Controllerless Networks


WiFi to Ethernet bridge with IAP315

  • 1.  WiFi to Ethernet bridge with IAP315

    Posted Oct 14, 2021 03:55 PM
    Hi,

    I am setting up IAP-315 as a Wi-Fi to Ethernet Bridge. I have a part of this working but can't get everything to work. I've searched around but can't find the key to solve the last steps for the setup so I am looking for assistance.

    My network:
    Server with DHCP server <-> Wi-Fi AP in bridge mode (third party, already setup and working) <-> Wireless clients
    No VLAN tagging

    I would like to have the following:
    Server with DHCP server <-> Wi-Fi AP in Ethernet to WiFi bridge mode <-> IAP-315 in bridge mode <-> Ethernet switch <-> Wired clients

    I don't want either AP to be assigning any IPs. All IP assignment should be done by the server with DHCP server.

    IAP-315 is using 'ArubaOS (MODEL: 315), Version 8.9.0.0' firmware.

    I initially configured a wireless network on 5GHz band with network assigned IP and static VLAN 1 so SetMeUp would be removed. The 802.11 band was set to All and Allowed 5GHz radio set to All. At that time eth port was the uplink connecting to the DHCP server via Ethernet and clients could connect to the Aruba wireless SSID and join the main network.
    I then turned off extended SSID, set enforce uplink WiFi, put WiFi-sta at the top of the uplink priority, entered the other AP's SSID in WiFi uplink, chose 5GHz band (other AP has SSIDs on both 2.4GHz and 5GHz), and set up the WiFi uplink security. I rebooted the IAP, unplugged Ethernet cable from IAP, and watched console output. WiFi uplink came up.

    output of show wifi-uplink status

    Configured :YES
    Enabled :YES
    State :UP
    Interfaces :aruba001
    ...

    IAP did obtain an IP from the DHCP server via the WiFi uplink. I could login into the IAP's VC portal from the main wireless network. I could no longer connect clients to IAP's SSID. Is that because I can't use 5GHz as a backhaul/uplink and AP at the same time?

    I tried connecting a device to IAP's eth port but the client could not obtain an IP. I decided to set 'enet1-mode downlink' and 'enet0-bridging' (I don't think enet0-bridging is necessary but I didn't think it would hurt). I also set up a wired Ethernet network in access mode with network assigned IP, native VLAN 1, set the port to be trusted, chose default_wired_port_profile as 0/0 and my new eth profile as 0/1.
    I also made sure that IAP's access point uplink management network was VLAN 0, Eth0 and Eth1 were set to downlink, IAP was set as preferred conductor and IP address for IAP was set to get IP from DHCP server. I rebooted the IAP.

    For some reason I no longer see console output but I don't know why. How do I get console access back?
    IAP WiFi uplink came up again and is working.
    I can access IAP VC portal via the main network.
    Clients can join the IAP's SSID but can not obtain an IP address.
    Connecting clients to IAP's eth port results in those clients not being assigned an IP address. This is where I am stuck.

    In summary:
    WiFi uplink portion of IAP's configuration is working.
    IAP's AP SSID connections are not assigning IP address. I don't mind, in fact I probably would rather not even have IAP create another wireless network to reduce congestion. Can I delete this wireless network and not have extended SSID turn itself back on (as I understand extended SSID interferes with WiFi uplink) or SetMeUp return?
    Ethernet downlink is not working. This is what I need most help with.

    What do I still need to configure so I can connect IAP's Ethernet port to my Ethernet switch's uplink and allow all the wired clients connected to the switch join the rest of the network with IAP as their bridge?

    Thanks for the help.

    ------------------------------
    Kosta Kh
    ------------------------------


  • 2.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 17, 2021 01:34 AM
    To add a little to above. I have seen https://blog.theitrebel.com/2020/05/05/aruba-iap-workgroup-bridge/ that talks about having to enable DHCP server on IAP but I want to avoid having 2 DHCP servers on my network (main DHCP server and IAP), and I want to avoid setting up routing. If I need to run something DHCP based on the IAP I would prefer for it to be a relay agent on eth downlink and client on Wifi uplink but I don't know how to set that up on this IAP.

    Maybe I first should have asked if it's possible to have IAP act as a L2 bridge without VLAN tagging.

    Thanks


  • 3.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 17, 2021 03:25 PM
    Might be easier to replace your third party device with IAP and just do normal mesh.

    I'm not sure you can bridge to an uplink like that.


  • 4.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 18, 2021 12:33 AM
    Then to clarify. It's possible to do WiFi downlink/access point with eth uplink but not the other way around? It just seems odd that it can't be configured in reverse.

    For mesh, if the first IAP is a VC and has eth uplink and acts as WiFi access point then will the second IAP have its eth as a downlink or bridge?


  • 5.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 18, 2021 02:59 PM
    I may be wrong. I think looking at some reference material it should be possible but never tried it. Looks like you've taken all the right steps. Is it possible that the uplink AP is enforcing some kind of IP address limit per associated client?

    Can you see any DHCP requests on the wired network from clients connecting to IAP?

    ------------------------------
    Scott Doorey
    ------------------------------



  • 6.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 19, 2021 12:55 PM
    I ran packet capture at three points. At the DHCP server, at the IAP and at the Windows client. I had a Windows client connect to the IAP's eth downlink port and I ran ipconfig /renew to force some DHCP activity. On the DHCP server I used that system's packet monitoring tools, for IAP I used pcap and wireshark:5555 (on remote machine) as per one of the forum posts and for Windows client I used wireshark on its local interfaces. I saw the following:
    1. DHCP server sees DHCP traffic and it looks like it replies.
    2. IAP sees DHCP traffic from the Windows client but does not see a response from the DHCP server.
    3. Windows client sends out DHCP Discover requests via IAP but does not receive a DHCP Offer. When the Windows client is connected to the network via a different link I can see DHCP Discover and DHCP Offer packets. So DHCP is working ok but not via IAP.
    4. Windows client can see a lot of network traffic beyond IAP, on the wifi uplink network. So it is strange that DHCP Offer is not being received by the Windows client via that uplink.

    I tried assigning a static IP to the Windows client's eth port connected to IAP's eth downlink with the gateway being the router (not IAP) and I have network connectivity.

    I have looked through Aruba Instant 8.x CLI Guide and through ArubaOS 8.9 User Guide. I can't see examples on how to set up ethernet downlink in a point to point wireless uplink. There are examples of how to setup ethernet downlink in IAP mesh configuration.

    I don't know why DHCP is not coming back via IAP WiFi uplink to the IAP's eth downlink. I'll do some digging on my server but I can't rule out that IAP configuration is not the problem. I don't want to stay in a situation where every device at the IAP's eth downlink switch needs a manual static IP (a Windows client is being used as a testbed).

    I am not optimistic that my desired setup with point to point wifi uplink will work with DHCP. I am attaching my really simple configuration file.

    I'd love some clues as to what I may be missing in IAP's configuration, and hopefully get my setup working!

    Attachment(s)

    txt
    backup-3.txt   3 KB 1 version
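
The three-point comparison described in the post above can be automated by matching DHCP messages on their transaction ID (xid) and reporting where on the path the OFFER stops appearing. This is an added example, not part of the original thread; the capture-point names, MAC address and payloads are constructed, and extracting the UDP 67/68 payloads from each capture is assumed to have been done beforehand.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Parse the DHCP payload of a UDP 67/68 datagram (RFC 2131 fixed header)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                                      # truncated option
        if payload[i] == 53 and payload[i + 1] == 1:   # option 53 = message type
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    return {"xid": xid, "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
            "broadcast": bool(flags & 0x8000),         # client asked for a broadcast reply
            "type": TYPES.get(msg_type, "UNKNOWN")}

def lost_offers(captures, path):
    """captures: {capture point: [DHCP payloads]}; path: points ordered server -> client.
    Returns {xid: (last point that saw the OFFER, first point that did not)}."""
    seen = defaultdict(lambda: defaultdict(set))
    for point, payloads in captures.items():
        for raw in payloads:
            try:
                msg = parse_dhcp(raw)
            except ValueError:
                continue                               # skip non-DHCP payloads
            seen[msg["xid"]][point].add(msg["type"])
    result = {}
    for xid, by_point in seen.items():
        last = None                                    # None: not even the server sent one
        for point in path:
            if "OFFER" not in by_point[point]:
                result[xid] = (last, point)
                break
            last = point
    return result

def build(op, xid, mac, msg_type, broadcast=False):
    """Construct a minimal DHCP payload (sample data for this example only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0)
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)
    return hdr + bytes(16) + chaddr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed captures mirroring the three capture points in the post above.
MAC = "02:00:00:00:00:01"
via_iap = [build(1, 0x1111, MAC, 1, broadcast=True)]              # DISCOVER only
completed = [build(1, 0x2222, MAC, 1), build(2, 0x2222, MAC, 2)]  # working case, for comparison
CAPTURES = {
    "dhcp_server": via_iap + [build(2, 0x1111, MAC, 2)] + completed,
    "iap": via_iap + completed,
    "windows_client": via_iap + completed,
}
PATH = ["dhcp_server", "iap", "windows_client"]

if __name__ == "__main__":
    for xid, (last, missing) in lost_offers(CAPTURES, PATH).items():
        print(f"xid {xid:#x}: OFFER last seen at {last}, missing at {missing}")
```
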


  • 7.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 20, 2021 09:03 AM
    I have been trying to setup the DHCP on IAP as this may be the missing piece.
    I changed the WiFi uplink to be static assigned VLAN 2 and eth profile VLAN client management to be network assigned VLAN 2. The wired client could not get an IP address from DHCP server.
    I tried setting the eth downlink client IP assignment to be VC managed. Doing this gives me a 172.31.x.x address. That's no help. When I set up the DHCP server on IAP with network portion that does not overlap the main network (class C being split into 2 with /25 on main DHCP server and VC IAP) but helper address being the router the client gets an IP but the default gateway is not the router: that's of no use to me.
    I tried setting up centralized DHCP scope using https://community.arubanetworks.com/blogs/anandkumar-sukumar1/2020/10/20/how-does-centralized-l3-dhcp-relay-agent-functionality-works-on-iap-40 with VLAN 2 but it does not work.

    Looking at Aruba Instant 8.x CLI Guide I think I need to look at either: distributed L2 or local L2 or local L3 or centralized L3. I can't get any of those to work.

    Is there a guide on how to set up the VC DHCP server on IAP to advertise a default route that is not itself but the main router?
    Or is there a good guide on how to set IAP to be a DHCP relay?


  • 8.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 21, 2021 03:49 AM

    I think you need to look at the "local" modes when it comes to setting up your own dhcp-server on the IAP.

    https://www.arubanetworks.com/techdocs/Instant_86_WebHelp/Content/instant-ug/dhcp-conf/local-dhcp-sco.htm?Highlight=dhcp%20server
    using "Local" - the clients connected to that subnet will be (source)natted to the IAP-IPaddress, the AP will get when getting connected via the wifi-uplink.(-> NAT forwarding mode). 

    using "local,L2" is dependent on the functionality/limitations of the network you want to connect to - will it allow multiple MAC@ from a single connected client (as your IAP is a client in your setup). If multiple MAC@ do work, you do need to know the def-gw address (can be seen on the IAP when it is connected) and avoid "duplicate IP addresses". This is the setup where the default-gw is not the IAP itself.

    using "local,L3" might be also an option, if you do make sure the IAP will always get the same Address when connecting to the WIFI-uplink, as you need to add a static route to that IP-address for this separate subnet used for clients connecting to the IAP.

    hope this helps

    Groetjes

    Jochem



    ------------------------------
    Jochem Knoben
    ------------------------------



  • 9.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 21, 2021 03:55 AM
    Is your uplink wifi access point filtering broadcast traffic?

    ------------------------------
    Scott Doorey
    ------------------------------



  • 10.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 22, 2021 02:55 PM
    All filtering is turned off.

    So far I have:
    * Set the eth client ip assignment to be network assigned and VLAN 1 then I can set a static IP on the Windows client and have full network and internet connectivity. In this situation I can not have IAP local DHCP scope on VLAN 1 as it's also the mgmt network.
    * Set the IAP local DHCP scope local L2 to VLAN 2. Local scope has the full subnet of the network, network default gateway and DNS server. Set eth client ip assignment to be VC managed with client VLAN assignment being custom to the IAP local DHCP scope. Windows client obtains IP from IAP, the IP is not seen on DHCP server. Windows client does not have connectivity. Change Windows client ip assignment to be network managed VLAN 1 and Windows client has connectivity. Clients on the main AP can not reach the Windows client behind IAP. I think the problem is that Windows client does not receive an ARP response when client vlan assignment is custom to VLAN 2.

    So I can get something that assigns IP addresses but gives no network connectivity OR network connectivity via mgmt VLAN with no IP address assignment. In both situations devices behind IAP can not be seen by the rest of the network. I don't have any VLAN configuration setup on the rest of the network. Am I doing something wrong with the configuration on IAP? Do I need to setup VLANs on the rest of the network?


  • 11.  RE: WiFi to Ethernet bridge with IAP315

    EMPLOYEE
    Posted Oct 22, 2021 07:02 PM
    I have a setup where my AP-303H (Instant 8.8.0.2) that uses WiFi uplink to an existing AP-505H and then this AP-505H on its wired side connects to the Internet router.  The Internet router is providing the DHCP service.

    The wired and wireless clients that connect to the AP-303H are using "virtual controller managed" IP addresses for their respective wired and wireless network. This means that AP-303H is using its magic VLAN and assigning the clients IP address and then source NATs it with its own uplink IP address.

    This works fine for me.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 12.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 22, 2021 08:45 PM
    Ariya, are they in a mesh or uplink configuration? Are clients that connect to AP-505H able to connect to wired clients connected to AP-303H? Would you mind sharing your config (omitting sensitive parts)?


  • 13.  RE: WiFi to Ethernet bridge with IAP315

    EMPLOYEE
    Posted Oct 22, 2021 09:17 PM
    the AP303H is using Wifi uplink not mesh

    Wifi client ~~~Test SSID~~~AP-303H ~~~~WiFi uplink~~~~AP-505H------wired------Internet router with DHCP-----Internet





    with this config on the AP-303H the client gets an IP address from AP-303H (172.31.x.x) and has full internet connectivity


    hope this helps.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 14.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 23, 2021 03:38 AM
    Thanks.

    My router IP is 192.168.1.1
    DNS server IP is 192.168.1.3
    IAP uplink is being assigned 192.168.1.4 by DHCP server.

    Using your network VLAN settings and the following in IAP's DHCP server
    [screenshot: DHCP server settings]
    it takes a while but eventually the clients are able to get connectivity to the router, DNS server and websites. At times connectivity does drop out. It seems that connectivity to the 192.168.1.0/25 network has issues and thus connectivity to DNS server disappears at times. I also can't access a number of other devices on the 192.168.1.0/25 . I added 192.168.1.128/25 static via 192.168.1.4 on my router.

    I tried changing DHCP settings to 192.168.2.0/25 with DNS being 192.168.1.3 . Changed the static route in my router to be 192.168.2.0/25 via 192.168.1.4 . Overall this seems to be a little better but I am struggling to get connectivity between devices connected to the main AP and devices connected to IAP. From IAP connected device I can access some devices on main AP but not all. Any way to fix that? Or is this my router issue?



  • 15.  RE: WiFi to Ethernet bridge with IAP315

    EMPLOYEE
    Posted Oct 23, 2021 06:35 AM
    I have changed setup to use Internet router's (IR) DHCP service (10.10.10.0/24),
    so in this case, the AP303H which is using Wifi-sta will get IP address from IR
    and the wired/wireless clients that connect to AP303H will also get IP address from IR and everything works fine.
    The VLAN section should be set to "Network Assigned" instead of previously "Virtual controller managed".



    this should be the simplest way.
    when i get some time I'll test the Local dhcp option as well.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 16.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 23, 2021 09:06 AM
    My DHCP server is on the router. There is only 1 router in the network and it's between the firewall and the main AP, which is in bridge mode and serving wireless clients at the moment. That main AP does not have WiFi to Eth bridge capability. There is another travel AP that I am using as a comparison, and that works fine as a client to bridge wired devices onto the main AP's WiFi. So, I am thinking the issue is with the Aruba IAP config.

    Aruba IAP uplink is up and has an IP address. IAP configuration for the uplink:
    [screenshots: IAP config, IAP config 2, System WiFi config]
    plus the WiFi section is filled in and set for 5GHz.

    I set up the IAP's WiFi network as you have in your screenshot, but the wired network profile has different options so I am not sure what to do with it (no default when 'Network assigned' is chosen):
    [screenshot: Eth VLAN config]


    For IAP's WiFi network when I connect a client I do not get an IP address from my main DHCP server. I get 169 address. When that happens I can use wireshark to monitor some traffic on the network. When I set a static IP on the client that got 169 address I get network and internet connectivity. So the link is up but DHCP is not working.

    I am testing all of this within 2m of the main AP and clear sight so there should be no issue with the range. I checked and there is no channel interference. This is a L2 or L3 issue.

    It's interesting that the setup shown in your screenshot works there but not here. I wonder what's different.


  • 17.  RE: WiFi to Ethernet bridge with IAP315
    Best Answer

    EMPLOYEE
    Posted Oct 23, 2021 07:17 PM
    I don't think this has anything to do with channel interference.
    When you configure IAP with WiFi-sta, (using WiFi uplink) you have 2x main options for wired/wireless networks.
    - external dhcp server to provide dhcp service - "Network Assigned", Client traffic will not be NATed
    - IAP to provide dhcp service using its magic VLAN (by default 172.31.98.x./23) - "virtual controller managed", Client traffic will be NATed

    Now to configure wired network on IAPs, "configuration->Network->+



    Then in security tab, choose port type = "untrusted" and  in access tab, choose access rule = "unrestricted" (for time being)
    finally assign it to 0/0 for your IAP-315


    once you save it then you are ready to go.
    So in my lab i have configured my wired and WLAN network for "network assigned".
    both my wired and wireless clients get their IP addresses from the Internet Router with full connectivity between them




    If these two methods don't work for you, most probably your IR is not responding to DHCP requests from the clients that are coming from IAP.
    In that case you need to do a packet cap for DHCP.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 18.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 24, 2021 02:07 AM
    Thank you.

    I'll look at my DHCP server again, and do some packet capture. I am wondering if there is an issue with new DHCP discover packets being ignored by the DHCP server as they are coming from the IAP (for the clients) when the DHCP server considers that there is already an assigned address for the IAP.


  • 19.  RE: WiFi to Ethernet bridge with IAP315

    Posted Oct 24, 2021 06:54 PM
    Thank you Ariya, Scott, and Jochem for your help.

    I changed my DHCP server and everything works. The DHCP server I was using was the router's built-in server. It is fairly limited in configuration. I turned off the router's built-in DHCP server and set up ISC DHCP.

    I appreciate the assistance, making sure that my IAP configuration was correct.

    The quick summary of the configuration process I had followed to get to a working IAP configuration in the end (from factory reset):
    1. Convert the IAP to single AP but I am not sure if this is necessary or if default VC mode is sufficient
    2. Networks -> Create wireless network with Network assigned client IP and default VLAN assignment (other options as required)
    3. Networks -> Create wired network with Admin status Up, Access mode, Untrusted mode, Network assigned client IP, Native VLAN 1, assign network profile to 0/0 (other options as required)
    4. System -> Show advanced -> General: Extended SSID off . Uplink: enforce WiFi uplink, pre-emption off, WiFi-sta top priority in the list, WiFi SSID and other details of the network that will be the connecting to for the uplink (other options as required)
    5. Access points -> Edit access point -> General: Preferred conductor, get IP from DHCP server . Uplink: management VLAN 1, Eth0 and Eth1 downlink (other options as required)

    Above is simple and works to establish connectivity. All other configuration including NTP server, inbound firewall, IDS, port security, RF, etc is as required in addition to above.