ExtremeWireless (WiNG)


AP7522 /AP 6532 Wireless with NAT

  • 1.  AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 17:41

    I need to know how to configure the AP to use NAT on one wireless LAN.


  • 2.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 17:45
    Hello Rodrigo,

    Please provide firmware version. Are you using Swift UI or have you switched to Enterprise UI?

    Here's a link that might help: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Natting-on-a-WiNG-Express...



  • 3.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 17:47
    Hello Chris...

    It is the latest firmware on both, 5.9, and they have the Enterprise UI.


  • 4.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 17:53
    Here's a link to the how-to document for your perusal: http://documentation.extremenetworks.com/ExtremeWireless/NETWORK_ADDRESS_TRANSLATION_HTG_EN.pdf

    Please go over it and let us know if it helps.



  • 5.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 18:13
    The PDF is a good in-depth explanation, but sometimes just seeing a working config helps...

    Here's a sample CLI config for a setup with 1 AP connected directly to a cable modem, with all the important bits... This may or may not apply to your situation.

    • There are 2 ACLs, the first one to control what can access the AP remotely, the second one controls how NAT is applied; specifically the deny entry controls NO-NAT behaviour, while the permit entry defines what is NATted.
    • A DHCP server policy to assign IP addresses to clients
    • The WLAN definition itself, note that clients are put on VLAN 2.
    • In the device config, vlan1 is considered to be directly connected to the Internet, on which the Internet_ACL is applied, and vlan2, which is local to the AP, has the wireless clients on it.
    • Note the use of the ip nat commands, these control which interfaces are Inside and Outside, as well as how to apply the NAT.
    This config is derived from a SOHO configuration I use for teleworkers.

    ip access-list Internet_ACL
    permit udp any eq 68 any eq dhcps rule-precedence 40
    permit udp any eq 67 any eq dhcpc rule-precedence 50
    permit tcp remote_management_ip any eq https rule-precedence 60
    permit tcp remote_management_ip any eq ssh rule-precedence 65
    deny ip any any log rule-precedence 100

    ip access-list NAT_inside
    deny ip rule-precedence 50
    permit ip any rule-precedence 100

    dhcp-server-policy default
    dhcp-pool Wireless
    address range
    domain-name example.com
    dns-server

    wlan wireless
    ssid wireless
    vlan 2
    bridging-mode local
    encryption ccmp
    authentication-type none
    wpa-wpa2 psk 0 passw0rd1

    ap6532 xx-xx-xx-xx-xx-xx

    interface radio1
    wlan wireless bss 1 primary

    interface radio2
    wlan wireless bss 1 primary

    interface vlan1
    description Internet
    ip address dhcp
    ip dhcp client request options all
    use ip-access-list in Internet_ACL
    ip nat outside

    interface vlan2
    description Clients
    ip address
    no ip dhcp client request options all
    ip nat inside

    use dhcp-server-policy default

    ip nat inside source list NAT_inside interface vlan1 overload
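
The NAT pieces described in the post above (the inside/outside interface roles, the NAT ACL, the overload rule, and the inbound ACL on the Internet-facing interface) have to agree with each other, and that can be checked offline. This is an added example, not part of the original post or any Extreme tooling; the `parse` and `audit` helpers and the sample config are constructed, and only the command forms shown in this thread are recognised.

```python
import re
# Constructed sample in the flat style of the posted config (not a full WiNG config).
SAMPLE = """\
ip access-list Internet_ACL
deny ip any any log rule-precedence 100
ip access-list NAT_inside
permit ip any any rule-precedence 100
interface vlan1
use ip-access-list in Internet_ACL
ip nat outside
interface vlan2
ip nat inside
ip nat inside source list NAT_inside interface vlan1 overload
"""

def parse(text):
    """Collect ACL rules, per-interface NAT role and inbound ACL, and NAT rules."""
    acls, ifaces, nat_rules, acl, ifc = {}, {}, [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.fullmatch(r"ip access-list (\S+)", line):
            acl, ifc, acls[m[1]] = m[1], None, []
        elif m := re.fullmatch(r"interface (\S+)", line):
            ifc, acl, ifaces[m[1]] = m[1], None, {"nat": None, "acl_in": None}
        elif m := re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            nat_rules.append((m[1], m[2]))  # (NAT ACL name, egress interface)
        elif acl and (m := re.match(r"(?:permit|deny) .*rule-precedence (\d+)$", line)):
            acls[acl].append((int(m[1]), line))  # (precedence, rule text)
        elif ifc and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            ifaces[ifc]["nat"] = m[1]
        elif ifc and (m := re.fullmatch(r"use ip-access-list in (\S+)", line)):
            ifaces[ifc]["acl_in"] = m[1]
    return acls, ifaces, nat_rules

def audit(text):
    """Return findings; an empty list means the NAT pieces line up."""
    acls, ifaces, nat_rules = parse(text)
    out = [] if nat_rules else ["no 'ip nat inside source list' rule"]
    if not any(i["nat"] == "inside" for i in ifaces.values()):
        out.append("no interface marked 'ip nat inside'")
    for acl, egress in nat_rules:
        ifc = ifaces.get(egress, {"nat": None, "acl_in": None})
        # Rule with the highest precedence number in the inbound ACL, if any.
        last = max(acls.get(ifc["acl_in"], []), default=(0, ""))[1]
        if acl not in acls:
            out.append(f"NAT rule references undefined ACL {acl}")
        if ifc["nat"] != "outside":
            out.append(f"{egress} is the NAT egress but is not 'ip nat outside'")
        elif not last.startswith("deny ip any any"):
            out.append(f"{egress} has no inbound ACL ending in 'deny ip any any'")
    return out
```

Calling `audit()` on an exported config returns an empty list when the pieces agree, and one finding per mismatch otherwise.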

  • 6.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 18:37
    Hi Andrew!

    The scenario is similar, but the AP is connected to the LAN.

    And I have some questions...

    For example, if I define vlan15 (inside), is it necessary to define an IP on the interface? Can the DHCP server work if not? Or is an IP necessary on all APs or only on the VAP?

    Can I define static NAT using 1 IP for outside? Is it necessary to create a VLAN with outside for this?


    P.S.: the idea is to define a wireless network without easy access to the LAN but with controlled access to the WAN using an external firewall like FortiGate; the firewall is not on the side where the AP is.

  • 7.  RE: AP7522 /AP 6532 Wireless with NAT

    Posted 07-05-2017 19:01
    No matter what, at some point you have to define an IP address inside because a) the clients need to send their traffic to that IP as their default gateway, and b) the NAT mechanism needs this to operate.

    You could do that on the controller, for example tunnel the wireless client vlan back to the controller and only assign an IP on the controller.

    Or if using a controller-less environment, you need to select one or two APs to be master and backup virtual controllers. These 2 APs need fixed IPs, and their DHCP server needs to be controlled to only run if it is the current active domain manager (dhcp-server activation-criteria rf-domain-manager). There were some bugs around this in earlier WiNG versions, so make sure you use the latest.