topic Single AP7532 - connected to leased line in ExtremeWireless (WiNG)

Single AP7532 - connected to leased line

Phil_storey — Wed, 20 May 2020 19:46:11 GMT

I have a single AP that I want to be used to stage some devices from a public facing server we have.

I want to set the AP to give the devices a when they connect an ip using the onboard dhcp server

but the AP will have an IP from the range we have from ISP.

So the AP will be in the same VLAN as our WAN connection via a firewall.

I have tried to follow this guide: But I’m missing something as the wifi clients won’t connect

so the traffic will leave via vlan 2 ( wan ) Then I need to tie it down to the IP’s of the staging servers.

So the AP will be off the Corp network, then maybe do some firewall rule that would allow the AP to be manged using a port forward from our other leased line

The AP is running 5.9.2.1 The AP is in enterprise mode ( Virtual controller AP )

Its a bit long, but someone may see what is missing

Thanks in advance

Natting and Guest WLAN setup on a virtual controller:

For this setup the following are used:

Internal/Guest subnet 192.168.100.0/24

Internal/Guest VLAN: VLAN 100

Corp subnet 10.10.10.0/24

Corp VLAN: VLAN 1

Note: All settings must be configured on the VC.

1 – Create your inside (guest) and outside (corp) VLANs

From System Profile, create a VLAN for Internal/Guest users, Example: VLAN 100, do not give it an IP address at this point.

Configuration >> Devices >> System Profile >> Select the AP profile >> Interfaces >> Virtual Interfaces >> Add >> VLAN ID: 100 >> Continue >> Exit >> Commit and Save

Give an IP to VLAN 100 on the virtual controller as an override:

Configuration >> Devices >> Device Overrides >> Select the VC AP>> Interfaces >> Virtual Interfaces >> VLAN 100 >> IPv4 >> Primary IP address 192.168.100.1 >> Exit >> Commit and Save

Define NAT direction:

Still in the VLAN setting, General tab, under Network Address Translation >> NAT direction: Inside

This AP is now the default gateway.

Define NAT direction on corp VLAN 1 which is the outside VLAN:

Configuration >> Devices >> Device Overrides >> Select the VC AP >> Interfaces >> Virtual Interfaces >> VLAN 1 >> General >> Network Address Translation >> NAT direction: Outside

2 – Allow these VLANs out of the ge1 port

Configuration >> Devices >> System profile >> select profile >> Interface >> Ethernet ports >> ge1 >> Switching mode >> Mode: Trunk >> Allowed VLANs: 1,100 >> Ok >> Exit >> Commit and Save

IMPORTANT NOTE: Make sure that the switch port the APs are connected to are also configured to allow the same VLANs.

3 - Configure the DHCP server policy

Configuration >> Services >> DHCP server >> Add >> Create the policy with the required information (subnet, pool, Default router IP address which is the IP address of your AP, in this case 192.168.100.1)

4 – Enable the DHCP server policy

Configuration >> Devices >> Device Overrides >> Select VC AP >> Services >>DHCP server>>DHCP Server Policy >> Select the one you created earlier from the drop down menu >> Ok >> Commit and Save

5 - Create NAT ACL

Configuration >> Security >> IP Firewall >> IPv4 ACL >> Add >> Enter IP Firewall Policy name >> Change only the following: Action: allow>> Source: Network (here we chose 192.168.100.0/24), Destination: Any >> OK >> Commit and Save

6 - Create NAT

Configuration >> Devices >> Device Overrides >> Select VC AP >> Security >> NAT >> Dynamic NAT (Add) >> Select ACL created earlier from dropdown >> Network inside >> Add Row >>Interface VLAN ID: 1.

GUEST WLAN SETUP:

If the guest WLAN is going to go through corp network you will have to configure an ACL rule to prevent guest users from accessing corp resources:

Configuration >> Security >> IP Firewall >> IPv4 ACL >> Add >> Enter ACL name (example guestacl) >> Add following rules:

1 – Precedence 1

Action: Deny

Source: Network (enter IP of network subnet: Example 192.168.100.0/24 in this case)

Destination: Network (Enter IP of corp network: Example 10.10.10.0/24 in this case)

Protocol: IP

2 – Precedence 2

Action: Allow

Source: Network (enter IP of network subnet: Example 192.168.100.0/24 in this case)

Destination: Any

Protocol: IP

Create your Guest WLAN (example: guest-wlan) then from the menu tree, go to the Firewall >> IP Firewall Rules >> Inbound IP Firewall Rules and select the ACL you created earlier from the drop down menu.

Re: Single AP7532 - connected to leased line

Tomasz — Thu, 21 May 2020 05:13:32 GMT

Hi Phil,

Quick question for clarity - they won’t connect ie. associate or no IP address is given to them on this guest VLAN? How is the WLAN configured? And is the traffic required to be NAT-ted or left in that guest VLAN?

Kind regards,

Tomasz

Re: Single AP7532 - connected to leased line

Phil_storey — Thu, 21 May 2020 14:32:47 GMT

Hi Tomasz

the laptop can see the network but will not associate so can’t get an IP.

The AP will be connected to a non natted leased line via a network switch in vlan2 so the ap has a public facing IP 105.xxx.xxx.42/27 ( example ) the units to be staged will scan a QR code that has the wifi network and key embedded in the QR code along with details of the server it needs to connect to and the apps it needs to pull from the server.

At present the AP is on the bench, I set the wifi up and wanted to make sure the laptop would get an IP address from the AP dhcp server, so the internal 192.168.xxx.xxx traffic needs to get out on to the net, to get the apps/etc for staging

best regards

Phil

Re: Single AP7532 - connected to leased line

Tomasz — Thu, 21 May 2020 23:22:53 GMT

Hi Phil,

I see.

When you say the laptop can see the network but won’t associate, perhaps it’s too soon to say either DHCP/NAT is well done or with errors... IMHO something on WLAN configuration might have to be checked first: encryption, authentication, any side options and improvements that can cause issues with particular client hardware/software sometimes.

If it’s not an issue, please paste your WLAN config.

Also try to run packet capture and wireless debug. For wireless debug I use ‘remote-debug wireless’ command for that (like ‘remote-debug wireless rf-domain default clients aa:bb:cc:dd:ee:11 max-events 10000 duration 86400 events all’), but it’s especially useful for more than one AP (and running this for an entire site). You can also check ‘service show wireless log-internal’ or ‘show event-history’ if it shows you something relevant.

For packet capture, ‘remote-debug live-pktcap’ or ‘service pktcap’ commands may come in handy.

Just to give you some example, I had a problem with clients not being able to authenticate over 802.1X network and it turned out it was a driver issue on Intel AC card when it saw 802.11r and 11w over the air. Under packet capture I was able to see that WPA handshake is not complete, and in logs I could find some more descriptive message (that allowed me to google for the root cause with success :D).

Please see this for some reference on these debugging options in WiNG: https://1drv.ms/b/s!AvxWpCsRBHSfg0xyeFuPXn_B_m_u?e=0i4bQL

Hope that helps,

Tomasz

Re: Single AP7532 - connected to leased line

Phil_storey — Fri, 22 May 2020 16:23:34 GMT

Hi Tomasz

thankyou for the reply, I’m going to work through the guide I was following, did that all look OK ? or is there bits missing, I have factoryReset the AP, I’ll try and report back later today

Phil

Re: Single AP7532 - connected to leased line

Tomasz — Fri, 22 May 2020 16:26:00 GMT

Hi Phil,

Good luck!

Should you have any questions, just let us know.

Eventually, we could try with some remote session if that helps.

Take care,

Tomasz

Re: Single AP7532 - connected to leased line

Phil_storey — Tue, 26 May 2020 17:33:51 GMT

Hi Tomasz

I have tried again, something I’m doing wrong, If the offer stands for a remote session I would like to take you up on the offer, I have defaulted the AP again ready to restart doing the config again

Phil

Re: Single AP7532 - connected to leased line

Tomasz — Wed, 27 May 2020 03:55:11 GMT

Hi Phil,

Sure, I’d love to give you another pair of eyes to look at it, not a business offer. This week mainly evenings in GMT time zone work for me. Please pm me and let me know when it’s feasible for you to connect.

Take care,

Tomasz

Re: Single AP7532 - connected to leased line

Phil_storey — Tue, 09 Jun 2020 13:41:08 GMT

Hi Tomasz

thankyou for your assistance on this, It seems to be working now, just got to tie it down a bit from the WAN side of things

Phil