Netgate Discussion Forum
    Ruckus vSZ-H and 1 public IP

General pfSense Questions
wifi-will

      Hi all,

      I’ve reached the end of my troubleshooting rope and am hoping the community can help with a challenge I haven’t been able to solve, even with ChatGPT help!

      Scenario:

      • I manage two separate Ruckus Virtual SmartZone (vSZ) controllers (previously on AWS, each with their own VM and Public IP).

      • I’m migrating these to a single dedicated server, but due to limitations at our office location, we only have one public IP available.

      • For web-based management, I’ve set up subdomains pointing to my public IP, and can use HAProxy for HTTP/S reverse proxying by FQDN. This works fine for the GUI.

      • The real issue is with Ruckus access points: They appear to be hardcoded to connect to the controller on SSH port 22 for discovery/management, and do not allow specifying a custom port.

      • From what I can tell, you can’t use NAT or port mapping tricks to forward SSH to different internal vSZ instances based on the original hostname/FQDN the AP tried to reach—the firewall only sees a connection to port 22 from the AP after DNS resolves the FQDN to the same public IP.

      • As a result, I can only forward port 22 to a single vSZ instance at a time, and can’t split incoming APs between two controllers.

      The problem:

• Is there any way (proxy, NAT, pfSense package, SSH trick, etc.) to route SSH (port 22) traffic to different internal vSZs based on which subdomain/FQDN the AP tried to connect to?

      • Or is this fundamentally impossible due to how the AP-to-controller tunnel works (i.e. no SNI, no host header, just raw TCP to port 22 after DNS)?

      • If there’s no way around this with only one public IP, are there any Ruckus-supported alternatives for separating AP groups (e.g. multi-tenant domains on a single controller) or has anyone found a creative workaround?

      Complicating factors:

      • APs are distributed at over 100 hotels, all with various routers.

      • Solutions requiring changes at the remote site/router or VPN clients on every site are not practical.

      Thanks in advance for any insight, workarounds, or pointers to other solutions—whether from the Ruckus world or just from experience with similar enterprise controller setups!

patient0 @wifi-will

        @wifi-will said in Ruckus vSZ-H and 1 public IP:

        From what I can tell, you can’t use NAT or port mapping tricks to forward SSH to different internal vSZ instances based on the original hostname/FQDN the AP tried to reach—the firewall only sees a connection to port 22 from the AP after DNS resolves the FQDN to the same public IP.

        But can you not forward based on the (public) source IP of the request? Request from <Source IP> to <Public IP> port 22 -> redirect <vSZ>. And set host alias with the FQDN and use that in the rule.

        pfSense: Port Forward Rule Options and there the "Source:" paragraph.

        Or do multiple APs access different vSZs from the same public source IP?

wifi-will @patient0

@patient0 I guess, yes, that could be a way to do it. Although each site has its own IP, and sometimes dynamic, it would be possible to set this up. I guess I would set up a rule for every site using a source rule, right?

patient0 @wifi-will

            @wifi-will said in Ruckus vSZ-H and 1 public IP:

I guess I would set up a rule for every site using a source rule, right?

That would not be necessary, an alias can have lots of host entries. You would add all the FQDNs that go to one vSZ into one alias and the others into another alias.
And a host alias can be a list of FQDNs and IPs.

The FQDNs get resolved by pfSense at a certain interval - not sure right now, every hour, every 5 minutes?

            Addition: pfSense Doc: Hostnames in Aliases:

            "The firewall periodically resolves and updates hostname entries in host or network type aliases. The default interval is 300 seconds (5 minutes). This behavior can be changed by adjusting the Aliases Hostnames Resolve Interval."

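The approach patient0 describes in the two replies above (one port forward per vSZ, with the forward's Source set to a host alias full of site FQDNs, and pfSense re-resolving those FQDNs every 300 seconds) can be modelled offline. The script below is an added example, not code from this thread, from pfSense or from Ruckus: it builds the alias tables from a constructed in-memory DNS, matches an incoming port-22 connection by its source address the way a first-match NAT rule would, flags a source IP that ends up in both aliases (patient0's "same public source IP" question), and shows what happens when a hotel's dynamic IP changes between resolve intervals (wifi-will's concern). All hostnames, addresses and the two vSZ targets are hypothetical.

```python
"""Model pfSense source-based port forwards of WAN:22 to two internal vSZs.

Added example, not pfSense's own code. pfSense turns a host alias into a
pf table and refreshes the FQDN entries every 300 s by default; here the
resolver is a constructed dictionary so the script runs without network.
"""

# Constructed sample data (hypothetical DDNS names, RFC 5737/1918 addresses).
DNS = {
    "hotel-a.ddns.example": "203.0.113.10",
    "hotel-b.ddns.example": "203.0.113.20",
    "hotel-c.ddns.example": "198.51.100.30",
    "hotel-d.ddns.example": "198.51.100.40",
}

# One host alias per controller, as patient0 suggests.
ALIASES = {
    "vsz1_sites": ["hotel-a.ddns.example", "hotel-b.ddns.example"],
    "vsz2_sites": ["hotel-c.ddns.example", "hotel-d.ddns.example"],
}

# Port forwards in rule order: (source alias, internal vSZ for WAN:22 -> target:22).
FORWARDS = [
    ("vsz1_sites", "10.0.0.11"),
    ("vsz2_sites", "10.0.0.12"),
]


def resolve_aliases(dns, aliases):
    """Return {alias: set of IPs}, as the periodic alias resolver would build.

    A hostname that does not resolve simply contributes nothing, which is
    also what happens on the firewall: that site's APs then match no rule.
    """
    return {
        name: {dns[host] for host in hosts if host in dns}
        for name, hosts in aliases.items()
    }


def route_ssh(tables, forwards, src_ip):
    """First matching forward wins, like pf rule order; None means no forward."""
    for alias, target in forwards:
        if src_ip in tables[alias]:
            return target
    return None


def overlapping_sources(tables, forwards):
    """Source IPs that appear in more than one forward's alias.

    Such an IP always hits the first rule, so two APs behind one hotel
    router that belong to different vSZs cannot be split by source.
    """
    owner = {}
    conflicts = set()
    for alias, _target in forwards:
        for ip in tables[alias]:
            if ip in owner and owner[ip] != alias:
                conflicts.add(ip)
            owner.setdefault(ip, alias)
    return conflicts


def simulate_ip_change(dns, aliases, forwards, host, new_ip):
    """A site's public IP changes after the last resolve.

    Returns (target before the next refresh, target after it): until the
    resolve interval elapses the AP's new source IP matches nothing.
    """
    stale_tables = resolve_aliases(dns, aliases)
    updated_dns = dict(dns)
    updated_dns[host] = new_ip          # the site's DDNS record is updated
    fresh_tables = resolve_aliases(updated_dns, aliases)
    return (route_ssh(stale_tables, forwards, new_ip),
            route_ssh(fresh_tables, forwards, new_ip))


if __name__ == "__main__":
    tables = resolve_aliases(DNS, ALIASES)
    for src in ("203.0.113.10", "198.51.100.40", "192.0.2.99"):
        print(src, "->", route_ssh(tables, FORWARDS, src))
    print("conflicts:", overlapping_sources(tables, FORWARDS))
    print("after DDNS change:",
          simulate_ip_change(DNS, ALIASES, FORWARDS,
                             "hotel-a.ddns.example", "203.0.113.11"))
```

In the pfSense GUI the equivalent is two NAT port forwards on WAN for TCP/22 with Source set to the respective alias, plus whatever you use to keep the hotels' DDNS names current; the stale window the last function shows is bounded by the Aliases Hostnames Resolve Interval quoted above, and an AP whose site is not yet in either alias (or whose record is out of date) will simply fail to reach any controller until the next refresh.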
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.