Mode): S - Split, B - Bridge, N - N/A

IP MAC ACLs Contract Location Age Sessions Flags Vlan FM IdleTMO
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- -- -------
192.168.11.1 6C:F3:7F:CE:36:98 2700/0 0/0 0 482 0/65535 P 4095 N 300
10.1.1.204 6C:F3:7F:CE:36:98 2700/0 0/0 0 0 1/65535 P 1 N 300
10.1.1.209 20:02:AF:3A:60:D5 59/0 0/0 0 0 6/65535 1 B 300
129.85.53.238 00:24:D6:12:A0:2E 71/0 0/0 0 0 22/65535 53 S 300
10.9.4.6 00:1A:1E:01:50:80 2703/0 0/0 0 482 0/65535 P 0 N 300
0.0.0.0 00:24:D6:12:A0:2E 71/0 0/0 0 0 0/65535 P 53 S 300
0.0.0.0 20:02:AF:3A:60:D5 59/0 0/0 0 0 6/65535 1 B 300
