Wireless Access

Occasional Contributor II
Posts: 18
Registered: ‎06-19-2014

Split tunnel Src NAT

Hello guys,

 

I am trying to understand the logic behind the "route src nat" in the RAP split tunnel configuration.

As I understand:

- Once the user has been authenticated and placed in the "Post authentication" role, his traffic is source natted by the AP.

 

My first question is: is it possible to just route the traffic locally without having to source NAT it (I would like to have a local DHCP server and a local router for the user VLAN, for instance)?

I have a setup with a RAP connected to a remote controller and configured in split tunnel + src NAT. The user traffic is tagged with VLAN100. I have configured a DHCP server and a VLAN interface for VLAN100 on the controller for testing purposes, and I set the default router to the VLAN interface IP address of the controller. Everything worked fine: the user got authenticated and could browse.

Then I wondered what would happen if I changed the default router IP in the DHCP scope to a non-reachable IP (as the traffic is src-NATed anyway, I did not see why we would need a default router in a subnet other than the AP's). It does not work: the user was still authenticated, but there was no Internet.

Does anyone know how the traffic flows in this kind of setup?

 

Many thanks for your help

Regards,

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Split tunnel Src NAT


 

Route-SRC Nat was designed specifically to provide web filtering to clients on a RAP by forwarding their traffic to a specific provider using this rule.

 

If you want clients to receive an IP address from a local subnet, you should set the forwarding mode to bridge(d). They will receive an IP address and send traffic locally.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 18
Registered: ‎06-19-2014

Re: Split tunnel Src NAT

Thank you Colin,

 

In fact, I am in a situation where I want to do captive portal authentication using RAPs (for remote sites).

I have read that the only way to do it is via Split tunnel mode (tunnel captive portal, dns, dhcp) and route src nat the other traffic.

I understand that I should tunnel the traffic in Pre authentication stage, however I would like to be able to route it locally (send it to the local router for NAT and routing) once the user is authenticated and not SRC nat it by the AP.

Would that be possible?

 

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Split tunnel Src NAT

I misspoke. Route DST-NAT is what is used for filtering. Route SRC-NAT should be used for Split Tunnel Captive Portal.

 

Please see the post here on how to configure split tunnel captive portal:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-825



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎06-19-2014

Re: Split tunnel Src NAT

Thank you Colin,

 

And as I understand, when using route src-nat, the IP address of the AP is used to source NAT the user traffic.

 

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Split tunnel Src NAT

Correct. Just like source nat.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎07-02-2015

Re: Split tunnel Src NAT

I noted that when route src-nat is used for split tunnel mode, the AP's IP (used for the IPsec tunnel back to the controller, let's say VLAN 50) will be used for src-nat, which can be changed for the "route" policy to just pass traffic using the guest IP (guest VLAN subnet, VLAN 999).

And I found out via pcap that the AP actually passes the traffic out on the AP's VLAN 50 with the AP subnet gateway's MAC replacing the destination MAC.

However, I have tried to configure the Wired AP profile to change the trunk configuration with no luck. As far as I understand, that applies only to APs with an Ethernet socket and the configuration on that port.

My testing AP is a pretty old model 61 with only one Ethernet port for all upstream data, and no console is available on that AP.

I hope someone could give me some tips here?

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Split tunnel Src NAT

What are you trying to do?

 



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎07-02-2015

Re: Split tunnel Src NAT

I am trying to take advantage of split tunnel mode for my captive portal enabled SSID.

All the traffic from the Guest VLAN should be routed locally at the remote site (with the guest's IP, not the src-NAT one). That would give more control on the remote-site firewall to manage the remote-site clients' network use.

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Split tunnel Src NAT


Split-tunneling is only designed for traffic to be tunneled back to the headend (controller) or source-NATed out of an AP. It is not designed to bridge traffic, because a split-tunneled user only has a headend IP address (tunneled). It does not have an IP address if traffic is simply bridged. That is why split-tunneled traffic must be source-NATed to pass beyond the access point. At that point, it takes the IP address of the remote AP as its source IP address. You cannot bridge split-tunneled traffic...



Colin Joseph
Aruba Customer Engineering

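The forwarding behaviour described in this thread (pre-auth traffic tunneled to the controller, post-auth traffic route src-NATed so that it leaves with the AP's own address, and the pcap observation that such frames are addressed to the AP-subnet gateway MAC) as a toy model. This is an editor's example, not Aruba code and not from any post above; the controller address, AP address, gateway MAC, guest subnet, and the two role rule sets are constructed assumptions, and real ArubaOS ACL syntax is not reproduced.

```python
"""Toy model of RAP split-tunnel forwarding (editor's example, not Aruba code).

Constructed values: controller 192.0.2.10; AP 10.50.0.25 on VLAN 50, whose
router has MAC 00:00:5e:00:53:01; guest clients on VLAN 999, 10.99.0.0/24.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONTROLLER_IP = "192.0.2.10"          # assumed headend (controller) address
AP_IP = "10.50.0.25"                  # assumed AP address on VLAN 50
AP_GATEWAY_MAC = "00:00:5e:00:53:01"  # assumed MAC of the AP-subnet router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_port: int = 40000


@dataclass(frozen=True)
class Rule:
    """One line of a role ACL: destination, protocol, port, action."""
    dst: str                 # "any" or a single IP
    proto: str               # "any", "tcp" or "udp"
    dst_port: Optional[int]  # None matches every port
    action: str              # "tunnel", "route src-nat" or "deny"

    def matches(self, p: Packet) -> bool:
        return ((self.dst == "any" or self.dst == p.dst_ip)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


# Pre-auth role: only DHCP, DNS and the captive portal, all tunneled to the
# controller so the client can be authenticated; everything else is dropped.
PRE_AUTH_ROLE: List[Rule] = [
    Rule("any", "udp", 67, "tunnel"),           # DHCP
    Rule("any", "udp", 53, "tunnel"),           # DNS
    Rule(CONTROLLER_IP, "tcp", 443, "tunnel"),  # captive portal
    Rule(CONTROLLER_IP, "tcp", 80, "tunnel"),
    Rule("any", "any", None, "deny"),
]

# Post-auth role: DHCP and DNS stay tunneled, the rest is route src-nat'd.
POST_AUTH_ROLE: List[Rule] = [
    Rule("any", "udp", 67, "tunnel"),
    Rule("any", "udp", 53, "tunnel"),
    Rule("any", "any", None, "route src-nat"),
]


@dataclass
class RapForwarder:
    # (AP_IP, nat_port) -> (client_ip, client_port), so replies map back to the client
    nat_table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 50000

    def forward(self, role: List[Rule], p: Packet) -> dict:
        """Apply the first matching rule and describe what leaves the AP."""
        rule = next((r for r in role if r.matches(p)), None)
        if rule is None or rule.action == "deny":
            return {"action": "deny"}
        if rule.action == "tunnel":
            # The client packet rides unchanged inside the IPsec tunnel: the outer
            # header is AP -> controller, the inner source is still the client.
            return {"action": "tunnel", "outer_src": AP_IP,
                    "outer_dst": CONTROLLER_IP, "inner_src": p.src_ip}
        # route src-nat: the AP substitutes its own address (and a fresh port) for
        # the client's, and the frame is addressed to the AP-subnet gateway MAC.
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[(AP_IP, nat_port)] = (p.src_ip, p.src_port)
        return {"action": "route src-nat", "src_ip": AP_IP, "src_port": nat_port,
                "dst_ip": p.dst_ip, "dst_port": p.dst_port, "dst_mac": AP_GATEWAY_MAC}

    def reply_target(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a returning packet (addressed to the AP) back to the client."""
        return self.nat_table.get((dst_ip, dst_port))


if __name__ == "__main__":
    fw = RapForwarder()
    guest = "10.99.0.20"
    print(fw.forward(PRE_AUTH_ROLE, Packet(guest, "198.51.100.7", "tcp", 443)))
    print(fw.forward(PRE_AUTH_ROLE, Packet(guest, CONTROLLER_IP, "tcp", 443)))
    print(fw.forward(POST_AUTH_ROLE, Packet(guest, "198.51.100.7", "tcp", 443)))
```

The model makes Colin's last point concrete: once a flow hits the route src-nat rule, everything the remote-site network sees carries the AP's VLAN 50 address, which is why a remote-site firewall cannot distinguish guests by their VLAN 999 addresses in this mode, and why the guest subnet never needs to be routable beyond the AP.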
