Wireless Access

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Trouble with routing traffic trough controller straight to Internet

I'm trying to create an open guest network (to be transformed into a captive portal later) where traffic is source NATed through the controller's WAN VLAN interface. I have enabled "ip nat source" for the guest VLAN and I'm using the default guest role as the initial role. Traffic seems to go through, but clients get no data back.

From session table:


Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.17.0.251 8.8.8.8 17 51496 53 0/0 0 96 0 tunnel 15 13 FSCI
172.17.0.251 8.8.4.4 17 29844 53 0/0 0 96 0 tunnel 15 e FSCI


Do I need something extra? The Internet connection is through a static IP assigned to another VLAN. I have applied a firewall rule set to this VLAN, restricting incoming ports to NAT-T and management; does that affect it? (And the interface is marked as untrusted.)

The controller is an A620 running OS 6.1.2.5, with an AP-105 as a RAP.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Trouble with routing traffic trough controller straight to Internet

You need to make sure that the default gateway for the controller is the upstream WAN router. Then you need to create static routes for the internal networks and point them to an internal router. IP nat inside or source NAT will follow the internal routing table of the controller; you need to change it to make sure that external traffic routes out the WAN interface of the controller for it to work.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Trouble with routing traffic trough controller straight to Internet

I have only a default route, which points to the WAN router. I can remotely access the controller, the RAP can connect remotely, and ping tests from the controller work.

For some reason the sites I try to access appear under Clients? The AP name is the port the WAN is connected to, and they got the logon role assigned?

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Trouble with routing traffic trough controller straight to Internet

Do you have an ACL on the WAN port, or is it untrusted?

Colin Joseph
Aruba Customer Engineering

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Trouble with routing traffic trough controller straight to Internet

The port is marked as untrusted and the WAN VLAN firewall policy is applied. No firewall policy on the port, though.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Trouble with routing traffic trough controller straight to Internet

It should be marked as trusted, but you should apply an ACL that only allows NAT-T inbound for RAPs:

According to the article here: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951/highlight/true#M64

The only difference is that you want to allow NAT-T inbound and DHCP (if you are getting

This is what you should have:

ip access-list session WAN
any any svc-natt permit
any any any deny

exit
interface gigabitethernet 1/0
ip access-group WAN session

Any traffic will be allowed outbound, but only NAT-T (UDP 4500) will be allowed inbound for your RAPs.

Colin Joseph
Aruba Customer Engineering

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Trouble with routing traffic trough controller straight to Internet

ip access-list session Internet
network xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any Aruba-MGMT permit
any any svc-natt permit
host xxx.xxx.xxx.xxx any svc-ssh permit
!


interface fastethernet 1/6
description "FE1/6"
trusted
trusted vlan 1-4094
ip access-group "Internet" session
switchport access vlan 1000
!

Now all the bogus clients are gone, but still no connectivity. From a client I can ping every interface of the controller, but traffic is not going any further.

I enabled logging on the remote firewall and ran some tests. If I ping that firewall, it sees the traffic coming from the controller's WAN address, accepted and returned. So the problem is somewhere with the returning traffic.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Trouble with routing traffic trough controller straight to Internet

Are you sure you have ip nat inside on the Guest Client's IP interface?



Colin Joseph
Aruba Customer Engineering

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Trouble with routing traffic trough controller straight to Internet

interface vlan 80
ip address 172.17.0.1 255.255.255.0
no ip routing
ip nat inside
operstate up
!


Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Trouble with routing traffic trough controller straight to Internet

Remove no ip routing from the interface.


Colin Joseph
Aruba Customer Engineering
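Pulling the thread's advice together, as an added example rather than configuration from any of the posts: the WAN port is marked trusted with an inbound session ACL that admits only NAT-T (and DHCP, which can be dropped when the WAN address is static as in this thread), the guest VLAN keeps ip nat inside with ip routing left enabled, the controller's default gateway is the upstream WAN router, and a static route sends the internal networks to an internal router so only guest traffic follows the default route out the WAN VLAN. All addresses, interface numbers and VLAN IDs are constructed placeholders.

```text
ip default-gateway 203.0.113.1
ip route 10.0.0.0 255.0.0.0 192.0.2.254
!
ip access-list session WAN
  any any svc-natt permit
  any any svc-dhcp permit
  any any any deny
!
interface gigabitethernet 1/0
  description "WAN uplink"
  trusted
  trusted vlan 1000
  switchport access vlan 1000
  ip access-group WAN session
!
interface vlan 1000
  ip address 203.0.113.10 255.255.255.0
!
interface vlan 80
  ip address 172.17.0.1 255.255.255.0
  ip nat inside
!
```

With the session ACL applied on the trusted port, outbound sessions are still allowed (the session firewall is stateful, so replies return), while unsolicited inbound traffic other than NAT-T is dropped before reaching the controller.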