Tuesday, June 10, 2014

HP MSM760 Guest access setup without NAT on external DHCP server.

2 years ago we installed 2 MSM760 Mobility Controllers as a team across 2 locations. We have 1 SSID for employees, one for guests, and another for the IT staff. This was all installed as part of a major overhaul we did to two of our locations. This was a complete infrastructure overhaul, from the ports on the wall to the core switch.

Initial Setup

Controller 1
Internet Port - SM -
Lan Port - -

Controller 2 Internet Port - - SM

Int 5 - SM -

Core Switch
VLAN 5 - Non routable/no IP address. Untagged for A7,A8 Which are the controller's internet port and int 5 of the firewall, respectively. It's also tagged on our interior network.

vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A6,A9-A22,B1-B8
   ip address <CORE SWITCH IP>
   no untagged A7-A8
   ip igmp
vlan 5
   name "GuestWireless"
   untagged A7-A8
   tagged A18,B4
   no ip address
   ip igmp

Initial Issues

The biggest issue I had was that the Guest network was setup with NAT. Which is fine in a lot of cases where you don't need total visibility into the guest network. Basically all the guest devices would get an IP from my DHCP server and the addresses were NAT'd at the controller before dumped off into a VLAN and finally to my firewall. So all Guest devices looked like 1 IP address to the firewall.

This presents two issues:
  1. My firewall only saw one IP address for all of my guest traffic because of NAT.
  2. Because of issue 1 I could not diagnose a lot of issues with the guest network because there was no visibility.


My plan was to disable NAT so my firewall would see each Guest device as an individual IP address. This would give me the visibility I wanted.


First I needed to set the settings I needed on controller 1. Since they're teamed no necessary changes were needed on the 2nd controller. *NOTE* It's been recommend to me that you adjust the internet port IP to match your master controllers subnet or you could run into issues.

For the Guest VSC I needed to change the DHCP relay agent from Use the following server to Forward to egress interface. Below are screens.



What this does is forward all DHCP requests attached to this VSC out of the internet port of the controller(s).

Next I needed to disable NAT on the internet port. You can find that under Controllers > Network > Ip interfaces > Internet Port
Just uncheck the box.

Next I needed to set the Internet Port IP address inside the range of the IPs I would like to hand out. I chose since the scope was already setup for my previous configuration. You can find the appropriate settings under Controllers > Network > IP Interfaces > Internet Port

Next I set a route to route the guest traffic to the firewall. You can find routes under Team -> Networks > IP Routes. I set a route for all traffic to route to (Firewall). This we'll configure in a moment.

The final thing I had to configure on the controller was Address Allocation. This stumped for me for a while until I read the manual. You can find it under Team > Network > Address Allocation. Since a pair of controllers in a team cannot function as a DHCP server you must use the address allocation tab to specify the server you'd like to handle your DHCP requests. You must also check the box Extend VSC egress subnet to VSC ingress. This is the explanation from HP text:

Extend VSC egress subnet to VSC ingress subnet
When enabled, the MSM760 will alter the DHCP address requests from client stations so that they appear to originate from the network assigned to the VSC egress. This will cause the DHCP server to assign IP addresses on this network to all client stations. The MSM760 handles all mapping between the two subnets internally.
For L2 connected APs operating in controlled mode:
Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.)
-Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP > Client data tunnel.
In simpler terms: whatever subnet you set on the internet port is going to be the subnet that the clients are going to get IP addresses from. Same concept as ip helper-address on HP switches.
*NOTE* From HP TEXT: DHCP Relay cannot work via the internet port. If you want to use DHCP you MUST use the "Extend VSC Egress. . ." checkbox. The Primary and secondary server address boxes can be left blank. They're ignored if the checkbox is ticked.
That finishes the setup on the controllers.

The next part will vary on your configuration as most people don't use the same firewall. I'm using a Watchguard 5 series running v11.9. (The latest at this time).

First thing I had to do is change the IP and subnet for my previous guest interface. I noted above that it was Now that I'm not using NAT and my controller is in the subnet, I'd like to use that. So I set the IP to (Which we set as the default route on the controller earlier).

Next I had to decide how to handle DHCP. As it sits right now all DHCP requests are being forwarded out my controller's internet port, hitting my core switch, then hitting my firewall. So I setup a DHCP relay agent on my firewall to forward the requests on to my external DHCP servers.

Next I added a route on the firewall to to 10.24.xxx.xxx (my core switch).

In my case I needed NAT at the firewall so I setup a NAT translation for the network.

This is all that is required on the firewall. (at least in my case)

Make sure you have a route on your core switch similar to this:


This will make sure all guest traffic is sent through the controller before traveling anywhere else. Especially if you have a routable VLAN. I advise against using one unless you have well built ACLs in place on your switches.

1 comment:

  1. Nice information thanks for sharing it..!it will be helpful for people searching this kind of information..