Netgate Discussion Forum
    LWAPP/CAPWAP Behind PfSense

    Firewalling
    4 Posts 2 Posters 3.1k Views
    mcamino

      Hello. I have an issue, and I am not sure how best to troubleshoot it. We have Cisco LWAPP access points set up behind our pfSense firewall. The Cisco APs are set up to connect to our corporate wireless controller over the internet, and that function works perfectly fine on every other vendor's firewall. These access points don't need incoming ports set up, just outgoing ports to establish a private tunnel. In Cisco terms they are running OfficeExtend mode via NAT.

      The issue is a strange one to me. The access points are able to connect to the remote wireless controller, and they configure themselves properly automatically. The laptops can see the corporate SSID and everything seems to be working fine, but none of our clients can associate with the access points.

      If we remove pfSense and put in a cheap Netgear home router, the problem goes away.

      Troubleshooting done:

      No block rules for outgoing traffic.
      Standard NAT/PAT rules on the WAN to LAN interface.
      I see the connections under the firewall logs, but I see SINGLE:NO_TRAFFIC on most of the ports.

      Can someone help me understand what setting I need to tweak to get this to work?

      mcamino

        bump

        cskolnick

          It's the NAT mapping that uses dynamic PAT.

          Try creating a NAT rule for the controller IP that will have a static port checked in the destination section.

          mcamino
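An added diagnostic, not part of this thread or of pfSense, that makes the point above checkable: it scans `pfctl -ss` style state lines for the CAPWAP (UDP 5246/5247) and legacy LWAPP (UDP 12222/12223) tunnel ports and flags every state where the AP's source port was rewritten by dynamic PAT, which is exactly what the static port option on the outbound NAT rule prevents. The state-line layout (parenthesised pre-NAT source) and the sample lines are assumptions, constructed with RFC 5737 documentation addresses.

```python
import re
from collections import namedtuple

# CAPWAP (RFC 5415) and legacy LWAPP control/data UDP ports of the AP-to-controller tunnel.
TUNNEL_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data",
                12222: "LWAPP data", 12223: "LWAPP control"}

# One UDP state line with outbound NAT applied. Assumption: the address in
# parentheses is the original (pre-NAT) AP source, the first address the translated one.
STATE_RE = re.compile(
    r"^\S+\s+udp\s+"
    r"(?P<nat_src>[\d.]+):(?P<nat_port>\d+)\s+"
    r"\((?P<orig_src>[\d.]+):(?P<orig_port>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dst_port>\d+)\s+(?P<state>\S+)")

Finding = namedtuple("Finding", "ap controller service orig_port nat_port state")

def find_rewritten_tunnel_ports(state_output):
    """Return one Finding per tunnel state whose AP source port was changed by PAT."""
    findings = []
    for line in state_output.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # not a NAT'd UDP state line
        dst_port = int(m["dst_port"])
        if dst_port not in TUNNEL_PORTS:
            continue                      # unrelated traffic (DNS, web, ...)
        orig_port, nat_port = int(m["orig_port"]), int(m["nat_port"])
        if orig_port != nat_port:         # dynamic PAT rewrote the source port
            findings.append(Finding(m["orig_src"], m["dst"], TUNNEL_PORTS[dst_port],
                                    orig_port, nat_port, m["state"]))
    return findings

# Constructed sample state-table output (documentation addresses), not real output.
SAMPLE = """\
all udp 203.0.113.5:61122 (192.168.1.20:5246) -> 198.51.100.10:5246   SINGLE:NO_TRAFFIC
all udp 203.0.113.5:61123 (192.168.1.20:5247) -> 198.51.100.10:5247   SINGLE:NO_TRAFFIC
all udp 203.0.113.5:5246 (192.168.1.21:5246) -> 198.51.100.10:5246    MULTIPLE:MULTIPLE
all udp 203.0.113.5:50000 (192.168.1.30:50000) -> 198.51.100.53:53    MULTIPLE:MULTIPLE
"""

if __name__ == "__main__":
    for f in find_rewritten_tunnel_ports(SAMPLE):
        print(f"{f.ap} -> {f.controller} {f.service}: source port {f.orig_port} rewritten "
              f"to {f.nat_port} ({f.state}); set static port on this outbound NAT rule")
```

The third sample line is the healthy case: the source port survived translation and the state is passing traffic in both directions.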

            Could you provide a bit more detail on what you are suggesting? I am not sure I understand which NAT I should modify and what ruleset you suggest I use.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.