Wireless Access

Occasional Contributor II

Is it possible to apply firewall rules in AP bridge mode



I have a simple question. If I would like to use my APs in bridge mode, is it possible to apply firewall, application a webcc rules for the user traffic?


The reason why I would like to use bridge mode is I have many sites with 1 AP each on them, and would like to sent the traffic directly out to the internet, not through the controller.



MVP Guru

Re: Is it possible to apply firewall rules in AP bridge mode

Webcc is not supported in bridge forwarding mode

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI

Re: Is it possible to apply firewall rules in AP bridge mode

despite the fact that advanced datapath/inspection based features are not available (e.g. webcc, airgroup etc., see "Behavior and Defaults" in the ArubaOS User Guide), you can still use firewall roles and things like src-nat.


a typical location may look like


   [ internet ] --- +[ RG ] ---- [ local lan ] ---- [ AP ]


where RG is some sort of residential gateway, cable modem or dsl modem etc, which provides src-nat functionality to the internet (denoted by +) and DHCP to the local lan.


In this model, the AP will get an IP from the RG and in bridge mode the clients will also get their IP from the RG and be subject to a role and its firewall rules.


If you want to allow local-lan based services to be able to initiate connectivity back into clients on the AP, you need to open up the ACL known as "ap-uplink-acl" which you can see applied on the AP system profile (of the ap-group)


You have the option to also src-nat at the AP interface to the local-lan, likely however in the case of a single AP per site that is not needed.




Search Airheads
Showing results for 
Search instead for 
Did you mean: