@bg wrote:
Hi cjoseph,
as always - thanks for your godspeed replies ;-) , I'm still confused about how the DHCP stuff is done:
On the branch the DSL router does DHCP and is used as DNS forwarder, or local clients use external DNS - never mind.
The RAP2 gets one DHCP address, connects to HQ_controller, receives a VirtualIP from the RAP range and enables the WiFi.
I have in mind that 2 SSIDs (one with tunnel, one with split-tunnel) isn't working. Is this correct? E.g. if you want to use the other SSID to control the voucher accounts, otherwise the customer should use wired access to reach the controller via some separate corporate VLAN.
Regardless of 2 SSIDs, for the moment I would like to solve it with one VAP in split-tunnel mode. Regarding DHCP, my WiFi clients need a DHCP address too, and if they want to access internet resources via the local router then those clients need addresses from the same local subnet as the router. I don't think it's possible to use only the local router's DHCP for the WiFi clients themselves.
The VBN guest network has to be identified on the controller too, e.g. some separate VLAN as mentioned in the KB article mentioned a few postings before.
Am I right? Sorry, I'm just asking confusing questions ;-)
regards
Each VAP is individual. Let's talk about split-tunnel captive portal in specific:
- Your VAP needs to be set to split-tunnel
- Your VAP needs to be set to a VLAN that is at corporate so that your guest clients can get IP addresses. The corporate DHCP server will give out the IP address, subnet mask, default gateway and DNS IP.
- That VLAN, at corporate, will give an IP address to your guests
- The initial role of the AAA profile attached to that VAP has the "Captive Portal" ACL so that clients can be initially redirected to the Captive Portal on the controller for authentication, or whatever
- In the Captive Portal Authentication profile for this WLAN, the default guest role will have something like this:
any any dhcp permit
any any any route src-nat
That means, once the guest authenticates, all of his traffic will be source-NATed out of the IP address of the AP that the guest is on. DNS, HTTP, HTTPS, etc. will all be source-NATed out of that AP.
What I just described is independent of the other VAPs on that AP. You could have a fully tunneled VAP on the same AP.
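For readers who want to see the steps above as one piece of configuration, here is an ArubaOS-style CLI fragment. It is an added example and not cjoseph's or Aruba's own config: the profile and role names (`guest-split-tunnel`, `guest-split`, `guest-cp`, `guest-aaa`, `guest-vap`, `guest-logon`) are hypothetical, `vlan 200` is a placeholder for the corporate guest VLAN, and the exact keyword syntax should be checked against the ArubaOS version in use. The predefined `logon-control` and `captiveportal` session ACLs referenced in the initial role are the controller's built-in ones.

```text
! Added example, not from the thread. ArubaOS-style CLI for a split-tunnel
! captive-portal VAP. All names are hypothetical; VLAN 200 is a placeholder.

! Session ACL for the post-authentication guest role. Rule order matters:
! DHCP is permitted first so the client's lease still comes from the corporate
! DHCP server over the tunnel; everything else matches the second rule and
! is routed out of the AP's local address at the branch.
ip access-list session guest-split-tunnel
  any any svc-dhcp permit
  any any any route src-nat

user-role guest-split
  access-list session guest-split-tunnel

! Initial (pre-login) role: only DHCP/DNS and the captive-portal redirect
! are allowed, using the controller's predefined ACLs.
user-role guest-logon
  captive-portal guest-cp
  access-list session logon-control
  access-list session captiveportal

! Captive portal profile: after a successful login the client lands in guest-split.
aaa authentication captive-portal guest-cp
  default-role guest-split

! AAA profile tying the initial role to the WLAN.
aaa profile guest-aaa
  initial-role guest-logon

! Virtual AP: split-tunnel forwarding; the guest VLAN exists at corporate,
! so the client's IP is handed out by the corporate DHCP server.
wlan virtual-ap guest-vap
  aaa-profile guest-aaa
  vlan 200
  forward-mode split-tunnel
```

Two practical consequences follow from the `route src-nat` rule. First, the branch router and any upstream logging at the branch will see guest traffic coming from the AP's local IP rather than from individual guests, so per-user attribution has to come from the controller's user and authentication logs. Second, the two ACL lines are first-match: swapping their order would send the client's DHCP traffic out of the AP as well, and the client would never obtain a lease from the corporate VLAN.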