    Netgate Discussion Forum
    Guest WiFi, double NAT port forwards

    • nickwhite

      I have some new Aruba WiFi access points on my network, which provide their own "guest" network. Basically, it hands out its own 172.31.98.0/23 addresses to guests, and then NATs them to my LAN (which is 192.168.0.0 address space). I have the pfSense firewall doing outbound NAT for LAN-to-WAN connections, and I also have lots of port forwards to servers back in a DMZ.

      Clients who connect to that guest network, and get NATted by the WiFi, and then sent out the pfSense WAN, can't get back in to the ports which are forwarded to the DMZ.
      Regular clients who connect via the LAN network can get sent out the WAN and get back in the forwarded ports just fine.

      Something with NATting the client before sending it to the pfSense firewall is screwing up the out and back in traversal.

      I realize split DNS is a possible solution, but in this circumstance, it won't really work, as I'm using public DNS servers.

      Is there any way to make this work right?

      Thanks!

      • johnpoz (LAYER 8 Global Moderator)

        That is a horrible solution.. Why would you not just put guests on their own VLAN? Then you could do whatever you wanted with port forwarding, limiting access, etc..

        You're prob doing NAT reflection for your normal LAN clients. But NATting your guests to your typical LAN IP is not a good solution at all.. What specific Aruba AP do you have?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • nickwhite

          Thanks for the reply johnpoz,

          I agree with you, this is a non-optimal solution, but they requested this guest network not be put on a dedicated VLAN since the APs can do VLAN+Firewall (IAP 205s). If this won't work optimally, I'll suggest we reconfigure it using VLANs and attempt to go that route.

          • johnpoz (LAYER 8 Global Moderator)

            Huh?? Who requested such a nonsense setup.. Great if you can firewall at the AP… But why would you NAT that traffic and then send it over your actual LAN? At a complete loss as to why anyone would want such a thing... You cannot even tell which traffic on the LAN is from this guest..

            NATting internally is almost always a bad idea ;) Firewalling it is great, run it through 4 of them if you want ;) But I don't see the point of the NAT to your "lan"


            • NogBadTheBad

              I'm not sure that it's double natting due to pfSense.

              I thought that the remote APs created a tunnel between the AP and the controller, either local or on your intranet, that's connected to the internet. Is the double NAT occurring where the controller is located?

              http://www.arubanetworks.com/assets/ds/DS_AP200Series.pdf

              http://www.arubanetworks.com/products/networking/remote-access-points/

              http://www.arubanetworks.com/assets/eo/EO_RemoteAccess.pdf

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
