AP230 Routing Problem

  • Updated 2 years ago
We currently have four Aerohive AP230s that we are evaluating. One of the AP230s is set up with an external IP address and is pushing out a private DHCP pool. The devices are able to connect to it, but they have limited connectivity. Below is the running config for the device.

security mac-filter Hive-Profile-1 default permit
security mac-filter PillarOfAutumn default permit
security-object PillarOfAutumn
security-object PillarOfAutumn security protocol-suite wpa2-aes-psk ascii-key aiPcj2skAOPdoKnIgEriq6x8elgy1Bam#VvF8
security-object PillarOfAutumn default-user-profile-attr 1
client-monitor policy default_Policy problem-type association
client-monitor policy default_Policy problem-type authentication
client-monitor policy default_Policy problem-type networking
ssid PillarOfAutumn
ssid PillarOfAutumn security-object PillarOfAutumn
ssid PillarOfAutumn security mac-filter PillarOfAutumn
ssid PillarOfAutumn 11g-rate-set 11-basic 6 9 12 18 24 36 48 54
ssid PillarOfAutumn multicast conversion-to-unicast auto
ssid PillarOfAutumn client-monitor-policy default_Policy
hive Hive-Profile-1
hive Hive-Profile-1 security mac-filter Hive-Profile-1
hive Hive-Profile-1 password LMJgyC3beG1PRASkjrvsPP6knXOnL1VDnAlM#4oQ7SuFZZ2j2NXsJv7fmr3wu39ZeAoJcHHKCeAMeDfYo$qU#Yu2$hobXLRaayYFD
interface eth0 native-vlan 1
interface eth1 native-vlan 1
interface wifi1 mode access
interface mgt0 hive Hive-Profile-1
interface wifi0 ssid PillarOfAutumn
interface wifi1 ssid PillarOfAutumn
interface mgt0.1 vlan 10
interface mgt0.1 ip
no interface mgt0.1 manage ping
kddr enable
hostname CLE-IT
admin root-admin admin password $vzUBUsGgwwmslRk#ceZtpvwoq$MzAXUd9JHr7vhSTJ6maHvehIwyeypA2nYa8I0ET3NQ
interface mgt0 ip 70.137.XXX.XXX
ip route net gateway 70.137.XXX.XX
no interface mgt0 dhcp client
interface mgt0.1 dhcp-server options netmask
interface mgt0.1 dhcp-server options dns1
interface mgt0.1 dhcp-server options dns2
interface mgt0.1 dhcp-server options vendor-specific VCI AEROHIVE
interface mgt0.1 dhcp-server ip-pool
interface mgt0.1 dhcp-server enable
ntp server 0.aerohive.pool.ntp.org
ntp server 1.aerohive.pool.ntp.org second
ntp server 2.aerohive.pool.ntp.org third
ntp server 3.aerohive.pool.ntp.org fourth
clock time-zone -5
config rollback enable
mac-object Samsung-Tablets-044665 mac-range 0446:6500:0000 - 0446:65ff:ffff
mac-object Samsung-Tablets-5C0A5B mac-range 5c0a:5b00:0000 - 5c0a:5bff:ffff
mac-object Samsung-Tablets-6021C0 mac-range 6021:c000:0000 - 6021:c0ff:ffff
mac-object Samsung-Tablets-5CF8A1 mac-range 5cf8:a100:0000 - 5cf8:a1ff:ffff
capwap client server name hmng-prd-va-cwps-01.aerohive.com
capwap client server backup name hmng-prd-va-cwpm-01.aerohive.com
capwap client dtls hm-defined-passphrase viyiRlsSd1jJoC3vkGrNSvn#ep3mLvabJWj5B key-id 1
capwap client vhm-name VHM-SDFZDOBO
no capwap client dtls negotiation enable
user-profile ITDept qos-policy def-user-qos vlan-id 10 attribute 1
no bonjour-gateway enable
application reporting auto
application reporting upload https://cloud-va.aerohive.com:443/afs... time-window 15 admin VHM-SDFZDOBO password M1En$1WUsprhsZ5SkiUJLouIoPznuVa9dBvtrG1OxqrKRUVPedbBw8#jsIuCaYmISlvnI basic
wpizzijr

Posted 2 years ago

Roberto Casula, Champ
You don't seem to be setting a default gateway for the clients in the DHCP scope. This would be needed if you had an external router or firewall on VLAN 10 providing routing and NAT for clients.

If you want the AP to perform routing and NAT for wireless clients, then you need to do the following:

1. Specify a default gateway address option for clients on the subnet (make this a different address from the mgt0.1 address assigned to the AP) and enable the nat-support parameter on this option (this causes the AP to respond to ARP requests from clients for the default gateway address specified).
2. Create a firewall policy with rules using the "nat" action to allow the AP to hide client traffic behind the public address. You also need a rule to allow DHCP traffic to work properly without being NATted (i.e. first rule needs to allow the DHCP-Server service with an action of "allow" rather than "NAT").

I'm not sure whether all of this configuration is fully supported yet in HiveManager NG, but it can certainly be configured on the command-line and in HiveManager 6 (there are some screenshots of the configuration in HM6 in this post).
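An added example, not part of the thread or of Aerohive's software: a small Python linter that parses HiveOS-style `interface ... dhcp-server` lines like the ones in the question and reports the gaps the answer above describes (no gateway option, gateway equal to the AP's own mgt0.1 address, gateway outside the subnet, missing nat-support, empty pool). The option keyword `gateway`, and the way `nat-support` is appended to it, are assumptions to be checked against the HiveOS CLI reference; the sample config and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the running config in the question; the
# addresses are RFC 1918 placeholders, not the poster's values.
SAMPLE_CONFIG = """\
interface mgt0.1 vlan 10
interface mgt0.1 ip 192.168.10.1/24
interface mgt0.1 dhcp-server options netmask 255.255.255.0
interface mgt0.1 dhcp-server ip-pool 192.168.10.50 192.168.10.150
interface mgt0.1 dhcp-server enable
"""

def parse_scopes(config):
    """Collect per-interface IP and dhcp-server settings from HiveOS-style lines."""
    scopes = {}
    for line in config.splitlines():
        m = re.match(r"interface (\S+) (ip|dhcp-server)\b\s*(.*)", line.strip())
        if not m:                      # 'no interface ...' and unrelated lines are skipped
            continue
        iface, kind, rest = m.groups()
        s = scopes.setdefault(iface, {"ip": None, "options": {}, "pool": None, "enabled": False})
        words = rest.split()
        if kind == "ip":
            s["ip"] = words[0] if words else None
        elif words[:1] == ["options"] and len(words) > 1:
            s["options"][words[1]] = words[2:]      # [] when the value was left blank
        elif words[:1] == ["ip-pool"]:
            s["pool"] = tuple(words[1:3]) if len(words) >= 3 else None
        elif words == ["enable"]:
            s["enabled"] = True
    return scopes

def _iface_addr(ip):
    """Parse 'a.b.c.d[/len]'; None for missing or redacted (e.g. 'XXX') addresses."""
    try:
        return ipaddress.ip_interface(ip) if ip else None
    except ValueError:
        return None

def lint_scope(iface, s):
    """Return the problems the answer describes for one enabled scope (empty = OK)."""
    if not s["enabled"]:
        return []
    findings, addr = [], _iface_addr(s["ip"])
    if addr is None:
        findings.append("no usable IP address on the DHCP-serving interface")
    if not s["pool"]:
        findings.append("ip-pool has no address range")
    gw = s["options"].get("gateway", [])   # 'gateway' is an assumed option keyword
    if not gw:
        findings.append("no default gateway option: clients cannot leave the subnet")
    else:
        if addr and ipaddress.ip_address(gw[0]) not in addr.network:
            findings.append("gateway option is outside the interface's subnet")
        if addr and gw[0] == str(addr.ip):
            findings.append("gateway option equals the AP's own address; use a separate one")
        if "nat-support" not in gw[1:]:    # assumed placement of the nat-support flag
            findings.append("gateway option lacks nat-support: AP will not answer ARP for it")
    return [f"{iface}: {f}" for f in findings]

def lint_config(config):
    return [f for iface, s in parse_scopes(config).items() for f in lint_scope(iface, s)]
```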