Controllerless Networks


RAP Split-tunnel - Vlan User traffic

  • 1.  RAP Split-tunnel - Vlan User traffic

    Posted Jun 14, 2022 06:01 AM
    Hi,

    I have an AP in RAP (split-tunnel mode) and I have a WLAN Guest with a captive portal local to the controller.
    The controller acts as the DHCP server.

    Non-corporate customer traffic is sourced locally with the Default Guest Role after authentication on the captive portal:

    Policy after authentication:

    Policy: any any dhcp permit
    Policy: user dc dns permit
    Policy: user controller http dst-nat 8080
    Policy: user circusnetwork any deny
    Policy: user any any route src-nat


    My problem:
    The user traffic goes through the AP's VLAN "management (500)" and not through the VLAN "Guest (2000)".

    My question:
    Can this be changed?

    Thank you in advance







  • 2.  RE: RAP Split-tunnel - Vlan User traffic

    EMPLOYEE
    Posted Jun 14, 2022 06:36 AM
    The last ACL should be "any any any permit". The traffic that is routed and source-NATted goes out the AP VLAN, which is what the last ACL does.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: RAP Split-tunnel - Vlan User traffic

    Posted Jun 14, 2022 08:21 AM
    Hi,

    Thanks for your response,

    If I remove the "src-nat route", the traffic will not be routed locally and will go to the controller?

    Thanks


  • 4.  RE: RAP Split-tunnel - Vlan User traffic

    EMPLOYEE
    Posted Jun 14, 2022 11:20 AM
    If you remove the last rule, the traffic will be blocked.
    If you do an allow all as the last rule, the traffic will be tunneled back to the controller.
    A rule with "route src-nat" will be source-NATted out of the IP address of the AP.

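The three outcomes described in reply 4, as an added example that is not part of the original thread and is not Aruba code: a simplified first-match model of the guest policy from post 1. It assumes rules are evaluated top-down with the first match winning, matches on alias and service names only, and uses constructed flows; `evaluate` and `with_last_rule` are hypothetical helper names.

```python
# Simplified first-match model of the guest role posted in this thread.
# Assumption: rules are checked top-down and the first match decides.
# Real ACLs match addresses and ports; here aliases and service names stand in.
ORIGINAL = [
    # (source, destination, service, action), copied from post 1
    ("any",  "any",           "dhcp", "permit"),
    ("user", "dc",            "dns",  "permit"),
    ("user", "controller",    "http", "dst-nat 8080"),
    ("user", "circusnetwork", "any",  "deny"),
    ("user", "any",           "any",  "route src-nat"),
]

# Forwarding result per action, as stated in reply 4 (dst-nat is reported as-is).
PATH = {
    "permit": "tunneled to controller",
    "route src-nat": "routed locally, source-NATted to the AP IP (AP VLAN)",
    "deny": "blocked",
}

def evaluate(policy, dst, service):
    """Return (action, path) for a flow from a guest user to dst/service."""
    for _src, rule_dst, rule_svc, action in policy:
        # Every flow here originates from a guest user, so "any"/"user" both match.
        if rule_dst in ("any", dst) and rule_svc in ("any", service):
            return action, PATH.get(action, action)
    return "deny", PATH["deny"]  # nothing matched: traffic is blocked

def with_last_rule(policy, action=None):
    """Copy of policy with the final rule's action replaced (removed if None)."""
    head = policy[:-1]
    if action is None:
        return head
    src, dst, svc, _ = policy[-1]
    return head + [(src, dst, svc, action)]

if __name__ == "__main__":
    variants = {
        "as posted (route src-nat)": ORIGINAL,
        "last rule = permit": with_last_rule(ORIGINAL, "permit"),
        "last rule removed": with_last_rule(ORIGINAL),
    }
    # Constructed sample flows: (destination alias, service)
    for dst, svc in [("internet", "https"), ("dc", "dns"), ("circusnetwork", "https")]:
        for name, policy in variants.items():
            print(f"{dst}/{svc:5} | {name:26} -> {evaluate(policy, dst, svc)[1]}")
```
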