Wireless Access

Hi 

I really need a help as all my guest and employee wifi client ip had turn out become AP IP while it hit the Firewall. I have few ACL and firewall rules policies get bypass as everyone from WIFI route in by AP are all AP IP.

Below is my network setup:

Aruba AP303 - have 2 VLAN. VLAN 77 (tagged port 8) is for guest wifi users. VLAN 188 (untagged port 8). VLAN 188 is a primary VLAN, and IP of AP is 192.168.188.251

Aruba 2930f switch is sit in between of AP and Firewall, I have set the port 8 to allow both VLAN accessing the same port, i have assigned ip 192.168.188.254 and 192.168.77.254 as their port IP in VLAN.

Firewall have set a monitor and block ip 199.199.199.199 (example), when client access the 199.199.199.199 via the either guest or employee wifi, my firewall show the source ip is from 192.168.188.251 no matter the wifi getting a ip from vlan 77 or 188. if i connect with LAN cable with gateway set as firewall ip, i got the actual source ip recorded, but i i change the NIC gateway to Aruba switch ip (either vlan 77 or 188 ended with 254), i will again get my ip recorded in firewall with my AP IP.

Do you have any clue?

Is the User Role assigned to the Guest users configured to src-nat all traffic behind the IAP?

Hi Craig,

thanks for sharing hands here, may i know what command i should type to only make guest user without nat?

I just done further test and it seem only Guest wifi with vlan 77 is recording the IAP ip in the firewall, the one using primary vlan 188 look good.

I have tried to set a static route wih vlan 77 subnet into 192.168.77.254 (switch vlan ip), but nothing can be improve..:(

If you edit the SSID, you will need to check two places.

- Check if under Client IP Assignment, it is set to Virtual Controller
managed. If Virtual Controller assigned is selected for client IP assignment, the virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The NAT for all client traffic that goes out of this interface is carried out at the source. If set to Network assigned, then the traffic will not be NAT.

- Check Access Rules section of the SSID and confirm if any ACLs are set to src-nat behind AP address. If so, edit and remove the src-nat.

Hi Craig

You got the right spot, but i might seem need to remove the local dhcp in the AP as well else i can't change into "network manage".

I tried remove the dhcp from the setting then i can change my connection to "network managed", but I seem need to set the dhcp in the AP level or else user won't get the dynamic ip from my firewall which is 2 layer back from AP (AP==>Aruba 2930f ==> firewall)

To make life easier/simple, why don't you move the DHCP service to either the 2930F or the firewall and just have the IAP acting as a L2 device and tagging the Guest VLAN?

I did move the dhcp server into firewall now, but the IAP could not get any IP from firewall end.

Anything i need to configure?

The firewall will need to see the DHCP Discover from the Client, so either the firewall needs an L3 interface in the Guest VLAN or the 2930F needs an interface in the Guest VLAN with an ip-helper to send it to the firewall.

i tried hard again to set the ip helper and/or ip boot-gateway into my firewall ip that having dhcp, but i still could not get ip...

is there any setting i need to put in the IAP to make it aware the dhcp ?

In most cases no, the IAP is tagging the client VLAN. Along as the devices can honor the tag and there is a services offer DHCP in the VLAN then you are all set. As a test can you create the DHCP on the 2390F?

i can't do much in 2930f for some reason, but i have set the dhcp in firewall with a new interface, i plug my laptop in to the firewall interface and i can get a new ip, but if i plug in the port in the 2930f, i don't get any ip. i have try set the ip helper-address, but not help.

it seem the issue is the 2930f not helping the fw to broadcast the dhcp service.... the primary vlan 188 is having the ip from the fw too, just vlan 77 have tagged compare with vlan188, could it be a culprit?

VLAN77 needs to be tagged on the 2930F.

finally fix all i need, the last culprit is the fw interface is not tagged, so i tagged on it and now i could get the dhcp broadcasted in vlan 77 now.

thanks Craig!!!

You're welcome :)

ss