10-16-2017 11:29 AM - edited 10-16-2017 11:30 AM
I have a simple question. If I would like to use my APs in bridge mode, is it possible to apply firewall, application and webcc rules to the user traffic?
The reason why I would like to use bridge mode is that I have many sites with 1 AP each on them, and would like to send the traffic directly out to the internet, not through the controller.
Re: Is it possible to apply firewall rules in AP bridge mode
10-16-2017 06:17 PM
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
10-17-2017 01:15 AM
Despite the fact that advanced datapath/inspection-based features are not available (e.g. webcc, airgroup, etc.; see "Behavior and Defaults" in the ArubaOS User Guide), you can still use firewall roles and things like src-nat.
A typical location may look like:
[ internet ] --- +[ RG ] ---- [ local lan ] ---- [ AP ]
where RG is some sort of residential gateway, cable modem, DSL modem, etc., which provides src-nat functionality to the internet (denoted by +) and DHCP to the local LAN.
In this model, the AP will get an IP from the RG and in bridge mode the clients will also get their IP from the RG and be subject to a role and its firewall rules.
If you want to allow local-LAN-based services to be able to initiate connectivity back into clients on the AP, you need to open up the ACL known as "ap-uplink-acl", which you can see applied on the AP system profile (of the ap-group).
You also have the option to src-nat at the AP interface to the local LAN; however, in the case of a single AP per site that is likely not needed.
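An added configuration example illustrating the setup described in the answer above; it is not part of the original post or of any Aruba documentation. It uses ArubaOS 6.x-style CLI syntax as I remember it, and the profile names (`site-bridge-acl`, `site-bridge`, `site-aaa`, `site-ssid`, `site-vap`, `remote-sites`), the SSID, the passphrase and the 192.168.1.0/24 LAN with a printer at 192.168.1.20 are all made-up placeholders. The predefined `ap-uplink-acl` and the `session-acl` parameter of the AP system profile are referenced as I understand them; verify the exact parameter name against the User Guide for your release before applying.

```text
! --- Role-based firewall for bridge-mode clients (runs on the AP) ---
! Session ACL: clients get DHCP/DNS, may reach the internet, but are
! blocked from the site LAN except the printer. "user" = the wireless
! client; rules are evaluated top-down, first match wins.
ip access-list session site-bridge-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user host 192.168.1.20 any permit
  user network 192.168.1.0 255.255.255.0 any deny
  user any any permit
!
user-role site-bridge
  access-list session site-bridge-acl
!
! Clients land in this role as soon as they associate (no 802.1X here).
aaa profile site-aaa
  initial-role site-bridge
!
wlan ssid-profile site-ssid
  essid "Site-WiFi"
  opmode wpa2-psk-aes
  wpa-passphrase "changeme-placeholder"
!
! forward-mode bridge: client traffic is switched locally by the AP into
! the LAN served by the residential gateway, never tunnelled to the
! controller, so controller-side inspection features (webcc etc.) do not apply.
wlan virtual-ap site-vap
  ssid-profile site-ssid
  aaa-profile site-aaa
  forward-mode bridge
  vlan 1
!
! --- Optional: let a LAN host initiate connections to wireless clients ---
! The AP's uplink ACL drops unsolicited inbound traffic by default; add a
! rule for the specific LAN host (assumed syntax, check your release).
ip access-list session ap-uplink-acl
  host 192.168.1.20 user any permit
!
! The uplink ACL is bound through the AP system profile of the ap-group
! (parameter name "session-acl" is from memory; confirm before use).
ap system-profile remote-sites-sys
  session-acl ap-uplink-acl
!
ap-group remote-sites
  ap-system-profile remote-sites-sys
  virtual-ap site-vap
```

The deny rule for the LAN subnet sits before the final `user any any permit`, so the ordering is what enforces the isolation; if you later add `src-nat` on the AP side as the answer mentions, it goes on the permit rule for internet-bound traffic, not on the deny. With one AP per site and the residential gateway already NATing to the internet, the plain permit is sufficient.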