AP7522 /AP 6532 Wireless with NAT

  • Question
  • Updated 12 months ago
  • Answered
Hi!!!!

I need to know how to configure the AP to use NAT on one wireless LAN.

Thx.

Rodrigo Cortes

Posted 12 months ago

Christoph S., Employee

Hello Rodrigo,

Please provide the firmware version. Are you using Swift UI or have you switched to Enterprise UI?

Here's a link that might help: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Natting-on-a-WiNG-Express...

Regards,

Chris

Rodrigo Cortes

Hello Chris...

Both are on the latest firmware, 5.9, and have the Enterprise UI.

Thx.

Christoph S., Employee

Here's a link to the how-to document for your perusal: http://documentation.extremenetworks.com/ExtremeWireless/NETWORK_ADDRESS_TRANSLATION_HTG_EN.pdf

Please go over it and let us know if it helps.

Regards,

Chris

Andrew Webster

The PDF is a good in-depth explanation, but sometimes just seeing a working config helps...

Here's a sample CLI config for a setup with 1 AP connected directly to a cable modem, with all the important bits... This may or may not apply to your situation.

  • There are 2 ACLs: the first one controls what can access the AP remotely, the second one controls how NAT is applied; specifically, the deny entry controls NO-NAT behaviour, while the permit entry defines what is NATted.
  • A DHCP server policy to assign IP addresses to clients.
  • The WLAN definition itself; note that clients are put on VLAN 2.
  • In the device config, vlan1 is considered to be directly connected to the Internet, and the Internet_ACL is applied on it; vlan2, which is local to the AP, has the wireless clients on it.
  • Note the use of the ip nat commands; these control which interfaces are Inside and Outside, as well as how to apply the NAT.
This config is derived from a SOHO configuration I use for teleworkers.


ip access-list Internet_ACL
 permit udp any eq 68 any eq dhcps rule-precedence 40
 permit udp any eq 67 any eq dhcpc rule-precedence 50
 permit tcp remote_management_ip any eq https rule-precedence 60
 permit tcp remote_management_ip any eq ssh rule-precedence 65
 deny ip any any log rule-precedence 100

ip access-list NAT_inside
 deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
 permit ip 192.168.1.0/24 any rule-precedence 100

dhcp-server-policy default
 dhcp-pool Wireless
  network 192.168.1.0/24
  address range 192.168.1.100 192.168.1.254
  domain-name example.com
  default-router 192.168.1.1
  dns-server 8.8.8.8 8.8.4.4

wlan wireless
 ssid wireless
 vlan 2
 bridging-mode local
 encryption ccmp
 authentication-type none
 wpa-wpa2 psk 0 passw0rd1

ap6532 xx-xx-xx-xx-xx-xx
 interface radio1
  wlan wireless bss 1 primary

 interface radio2
  wlan wireless bss 1 primary

 interface vlan1
  description Internet
  ip address dhcp
  ip dhcp client request options all
  use ip-access-list in Internet_ACL
  ip nat outside

 interface vlan2
  description Clients
  ip address 192.168.1.1/24
  no ip dhcp client request options all
  ip nat inside

 use dhcp-server-policy default
 ip nat inside source list NAT_inside interface vlan1 overload
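
How the NAT_inside list in the sample config above selects traffic for translation, as an added example (not part of the original posts and not Extreme's code). It assumes rules are evaluated lowest rule-precedence first with the first match winning, and that traffic matching no rule is left untranslated; the sample flows are constructed.

```python
import ipaddress
import re

# ACL entries copied from the sample config in the post above.
NAT_INSIDE = """\
deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
permit ip 192.168.1.0/24 any rule-precedence 100
"""

RULE = re.compile(r"^(permit|deny) ip (\S+) (\S+) rule-precedence (\d+)$")

def to_network(token):
    # "any" matches every IPv4 address
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_acl(text):
    """Return (precedence, action, src_net, dst_net) tuples, lowest precedence first."""
    rules = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise the irregular spacing
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src, dst, prec = m.groups()
        rules.append((int(prec), action, to_network(src), to_network(dst)))
    return sorted(rules, key=lambda r: r[0])

def nat_decision(rules, src, dst):
    """First match wins: permit -> translated, deny -> forwarded untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return ("nat" if action == "permit" else "no-nat", prec)
    return ("no-nat", None)  # assumption: unmatched traffic is not translated

# Constructed sample flows (not from the thread).
FLOWS = [
    ("192.168.1.120", "8.8.8.8"),       # wireless client to the Internet
    ("192.168.1.120", "192.168.10.5"),  # wireless client to another private subnet
    ("10.0.0.9", "8.8.8.8"),            # source outside the client subnet
]

if __name__ == "__main__":
    rules = parse_acl(NAT_INSIDE)
    for src, dst in FLOWS:
        verdict, prec = nat_decision(rules, src, dst)
        print(f"{src:>15} -> {dst:<15} {verdict:<7} (rule {prec})")
```

A "no-nat" result means the flow is exempt from translation, not dropped: the deny entry in NAT_inside does not itself keep wireless clients off other 192.168.0.0/16 networks, so that restriction has to come from a separate ACL or firewall rule.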
 


Rodrigo Cortes

Hi Andrew!

The scenario is similar, but the AP is connected in the LAN.

And I have some questions...

For example, if I define vlan15 (inside), is it necessary to define an IP on the interface? Can the DHCP server work if not? Or is an IP necessary on all APs or only on the VAP?

Can I define static NAT using 1 IP for outside? Is it necessary to create a VLAN with outside for this?

Thx

PS: the idea is to define a wireless network without easy access to the LAN but with controlled access to the WAN using an external firewall like FortiGate; the firewall is not on the side where the AP is.

Andrew Webster

No matter what, at some point you have to define an IP address inside because a) the clients need to send their traffic to that IP as their default gateway, and b) the NAT mechanism needs this to operate.

You could do that on the controller, for example tunnel the wireless client vlan back to the controller and only assign an IP on the controller.

Or if using a controller-less environment, you need to select one or two APs to be master and backup virtual controllers.  These 2 APs need fixed IPs, and their DHCP server needs to be controlled to only run if it is the current active domain manager (dhcp-server activation-criteria rf-domain-manager).  There were some bugs around this in earlier WiNG versions, so make sure you use the latest.