I need to know how to configure the AP to use NAT on one wireless LAN.
Please provide firmware version. Are you using Swift UI or have you switched to Enterprise UI?
Here's a link that might help: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Natting-on-a-WiNG-Express...
Please go over it and let us know if it helps.
The PDF is a good in-depth explanation, but sometimes just seeing a working config helps...
Here's a sample CLI config for a setup with 1 AP connected directly to a cable modem, with all the important bits... This may or may not apply to your situation.
- There are 2 ACLs: the first one controls what can access the AP remotely, the second one controls how NAT is applied; specifically, the deny entry controls NO-NAT behaviour, while the permit entry defines what is NATted.
- A DHCP server policy to assign IP addresses to clients
- The WLAN definition itself, note that clients are put on VLAN 2.
- In the device config, vlan1 is considered to be directly connected to the Internet, and the Internet_ACL is applied on it; vlan2, which is local to the AP, has the wireless clients on it.
- Note the use of the ip nat commands, these control which interfaces are Inside and Outside, as well as how to apply the NAT.
ip access-list Internet_ACL
permit udp any eq 68 any eq dhcps rule-precedence 40
permit udp any eq 67 any eq dhcpc rule-precedence 50
permit tcp remote_management_ip any eq https rule-precedence 60
permit tcp remote_management_ip any eq ssh rule-precedence 65
deny ip any any log rule-precedence 100
ip access-list NAT_inside
deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
permit ip 192.168.1.0/24 any rule-precedence 100
address range 192.168.1.100 192.168.1.254
dns-server 22.214.171.124 126.96.36.199
wpa-wpa2 psk 0 passw0rd1
wlan wireless bss 1 primary
wlan wireless bss 1 primary
ip address dhcp
ip dhcp client request options all
use ip-access-list in Internet_ACL
ip nat outside
ip address 192.168.1.1/24
no ip dhcp client request options all
ip nat inside
use dhcp-server-policy default
ip nat inside source list NAT_inside interface vlan1 overload
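Added example, not part of the original thread or of any Extreme/WiNG tooling: a small Python model of how the NAT_inside list above sorts flows into NAT and NO-NAT. It assumes rules are evaluated lowest rule-precedence first with the first match winning, and that traffic matching no rule is left untranslated; the flows are constructed.

```python
import ipaddress

# ACL entries copied from the sample config in the post above.
NAT_INSIDE = """\
deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
permit ip 192.168.1.0/24 any rule-precedence 100
"""

def _net(token):
    # "any" matches every IPv4 address.
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST rule-precedence N' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        ok = len(p) == 6 and p[0] in ("permit", "deny") and p[1] == "ip"
        if not ok or p[4] != "rule-precedence":
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append((int(p[5]), p[0], _net(p[2]), _net(p[3])))
    # Assumption: the lowest rule-precedence value is evaluated first.
    return sorted(rules, key=lambda r: r[0])

def nat_decision(rules, src, dst):
    """Return ('nat' | 'no-nat', precedence of the matching rule or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return ("nat" if action == "permit" else "no-nat", prec)
    # Assumption: a flow that matches no entry is not translated.
    return ("no-nat", None)

RULES = parse_acl(NAT_INSIDE)

# Constructed flows: client to an outside host (documentation address),
# client to another 192.168.x.x network, and a source outside the client subnet.
FLOWS = [
    ("192.168.1.120", "203.0.113.10"),
    ("192.168.1.120", "192.168.10.5"),
    ("10.0.0.5", "203.0.113.10"),
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: {nat_decision(RULES, src, dst)}")
```

Because the deny entry covers 192.168.0.0/16, client traffic to any 192.168.x.x destination matches precedence 50 and is not translated; only traffic to other destinations reaches the permit entry.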
The scenario is similar, but the AP is connected in the LAN.
And I have some questions...
For example, if I define vlan15 (inside), is it necessary to define an IP on the interface? Can the DHCP server work if not? Or is an IP necessary on all APs or only on the VAP?
Can I define static NAT using 1 IP for outside? Is it necessary to create a VLAN for outside for this?
PS: the idea is to define a wireless network without easy access to the LAN but with controlled access to the WAN using an external firewall like FortiGate; the firewall is not on the side where the AP is.
No matter what, at some point you have to define an IP address inside because a) the clients need to send their traffic to that IP as their default gateway, and b) the NAT mechanism needs this to operate.
You could do that on the controller, for example tunnel the wireless client vlan back to the controller and only assign an IP on the controller.
Or if using a controller-less environment, you need to select one or two APs to be master and backup virtual controllers. These 2 APs need fixed IPs, and their DHCP server needs to be controlled to only run if it is the current active domain manager (dhcp-server activation-criteria rf-domain-manager). There were some bugs around this in earlier WiNG versions, so make sure you use the latest.