Wireless Access

Occasional Contributor I

Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

Hi,

I really need help, as all my guest and employee Wi-Fi client IPs turn into the AP IP when they hit the firewall. I have a few ACLs and firewall rule policies that get bypassed, as everyone from Wi-Fi routed in by the AP shows up with the AP IP.

 

Below is my network setup:

Aruba AP303 - has 2 VLANs. VLAN 77 (tagged, port 8) is for guest Wi-Fi users. VLAN 188 (untagged, port 8). VLAN 188 is the primary VLAN, and the IP of the AP is 192.168.188.251.

The Aruba 2930F switch sits between the AP and the firewall. I have set port 8 to allow both VLANs to access the same port, and I have assigned IPs 192.168.188.254 and 192.168.77.254 as their port IPs in the VLANs.

The firewall is set to monitor and block IP 199.199.199.199 (example). When a client accesses 199.199.199.199 via either the guest or the employee Wi-Fi, my firewall shows the source IP as 192.168.188.251, no matter whether the Wi-Fi client gets an IP from VLAN 77 or 188. If I connect with a LAN cable with the gateway set to the firewall IP, the actual source IP is recorded, but if I change the NIC gateway to the Aruba switch IP (either VLAN 77 or 188, ending with 254), my IP is again recorded in the firewall as my AP IP.

 

Do you have any clue?

 

MVP Guru

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

Is the User Role assigned to the Guest users configured to src-nat all traffic behind the IAP?


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
New Contributor

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

ss

Occasional Contributor I

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

Hi Craig,

Thanks for lending a hand here. May I know what command I should type to make only the guest users go without NAT?

I just did a further test, and it seems only the guest Wi-Fi with VLAN 77 is recording the IAP IP in the firewall; the one using the primary VLAN 188 looks good.

I have tried to set a static route with the VLAN 77 subnet to 192.168.77.254 (switch VLAN IP), but nothing improved.. :(

MVP Guru

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

If you edit the SSID, you will need to check two places.

- Check if under Client IP Assignment, it is set to Virtual Controller managed. If Virtual Controller assigned is selected for client IP assignment, the virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The NAT for all client traffic that goes out of this interface is carried out at the source. If set to Network assigned, then the traffic will not be NAT.

- Check Access Rules section of the SSID and confirm if any ACLs are set to src-nat behind AP address. If so, edit and remove the src-nat.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
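A check for the symptom discussed in this thread, as an added example that is not part of any post: it reads firewall log lines and reports which VLAN subnets never appear as a source while the AP address does. The log format, the /24 masks and the sample lines are assumptions constructed for illustration; the AP address and VLAN numbers come from the thread.

```python
import ipaddress
from collections import Counter

# AP management IP and VLAN numbers are from the thread;
# the /24 masks are an assumption (the thread only gives host addresses).
AP_IPS = {ipaddress.ip_address("192.168.188.251")}
VLANS = {
    "guest-vlan77": ipaddress.ip_network("192.168.77.0/24"),
    "employee-vlan188": ipaddress.ip_network("192.168.188.0/24"),
}

# Constructed sample firewall log (hypothetical "src=<ip> dst=<ip>" format).
SAMPLE_LOG = """\
src=192.168.188.251 dst=199.199.199.199
src=192.168.188.251 dst=199.199.199.199
src=192.168.188.251 dst=199.199.199.199
src=192.168.188.31 dst=199.199.199.199
"""

def parse_sources(log_text):
    """Yield the source address of every line that carries a src= field."""
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "src" in fields:
            try:
                yield ipaddress.ip_address(fields["src"])
            except ValueError:
                continue  # skip malformed addresses

def audit(log_text):
    """Count hits from AP addresses and per VLAN; list VLANs never seen."""
    ap_hits, per_vlan = Counter(), Counter()
    for src in parse_sources(log_text):
        if src in AP_IPS:
            ap_hits[str(src)] += 1  # may be client traffic hidden by src-nat
            continue
        for name, net in VLANS.items():
            if src in net:
                per_vlan[name] += 1
    masked = sorted(name for name in VLANS if per_vlan[name] == 0)
    return {"ap_hits": dict(ap_hits), "per_vlan": dict(per_vlan),
            "masked_vlans": masked}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run it again on logs collected after changing the SSID settings: a VLAN that still appears under `masked_vlans` while `ap_hits` keeps growing is still being NATed behind the AP.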
Occasional Contributor I

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

Hi Craig,

You got the right spot, but it seems I might need to remove the local DHCP in the AP as well, or else I can't change to "network manage".

I tried removing the DHCP from the settings, and then I could change my connection to "network managed", but it seems I need to set the DHCP at the AP level, or else users won't get a dynamic IP from my firewall, which is 2 layers back from the AP (AP ==> Aruba 2930f ==> firewall).

MVP Guru

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

To make life easier/simple, why don't you move the DHCP service to either the 2930F or the firewall and just have the IAP acting as a L2 device and tagging the Guest VLAN?


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor I

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

I did move the DHCP server to the firewall now, but the IAP could not get any IP from the firewall end.

Is there anything I need to configure?

MVP Guru

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

The firewall will need to see the DHCP Discover from the Client, so either the firewall needs an L3 interface in the Guest VLAN or the 2930F needs an interface in the Guest VLAN with an ip-helper to send it to the firewall.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor I

Re: Aruba AP-303 - wifi user ip recorded in firewall turn out all source ip = aruba AP IP

I tried hard again to set the ip helper and/or ip boot-gateway to my firewall IP that has DHCP, but I still could not get an IP...

Is there any setting I need to put in the IAP to make it aware of the DHCP?
