Controllerless Networks

Is there a way to source nat the traffic on the Instant devices.

Use case -

I would like to hide the guest traffic behind the IAP address and force all traffic to a proxy server. The access rules allow you to dest nat the traffic however a wireshark trace of the traffic shows that the source address is from the client.

Any way to source all the traffic from a single address? I am using the latest firmware.

Matt

You'll need to make the vlan 'virtual controller assigned' and then it will be natted behind the IAP address.

This can only be done by making choosing the option to make the IP network assigned - would this mean running a dhcp server on the network for the guest clients?

'Virtual controller assigned' is what you need.  This will then use the internal dhcp on the virtual controller and then nat behind

Network assigned and default means the clients get an ip from the same subnet as the IAP.

Network assigned and static means the clients end up on that vlan and there needs to be a dhcp somewhere obviously.

Not used the dynamic before, so not exactly sure what that does.

Hope that helps.

:-)

This was the original configuration, however it was not working. Any ideas?

My colleague actually has seen this.

It seemed to happen if  the access rule contained the 'any any allow except to network' statement.  Seemingly broke the NATing.

Try to change the rule to be 'any internal_net deny' and then a 'any any permit' after.

But maybe that issue is fixed in later releases anyway.

As these will be deployed at various site with different internal network ranges, I would like to keep the configuration simple and just use the AP IP address as the source of the traffic. Is there a way of doing this?

Matt

The src-dst works until i add in the dst-nat at which point the src-nat stops working. Does anybody know of a workaround for this issue?

Interesting.  That sounds like a bug.  Make sure you raise it with TAC.

What version are you using?

We are using version "ArubaInstant_Orion_6.2.1.0-3.3.0.1_38408".

Here is the output from the config -

 rule any any match icmp any any permit
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule any any match tcp 80 80 dst-nat ip 17.18.19.20

As soon as the last rule is introduced the source NAT stops being performed and the traffic appears on the wired side sourced from the Client IP address.

Aruba TAC have confirmed that this feature is not available and that a feature request should be raised.

Hi Matt,

Instead of DST-NAT to your proxy server it might be worth trying to set the default gateway on your instants to the IP address of your proxy server.

Obviously this would only work in certain network environments though.

Cheers

James

Thanks for that but I'm not sure this will work - we only want the guest traffic to go to the web proxy. I dont't think that sending the default traffic from the IAP would work.

Hi Matt,

Other clients associated to your instants will likely get their IP address details from your DHCP server therefore they'll have a different default gateway anyway.

I've used this setup at a school before and it does work but like I mentioned, it'll depend on your network.

Cheers

James

James,

    Yes I see things would be OK for corporate clients but how would management traffic be affected if the AP DG was the web proxy?

Matt

HI Matt,

That's why I added the caveat about it depending on your network design. 

Cheers

James