Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP Guest Traffic wrongly natted?

  • 1.  IAP Guest Traffic wrongly natted?

    Posted Jun 05, 2019 07:57 AM

    We have a customer running 8.3.0.3 IAPs managed by Aruba Central. After the customer redesigned his central firewall rules (Sophos gear), we had issues with guests reaching the DNS server and accessing the external captive portal. It turned out that the traffic for the guest SSID doesn't get natted as configured.

     

    For the guest SSID I configured 'Virtual Controller assigned' and 'Default' in the 'VLAN' settings of the SSID.

     

    As far as I know, this is required for natting the guest traffic and using the virtual controller IP as source IP address. But contrary to what we expected, we noticed DNS, HTTP and HTTPS traffic from the IAPs' IPs themselves (source IP = IAP IP), where guest clients were connected to those IAPs.

     

    If we configure the Sophos firewall with a rule allowing all IAPs DNS, HTTP and HTTPS to external, everything works correctly. If we limit it to the Virtual Controller IP only (which is how I would expect it to work), guest clients stop getting answers to their requests, since the natted requests (source IP = IAP IP address) are not allowed.

     

    So what the heck went wrong here?