AP7522 / AP6532 Wireless with NAT


Userlevel 1
Hi!!!!

I need to know how to configure the AP to use NAT on one wireless LAN.

Thx.

6 replies

Userlevel 5
Hello Rodrigo,

Please provide firmware version. Are you using Swift UI or have you switched to Enterprise UI?

Here's a link that might help: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Natting-on-a-WiNG-Express...

Regards,

Chris
Userlevel 1
Hello Chris...

Both are on the latest firmware, 5.9, and have the Enterprise UI.

Thx.
Userlevel 5
Here's a link to the how-to document for your perusal: http://documentation.extremenetworks.com/ExtremeWireless/NETWORK_ADDRESS_TRANSLATION_HTG_EN.pdf

Please go over it and let us know if it helps.

Regards,

Chris
Userlevel 3
The PDF is a good in-depth explanation, but sometimes just seeing a working config helps...

Here's a sample CLI config for a setup with one AP connected directly to a cable modem, with all the important bits... This may or may not apply to your situation.

  • There are two ACLs: the first controls what can access the AP remotely; the second controls how NAT is applied. Specifically, the deny entry controls the no-NAT behaviour, while the permit entry defines what is NATted.
  • A DHCP server policy to assign IP addresses to clients.
  • The WLAN definition itself; note that clients are put on VLAN 2.
  • In the device config, vlan1 is considered to be directly connected to the Internet, and the Internet_ACL is applied on it; vlan2, which is local to the AP, has the wireless clients on it.
  • Note the use of the ip nat commands: these control which interfaces are inside and outside, as well as how the NAT is applied.
This config is derived from a SOHO configuration I use for teleworkers.

! Inbound filter for the Internet-facing interface (vlan1).
! remote_management_ip is a placeholder: replace it with the host or subnet
! that is allowed to manage the AP over HTTPS/SSH.
ip access-list Internet_ACL
 permit udp any eq 68 any eq dhcps rule-precedence 40
 permit udp any eq 67 any eq dhcpc rule-precedence 50
 permit tcp remote_management_ip any eq https rule-precedence 60
 permit tcp remote_management_ip any eq ssh rule-precedence 65
 deny ip any any log rule-precedence 100

! NAT selection list: deny = do not translate (local RFC1918 traffic stays
! un-NATted), permit = translate.
ip access-list NAT_inside
 deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
 permit ip 192.168.1.0/24 any rule-precedence 100

dhcp-server-policy default
 dhcp-pool Wireless
  network 192.168.1.0/24
  address range 192.168.1.100 192.168.1.254
  domain-name example.com
  default-router 192.168.1.1
  dns-server 8.8.8.8 8.8.4.4

! Clients land on VLAN 2, bridged locally on the AP.
! "psk 0" enters the key in clear text; change passw0rd1 before deploying.
wlan wireless
 ssid wireless
 vlan 2
 bridging-mode local
 encryption ccmp
 authentication-type none
 wpa-wpa2 psk 0 passw0rd1

ap6532 xx-xx-xx-xx-xx-xx
 interface radio1
  wlan wireless bss 1 primary
 interface radio2
  wlan wireless bss 1 primary
 interface vlan1
  description Internet
  ip address dhcp
  ip dhcp client request options all
  use ip-access-list in Internet_ACL
  ip nat outside
 interface vlan2
  description Clients
  ip address 192.168.1.1/24
  no ip dhcp client request options all
  ip nat inside
 use dhcp-server-policy default
 ip nat inside source list NAT_inside interface vlan1 overload
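The two ACLs in the config above use identical syntax but do different jobs: on vlan1 a deny entry drops the packet, while in the NAT_inside list a deny entry only means "do not translate" and the packet is still forwarded. As an added illustration (not part of the original post and not WiNG code), the following Python model evaluates both lists over constructed packets with first-match, ascending rule-precedence semantics. The addresses 203.0.113.10 (standing in for remote_management_ip) and 198.51.100.7 (the DHCP-learned vlan1 address) are assumed placeholders.

```python
"""Model how the posted Internet_ACL and NAT_inside lists treat traffic.

Constructed example; not code from the original post or from WiNG.
Assumptions: first match wins in ascending rule-precedence order, an ACL
ends with an implicit deny, and the addresses below are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: str            # "any" or a CIDR prefix
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    precedence: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First match in ascending rule-precedence; no match is an implicit deny."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.matches(p):
            return rule.action
    return "deny"


MGMT = "203.0.113.10"     # assumed stand-in for remote_management_ip
WAN_IP = "198.51.100.7"   # assumed DHCP-learned address on vlan1

# Transcription of the posted Internet_ACL (dhcps = 67, dhcpc = 68).
INTERNET_ACL = [
    Rule("permit", "udp", "any", "any", 68, 67, 40),
    Rule("permit", "udp", "any", "any", 67, 68, 50),
    Rule("permit", "tcp", MGMT + "/32", "any", None, 443, 60),
    Rule("permit", "tcp", MGMT + "/32", "any", None, 22, 65),
    Rule("deny", "ip", "any", "any", None, None, 100),
]

# Transcription of the posted NAT_inside list.
NAT_INSIDE = [
    Rule("deny", "ip", "192.168.1.0/24", "192.168.0.0/16", precedence=50),
    Rule("permit", "ip", "192.168.1.0/24", "any", precedence=100),
]


def inbound_vlan1(p: Packet) -> str:
    """Packet arriving on vlan1: Internet_ACL decides forward or drop."""
    return "forward" if evaluate(INTERNET_ACL, p) == "permit" else "drop"


def outbound_from_client(p: Packet) -> Packet:
    """Client packet leaving via vlan1: NAT_inside decides whether to translate."""
    if evaluate(NAT_INSIDE, p) == "permit":
        # Overloaded (PAT) to the vlan1 address; port allocation not modelled.
        return Packet(p.proto, WAN_IP, p.dst, p.sport, p.dport)
    return p  # deny in a NAT list: forwarded unchanged, no translation


if __name__ == "__main__":
    samples = [
        ("ssh from mgmt host", inbound_vlan1(Packet("tcp", MGMT, WAN_IP, 50000, 22))),
        ("ssh from elsewhere", inbound_vlan1(Packet("tcp", "192.0.2.99", WAN_IP, 50000, 22))),
        ("client -> 8.8.8.8", outbound_from_client(Packet("udp", "192.168.1.50", "8.8.8.8", 40000, 53)).src),
        ("client -> 192.168.5.1", outbound_from_client(Packet("tcp", "192.168.1.50", "192.168.5.1", 40000, 443)).src),
    ]
    for label, result in samples:
        print(f"{label:24s} {result}")
```

Running it shows the asymmetry in one screen: SSH from the management host is forwarded and from anywhere else dropped, while a client packet to 8.8.8.8 leaves with the vlan1 source address and a packet to 192.168.5.1 keeps its private source address because the deny entry excludes it from translation rather than blocking it.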
Userlevel 1
Hi Andrew!

The scenario is similar, but the AP is connected in the LAN.

And have some question....

For example, if I define vlan15 (inside), is it necessary to define an IP on the interface? Can the DHCP server work if not? Or is an IP necessary on all APs, or only on the VAP?

Can I define static NAT using one IP for outside? Is it necessary to create a VLAN for outside for this?

Thx

PS: the idea is to define a wireless network without easy access to the LAN but with controlled access to the WAN using an external firewall like a FortiGate; the firewall is not on the side where the AP is.
Userlevel 3
No matter what, at some point you have to define an IP address inside because a) the clients need to send their traffic to that IP as their default gateway, and b) the NAT mechanism needs this to operate.

You could do that on the controller, for example tunnel the wireless client vlan back to the controller and only assign an IP on the controller.

Or if using a controller-less environment, you need to select one or two APs to be the master and backup virtual controllers. These two APs need fixed IPs, and their DHCP server needs to be controlled to only run if it is the current active domain manager (dhcp-server activation-criteria rf-domain-manager). There were some bugs around this in earlier WiNG versions, so make sure you use the latest.
