Initial SetupController 1
Internet Port - 192.168.10.2 SM - 255.255.255.248
Lan Port - 10.24.32.235 - 255.255.248.0
Controller 2 Internet Port - 192.168.10.3 - SM 255.255.255.248
Int 5 - 192.168.10.1 SM - 255.255.255.248
VLAN 5 - Non routable/no IP address. Untagged for A7,A8 Which are the controller's internet port and int 5 of the firewall, respectively. It's also tagged on our interior network.
ip address <CORE SWITCH IP>
no untagged A7-A8
no ip address
Initial IssuesThe biggest issue I had was that the Guest network was setup with NAT. Which is fine in a lot of cases where you don't need total visibility into the guest network. Basically all the guest devices would get an IP from my DHCP server and the addresses were NAT'd at the controller before dumped off into a VLAN and finally to my firewall. So all Guest devices looked like 1 IP address to the firewall.
This presents two issues:
- My firewall only saw one IP address for all of my guest traffic because of NAT.
- Because of issue 1 I could not diagnose a lot of issues with the guest network because there was no visibility.
PlanMy plan was to disable NAT so my firewall would see each Guest device as an individual IP address. This would give me the visibility I wanted.
SolutionFirst I needed to set the settings I needed on controller 1. Since they're teamed no necessary changes were needed on the 2nd controller. *NOTE* It's been recommend to me that you adjust the internet port IP to match your master controllers subnet or you could run into issues.
For the Guest VSC I needed to change the DHCP relay agent from Use the following server to Forward to egress interface. Below are screens.
What this does is forward all DHCP requests attached to this VSC out of the internet port of the controller(s).
Next I needed to disable NAT on the internet port. You can find that under Controllers > Network > Ip interfaces > Internet Port
Next I needed to set the Internet Port IP address inside the range of the IPs I would like to hand out. I chose 172.16.0.1/22 since the scope was already setup for my previous configuration. You can find the appropriate settings under Controllers > Network > IP Interfaces > Internet Port
Next I set a route to route the guest traffic to the firewall. You can find routes under Team -> Networks > IP Routes. I set a route for all 172.16.0.0/22 traffic to route to 172.16.0.2/22 (Firewall). This we'll configure in a moment.
The final thing I had to configure on the controller was Address Allocation. This stumped for me for a while until I read the manual. You can find it under Team > Network > Address Allocation. Since a pair of controllers in a team cannot function as a DHCP server you must use the address allocation tab to specify the server you'd like to handle your DHCP requests. You must also check the box Extend VSC egress subnet to VSC ingress. This is the explanation from HP text:
Extend VSC egress subnet to VSC ingress subnet
When enabled, the MSM760 will alter the DHCP address requests from client stations so that they appear to originate from the network assigned to the VSC egress. This will cause the DHCP server to assign IP addresses on this network to all client stations. The MSM760 handles all mapping between the two subnets internally.
For L2 connected APs operating in controlled mode:
Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.)
-Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP > Client data tunnel.
*NOTE* From HP TEXT: DHCP Relay cannot work via the internet port. If you want to use DHCP you MUST use the "Extend VSC Egress. . ." checkbox. The Primary and secondary server address boxes can be left blank. They're ignored if the checkbox is ticked.
That finishes the setup on the controllers.
The next part will vary on your configuration as most people don't use the same firewall. I'm using a Watchguard 5 series running v11.9. (The latest at this time).
First thing I had to do is change the IP and subnet for my previous guest interface. I noted above that it was 192.168.10.1. Now that I'm not using NAT and my controller is in the 172.16.0.1/22 subnet, I'd like to use that. So I set the IP to 172.16.0.2/22. (Which we set as the default route on the controller earlier).
Next I had to decide how to handle DHCP. As it sits right now all DHCP requests are being forwarded out my controller's internet port, hitting my core switch, then hitting my firewall. So I setup a DHCP relay agent on my firewall to forward the requests on to my external DHCP servers.
Next I added a route on the firewall to 172.16.0.0/22 to 10.24.xxx.xxx (my core switch).
In my case I needed NAT at the firewall so I setup a NAT translation for the network.
This is all that is required on the firewall. (at least in my case)
Make sure you have a route on your core switch similar to this:
ip route 172.16.0.1 255.255.255.255 <CONTROLLER MGMT INTERFACE>
This will make sure all guest traffic is sent through the controller before traveling anywhere else. Especially if you have a routable VLAN. I advise against using one unless you have well built ACLs in place on your switches.