Netgate Discussion Forum

LWAPP/CAPWAP Behind PfSense

Firewalling
mcamino, last edited by Jan 31, 2013, 1:04 PM

Hello. I have an issue, and I am not sure how best to troubleshoot it. We have Cisco LWAPP access points set up behind our pfSense firewall. The Cisco APs are set up to connect to our corporate wireless controller over the internet, and that function works perfectly fine on every other vendor firewall. These access points don't need incoming ports set up, just outgoing ports to establish a private tunnel. In Cisco terms they are running OfficeExtend mode via NAT.

The issue is a strange one to me. The access points are able to connect to the remote wireless controller, and they configure themselves properly automatically. The laptops can see the corporate SSID and everything seems to be working fine, but none of our clients can associate with the access points.

If we remove pfSense and put in a cheap Netgear home router, the problem goes away.

Troubleshooting done:

  • no block rules for outgoing traffic
  • standard NAT/PAT rules on WAN to LAN interface
  • I see the connections under the firewall logs, but I see SINGLE:NO_TRAFFIC on most of the ports.

Can someone help me understand what setting I need to tweak to get this to work?

mcamino, last edited by Feb 14, 2013, 11:28 PM

bump

cskolnick, last edited by Feb 24, 2013, 9:52 AM

It's the NAT mapping that uses dynamic PAT.

Try creating a NAT rule for the controller IP that will have a static port checked in the destination section.

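The symptom cskolnick points to, dynamic PAT rewriting the AP's source port, can be checked directly in pfSense's state table rather than guessed from the firewall log. The script below is an added example, not code from this thread or from Netgate: it assumes the `pfctl -ss` line layout shown in its comments, uses constructed sample lines with documentation-range addresses, and reports the AP-to-controller flows whose source port was changed (the flows the Static Port outbound NAT option would preserve).

```python
import re

# CAPWAP control/data ports (RFC 5415) plus the older LWAPP pair the thread's APs may still use.
TUNNEL_PORTS = {5246, 5247, 12222, 12223}

# pf state-table line as printed by `pfctl -ss` on pfSense with outbound NAT applied.
# Layout assumed for this example:
#   <if> <proto> <lan-src>:<sport> -> <wan-src>:<natport> -> <dst>:<dport>   <state>
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?:(?P<nat>[\d.]+):(?P<nport>\d+)\s+->\s+)?"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_state(line):
    """Parse one state line; return None for lines that are not state entries."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    for k in ("sport", "nport", "dport"):
        f[k] = int(f[k]) if f[k] is not None else None
    return f


def find_rewritten_tunnels(lines):
    """Return AP->controller tunnel flows whose source port was changed by dynamic PAT.

    The AP sends from the well-known tunnel port; a translated source port that differs
    from it is exactly what the thread's suggested Static Port NAT rule prevents.
    """
    findings = []
    for line in lines:
        f = parse_state(line)
        if not f or f["proto"] != "udp" or f["dport"] not in TUNNEL_PORTS:
            continue
        if f["nport"] is not None and f["nport"] != f["sport"]:
            findings.append({
                "ap": f["src"], "controller": f["dst"], "port": f["dport"],
                "rewritten_to": f["nport"], "state": f["state"],
                "stale": f["state"].endswith("NO_TRAFFIC"),  # the symptom seen in the thread
            })
    return findings


# Constructed sample state lines (hypothetical AP 192.168.1.20/21, controller 198.51.100.9).
SAMPLE_STATES = [
    "all udp 192.168.1.20:5246 -> 203.0.113.5:61234 -> 198.51.100.9:5246   SINGLE:NO_TRAFFIC",
    "all udp 192.168.1.20:5247 -> 203.0.113.5:61235 -> 198.51.100.9:5247   SINGLE:NO_TRAFFIC",
    "all udp 192.168.1.21:5246 -> 203.0.113.5:5246 -> 198.51.100.9:5246    MULTIPLE:MULTIPLE",
    "all udp 192.168.1.50:53012 -> 203.0.113.5:49001 -> 198.51.100.53:53   MULTIPLE:MULTIPLE",
]
```

Run it against real output with `pfctl -ss | python3 script.py`-style piping by replacing `SAMPLE_STATES` with `sys.stdin`; an empty result after applying the Static Port rule confirms the translation is now port-preserving.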
mcamino, last edited by Mar 4, 2013, 12:57 PM

Could you provide a bit more detail on what you are suggesting? I am not sure I understand which NAT I should modify and what ruleset you suggest I use.
