Guest WiFi, double NAT port forwards



  • I have some new Aruba WiFi access points on my network, which provides its own "guest" network. Basically, it hands out its own 172.31.98.0/23 addresses to guests, and then NATS them to my LAN (which is 192.168.0.0 address space). I have the pfSense firewall doing outbound NAT for LAN-to-WAN connections, and I also have lots of port forwards to servers back in a DMZ.

    Clients who connect to that guest network, and get NATted by the WiFi, and then sent out the pfSense WAN, can't get back in to the ports which are forwarded to the DMZ.
    Regular clients who connect via the LAN network can get sent out the WAN and get back in the forwarded ports just fine.

    Something with NATting the client before sending it to the pfSense firewall is screwing up the out and back in traversal.

    I realize split DNS is a possible solution, but in this circumstance, it won't really work, as I'm using public DNS servers.

    Is there any way to make this work right?

    Thanks!


  • Rebel Alliance Global Moderator

    That is horrible solution..  Why would you not just put guests on their own vlan and then you could do whatever you wanted to to with port forwarding, limiting access, etc..

    Your prob doing nat reflection for your normal lan clients.  But natting your guests to your typical lan IP is not good solution at all..  What specific aruba AP do you have?



  • Thanks for the reply johnpoz,

    I agree with you, this is a non-optimal solution, but they requested this guest network not be put on a dedicated VLAN since the APs can do VLAN+Firewall (IAP 205s). If this won't work optimally, I'll suggest we reconfigure it using VLANs and attempt to go that route.


  • Rebel Alliance Global Moderator

    Huh??  who requested such a nonsense setup.. Great if you can firewall at the AP… But why would you nat that traffic and then send it over your actual lan?  At a complete loss to anyone would want such a thing... You can not even tell what traffic this guest is from on the lan..

    Natting internally is almost always a bad idea ;)  Firewall it great, run it through 4 of them if you want ;)  But I don't see the point of the nat to your "lan"


  • Galactic Empire

    I'm not sure that it's double natting due to pfSense.

    I thought that the remote APs created a tunnel between the AP and the controller either local or on your intranet that's connected to the internet, is the double NAT occurring where controller is located ?

    http://www.arubanetworks.com/assets/ds/DS_AP200Series.pdf

    http://www.arubanetworks.com/products/networking/remote-access-points/

    http://www.arubanetworks.com/assets/eo/EO_RemoteAccess.pdf