Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Internet and network access only works from the current Master IAP, but why?

  • 1.  Internet and network access only works from the current Master IAP, but why?

    Posted Apr 21, 2016 07:30 AM

    We are trying to set up an Instant, VC-based wireless network, but we are having some trouble. The SSIDs are configured with the correct subnets and DHCP pool. (Local DHCP scopes with type Local, which I think we need for this; the VC should be the DHCP server and the gateway too.)
    So we use NAT, and the situation is that internet and network access only works from the current Master IAP, and only from the master. I tried to set my IP address manually when I connected to another IAP, but I cannot ping my gateway.
    If I connect to the IAP that is currently the master, everything works perfectly.

    What could be the problem?



  • 2.  RE: Internet and network access only works from the current Master IAP, but why?

    Posted Apr 21, 2016 07:46 AM

    Solved: I thought the DHCP requests went to the VC through a tunnel, but they don't; we need to create the VLANs between the IAPs.



  • 3.  RE: Internet and network access only works from the current Master IAP, but why?

    EMPLOYEE
    Posted Apr 21, 2016 08:07 AM

    If you create an SSID that has Client IP Assignment of "Network Assigned", the DHCP server MUST be external to the IAP network and that VLAN MUST be trunked to all of the IAPs.

     

    If you create an SSID that has Client IP Assignment of "Virtual Controller Assigned", DHCP is done by the VC through an "internal" VLAN. All of the user traffic for that SSID is tunneled to the VC and NATed from it. DHCP MUST be provided by the VC in that situation, and the VLAN is NOT trunked to any IAPs.



  • 4.  RE: Internet and network access only works from the current Master IAP, but why?

    Posted Apr 29, 2016 07:24 AM

    We configured the second option, so the VC is the DHCP server for the internal (Wi-Fi) users. But until we created the VLANs on the switch that are assigned to the SSIDs (VLAN 2 and 3), the connection didn't work on the APs; it only worked from the current Master IAP.

    We tried to set the IP settings manually, but that didn't work either; there was no connection to the default gateway.

    It works now, but VLAN 2 and 3 need to be created on the switch and set as tagged on the switchport where the AP is connected (native VLAN: 1, and the external DHCP server is in VLAN 1, which assigns IP addresses to the APs after boot-up).

     

    Our config:

    version 6.4.4.0-4.2.3
    syslocation "xxxxxxxxxxxxxxxxxxxxxxxx"
    virtual-controller-country HU
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name xxxxxx
    virtual-controller-ip 172.16.0.100
    terminal-access
    rf-band all

    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx
    allowed-ap xx:xx:xx:xx:xx:xx

    arm
     wide-bands 5ghz
     80mhz-support
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode default-access
     client-aware
     scanning

    ip dhcp pool
     lease-time 59

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    extended-ssid

    mgmt-user admin xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan access-rule AAAAA
     index 0
     rule 172.22.0.0 255.255.254.0 match any any any deny
     rule any any match any any any permit

    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 2
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan access-rule BBBBB
     index 3
     rule 172.22.0.1 255.255.255.255 match tcp 4343 4343 deny
     rule 172.22.20.0 255.255.254.0 match any any any deny
     rule any any match any any any permit

    wlan ssid-profile AAAAA
     enable
     index 0
     type employee
     essid AAAAA
     wpa-passphrase uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan 2
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     deny-inter-user-bridging
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     dot11r
     dot11k
     dot11v

    wlan ssid-profile BBBBB
     enable
     index 1
     type employee
     essid BBBBB
     wpa-passphrase zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan 3
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     deny-inter-user-bridging
     enforce-dhcp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     dot11r
     dot11k
     dot11v

    auth-survivability cache-time-out 24

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"
     auto-whitelist-disable
     https

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
     wireless-containment none

    ip dhcp bbbb_scope
     server-type Local
     server-vlan 3
     subnet 172.22.0.0
     subnet-mask 255.255.254.0
     lease-time 3540
     dns-server 8.8.8.8

    ip dhcp aaaaa_scope
     server-type Local
     server-vlan 2
     subnet 172.22.20.0
     subnet-mask 255.255.254.0
     lease-time 3540
     dns-server 8.8.8.8

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x

    enet0-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180

    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint
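
A check for the condition reported in post 4 (an SSID VLAN backed by a Local DHCP scope but not tagged on the AP switchports), as an added example that is not part of the thread or of Aruba's tooling. The function names, the `tagged_vlans` input, and the trimmed sample (constructed from the config posted above) are assumptions.

```python
import ipaddress

# Constructed sample: only the SSID and DHCP stanzas from the posted config.
SAMPLE = """\
wlan ssid-profile AAAAA
 vlan 2
wlan ssid-profile BBBBB
 vlan 3
ip dhcp bbbb_scope
 server-type Local
 server-vlan 3
 subnet 172.22.0.0
 subnet-mask 255.255.254.0
ip dhcp aaaaa_scope
 server-type Local
 server-vlan 2
 subnet 172.22.20.0
 subnet-mask 255.255.254.0
"""

def parse_stanzas(text):
    """Map each unindented header line to a dict of its indented settings."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = stanzas.setdefault(line.strip(), {})
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return stanzas

def untagged_ssid_vlans(text, tagged_vlans):
    """Return {ssid: (vlan, subnet)} for SSIDs whose VLAN has a Local DHCP
    scope but is missing from the VLANs tagged on the AP switchport."""
    stanzas = parse_stanzas(text)
    scopes = {}
    for header, body in stanzas.items():
        if header.startswith("ip dhcp ") and body.get("server-type") == "Local":
            net = ipaddress.ip_network(f"{body['subnet']}/{body['subnet-mask']}")
            scopes[int(body["server-vlan"])] = net
    report = {}
    for header, body in stanzas.items():
        if header.startswith("wlan ssid-profile ") and "vlan" in body:
            vlan = int(body["vlan"])
            if vlan in scopes and vlan not in tagged_vlans:
                report[header.split()[-1]] = (vlan, str(scopes[vlan]))
    return report
```

Calling `untagged_ssid_vlans(SAMPLE, set())` reproduces the state before the switch change, with both SSIDs flagged; passing `{2, 3}` returns an empty report.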