05-20-2020 12:46 PM
Hi
I have a single AP that I want to be used to stage some devices from a public facing server we have.
I want to set the AP to give the devices an IP when they connect, using the onboard DHCP server,
but the AP will have an IP from the range we have from ISP.
So the AP will be in the same VLAN as our WAN connection via a firewall.
I have tried to follow this guide: But I’m missing something as the wifi clients won’t connect
So the traffic will leave via VLAN 2 (WAN). Then I need to tie it down to the IPs of the staging servers.
So the AP will be off the Corp network, then maybe do some firewall rule that would allow the AP to be managed using a port forward from our other leased line.
The AP is running 5.9.2.1. The AP is in enterprise mode (Virtual controller AP).
It's a bit long, but someone may see what is missing.
Thanks in advance
Natting and Guest WLAN setup on a virtual controller:
For this setup the following are used:
Internal/Guest subnet 192.168.100.0/24
Internal/Guest VLAN: VLAN 100
Corp subnet 10.10.10.0/24
Corp VLAN: VLAN 1
Note: All settings must be configured on the VC.
1 – Create your inside (guest) and outside (corp) VLANs
- From System Profile, create a VLAN for Internal/Guest users, Example: VLAN 100, do not give it an IP address at this point.
Configuration >> Devices >> System Profile >> Select the AP profile >> Interfaces >> Virtual Interfaces >> Add >> VLAN ID: 100 >> Continue >> Exit >> Commit and Save
- Give an IP to VLAN 100 on the virtual controller as an override:
Configuration >> Devices >> Device Overrides >> Select the VC AP>> Interfaces >> Virtual Interfaces >> VLAN 100 >> IPv4 >> Primary IP address 192.168.100.1 >> Exit >> Commit and Save
- Define NAT direction:
Still in the VLAN setting, General tab, under Network Address Translation >> NAT direction: Inside
This AP is now the default gateway.
- Define NAT direction on corp VLAN 1 which is the outside VLAN:
Configuration >> Devices >> Device Overrides >> Select the VC AP >> Interfaces >> Virtual Interfaces >> VLAN 1 >> General >> Network Address Translation >> NAT direction: Outside
2 – Allow these VLANs out of the ge1 port
- Configuration >> Devices >> System profile >> select profile >> Interface >> Ethernet ports >> ge1 >> Switching mode >> Mode: Trunk >> Allowed VLANs: 1,100 >> Ok >> Exit >> Commit and Save
IMPORTANT NOTE: Make sure that the switch ports the APs are connected to are also configured to allow the same VLANs.
3 - Configure the DHCP server policy
- Configuration >> Services >> DHCP server >> Add >> Create the policy with the required information (subnet, pool, Default router IP address which is the IP address of your AP, in this case 192.168.100.1)
4 – Enable the DHCP server policy
- Configuration >> Devices >> Device Overrides >> Select VC AP >> Services >> DHCP server >> DHCP Server Policy >> Select the one you created earlier from the drop down menu >> Ok >> Commit and Save
5 - Create NAT ACL
- Configuration >> Security >> IP Firewall >> IPv4 ACL >> Add >> Enter IP Firewall Policy name >> Change only the following: Action: allow >> Source: Network (here we chose 192.168.100.0/24), Destination: Any >> OK >> Commit and Save
6 - Create NAT
- Configuration >> Devices >> Device Overrides >> Select VC AP >> Security >> NAT >> Dynamic NAT (Add) >> Select ACL created earlier from dropdown >> Network inside >> Add Row >> Interface VLAN ID: 1.
GUEST WLAN SETUP:
If the guest WLAN is going to go through corp network you will have to configure an ACL rule to prevent guest users from accessing corp resources:
- Configuration >> Security >> IP Firewall >> IPv4 ACL >> Add >> Enter ACL name (example guestacl) >> Add following rules:
1 – Precedence 1
Action: Deny
Source: Network (enter IP of network subnet: Example 192.168.100.0/24 in this case)
Destination: Network (Enter IP of corp network: Example 10.10.10.0/24 in this case)
Protocol: IP
2 – Precedence 2
Action: Allow
Source: Network (enter IP of network subnet: Example 192.168.100.0/24 in this case)
Destination: Any
Protocol: IP
- Create your Guest WLAN (example: guest-wlan) then from the menu tree, go to the Firewall >> IP Firewall Rules >> Inbound IP Firewall Rules and select the ACL you created earlier from the drop down menu.
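An added example (not part of the original post or of the guide it quotes): a small Python model of the guide's guestacl, evaluated first-match by precedence, with a check that flags any allow rule reached before the corp deny, plus a staging-only variant of the kind described at the top of the post. The implicit deny for unmatched traffic and the staging server addresses (203.0.113.10 and 203.0.113.11, documentation range) are assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# (precedence, action, source, destination), as in the guide's guestacl
GUEST_ACL = [
    (1, "deny", "192.168.100.0/24", "10.10.10.0/24"),
    (2, "allow", "192.168.100.0/24", "any"),
]
# Same two rules with the precedences swapped (a misconfiguration)
SWAPPED_ACL = [
    (1, "allow", "192.168.100.0/24", "any"),
    (2, "deny", "192.168.100.0/24", "10.10.10.0/24"),
]
# Staging-only variant; the server addresses are constructed placeholders
STAGING_ACL = [
    (1, "deny", "192.168.100.0/24", "10.10.10.0/24"),
    (2, "allow", "192.168.100.0/24", "203.0.113.10/32"),
    (3, "allow", "192.168.100.0/24", "203.0.113.11/32"),
]

def net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec)

def first_match(acl, src, dst):
    """Return (action, precedence) of the first rule matching src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, s, d in sorted(acl):
        if src in net(s) and dst in net(d):
            return action, prec
    return "deny", None  # assumption: unmatched traffic is dropped

def corp_leaks(acl, guest="192.168.100.0/24", corp="10.10.10.0/24"):
    """Precedences of allow rules that match guest -> corp traffic before
    a deny covering the whole guest/corp pair is reached."""
    guest, corp = net(guest), net(corp)
    leaks = []
    for prec, action, s, d in sorted(acl):
        s, d = net(s), net(d)
        if not (s.overlaps(guest) and d.overlaps(corp)):
            continue
        if action == "allow":
            leaks.append(prec)
        elif guest.subnet_of(s) and corp.subnet_of(d):
            break  # everything guest -> corp is denied from here on
    return leaks

if __name__ == "__main__":
    for name, acl in [("guide", GUEST_ACL), ("swapped", SWAPPED_ACL), ("staging", STAGING_ACL)]:
        print(name, first_match(acl, "192.168.100.50", "10.10.10.5"), corp_leaks(acl))
```

An empty list from `corp_leaks` means no allow rule is reached before the deny that covers guest-to-corp traffic.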
05-26-2020 08:55 PM
Hi Phil,
Sure, I’d love to give you another pair of eyes to look at it, not a business offer. This week mainly evenings in GMT time zone work for me. Please pm me and let me know when it’s feasible for you to connect.
Take care,
Tomasz
06-09-2020 06:41 AM
Hi Tomasz
Thank you for your assistance on this. It seems to be working now, just got to tie it down a bit from the WAN side of things.
Phil
05-26-2020 10:33 AM
Hi Tomasz
I have tried again, something I’m doing wrong, If the offer stands for a remote session I would like to take you up on the offer, I have defaulted the AP again ready to restart doing the config again
Phil
05-22-2020 09:26 AM
Hi Phil,
Good luck!
Should you have any questions, just let us know.
Eventually, we could try with some remote session if that helps.
Take care,
Tomasz
