DHCP Server for Guest network across multiple APs

  • 1
  • Question
  • Updated 3 years ago
Read many of the posts on the community regarding setting up the DHCP Server for a guest network, but none seems to have the same trouble we have. Either the new firmware works differently or we're doing something really wrong.

We've set an AP as DHCP server on VLAN 8. The DNS IP is a public IP like OpenDNS. In the IP Firewall policy on the user profile for this Access type (SSID), on the From-Access side, we have Any Application:DHCP Permit and Any Application:DNS NAT. Everything works when connected directly to that AP.
The same SSID is applied to other APs without, however, adding the DHCP Server, and VLAN 8 is tagged over the network to all other APs. When connected to another AP with this SSID, we do get an IP address from the DHCP server on the principal AP, but there is no DNS resolution.

Since the IP Firewall Policy is applying DNS NAT on an AP that is not the DHCP Server, we're guessing this AP is not doing any NAT at all and is dropping the packets.

Should we create a different Access type with the same SSID, apply it to the other (non-DHCP) APs and permit DHCP rather than NAT? Will the DNS request then be NATed when it reaches the default gateway (i.e. the DHCP server AP)? Doesn't seem likely, since the IP Firewall applies between the wireless client and the AP (I think :S ). A bit lost there, please help..

absando

  • 3 Posts
  • 0 Reply Likes
  • confused, lost

Posted 3 years ago

  • 1

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Is there a reason you are just not using DNS for the access point firewall rules?

When you create the DHCP server definition to handle DHCP requests in VLAN 8 and assign it, the access point automatically creates a sub-interface in VLAN 8 and handles everything else automatically.

In the firewall rules I always start with:

  • Any XXXXX Network:DNS Permit
  • Any Any Network:DHCP-Client Permit
  • Any Any Network:DHCP-Server Permit
And this handles your DNS and DHCP.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Wouldn't this allow rogue DHCP servers to operate on clients?

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
You can certainly lock the DHCP down to specific IP addresses if that is an issue.

If you have a nice DHCP server you can generally just allow DHCP-Client traffic, but I have experienced issues with this configuration when the DHCP service is on an appliance, commonly a firewall.
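The two replies above raise the question of rogue DHCP servers on the guest VLAN and the option of locking DHCP down to specific server addresses. The following is an added example, not code from the thread or from Aerohive: a small Python auditor that parses DHCP OFFER/ACK payloads, checks the server identifier (option 54) against an allow-list of approved DHCP servers, and checks the DNS servers (option 6) against the expected resolvers. The server address 192.168.8.1, the client MAC and both packets are constructed test data; the DNS addresses are the OpenDNS resolvers mentioned in the question. A practitioner would feed it the UDP payloads from a packet capture on the guest VLAN.

```python
"""Audit DHCP OFFER/ACK messages against an allow-list of DHCP and DNS servers.

Added example. The packets below are constructed in code, not captured from a network.
"""
import struct
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload into header fields and a {code: value} option map."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    # ciaddr, yiaddr, siaddr, giaddr sit at fixed offsets 12, 16, 20, 24
    addrs = [str(ipaddress.IPv4Address(payload[o:o + 4])) for o in (12, 16, 20, 24)]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {
        "op": op, "xid": xid, "chaddr": payload[28:28 + hlen].hex(":"),
        "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
        "options": options,
    }


def ipv4_list(raw: bytes) -> list:
    """Decode a run of packed IPv4 addresses (ignores a trailing partial address)."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit_server_message(payload: bytes, allowed_servers: set, expected_dns: set) -> list:
    """Return findings for an OFFER/ACK; an empty list means the message is as expected."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (2, 5):  # only server-originated replies are audited
        return []
    tag = f"{MSG_NAMES[mtype]} xid={msg['xid']:#x}"
    findings = []
    server_id = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    if not server_id:
        findings.append(f"{tag}: no server identifier (option 54)")
    elif server_id[0] not in allowed_servers:
        findings.append(f"{tag}: unexpected DHCP server {server_id[0]} "
                        f"offered {msg['yiaddr']} to {msg['chaddr']}")
    unexpected_dns = set(ipv4_list(opts.get(OPT_DNS, b""))) - expected_dns
    if unexpected_dns:
        findings.append(f"{tag}: unexpected DNS servers {sorted(unexpected_dns)}")
    return findings


def build_offer(xid: int, client_mac: bytes, yiaddr: str, server_ip: str, dns_servers, msg_type=2) -> bytes:
    """Build a minimal DHCP OFFER/ACK payload (constructed test data, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, htype=Ethernet, hlen=6
    header += b"\x00" * 4                                     # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed            # yiaddr
    header += ipaddress.IPv4Address(server_ip).packed         # siaddr
    header += b"\x00" * 4                                     # giaddr
    header += client_mac.ljust(16, b"\x00")                   # chaddr
    header += b"\x00" * (64 + 128)                            # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + opts


# Constructed sample data: the AP hosting the guest DHCP server is assumed to be 192.168.8.1.
GUEST_DHCP_SERVERS = {"192.168.8.1"}
GUEST_DNS = {"208.67.222.222", "208.67.220.220"}  # OpenDNS resolvers
CLIENT_MAC = bytes.fromhex("0a1b2c3d4e5f")
LEGIT_OFFER = build_offer(0x1234, CLIENT_MAC, "192.168.8.50", "192.168.8.1", ["208.67.222.222"])
ROGUE_OFFER = build_offer(0x1234, CLIENT_MAC, "192.168.8.77", "192.168.8.200", ["192.168.8.200"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_server_message(pkt, GUEST_DHCP_SERVERS, GUEST_DNS) or ["ok"])
```

Running it reports nothing for the legitimate offer and two findings for the rogue one (unexpected server identifier and unexpected DNS server). Matching on option 54 rather than the IP header is deliberate: it is the value the client uses to choose a server, and it is what a firewall rule restricted to "specific IP addresses" would need to agree with.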

absando

  • 3 Posts
  • 0 Reply Likes
Our router does not see the IP address of the guest network. Without the NAT, the guest cannot route to the Internet. We are running out of IPs on our network, and with the BYOD initiative we'd rather have a pool of IPs on each site for guests that we can grow as needed without affecting the rest of the WAN. Our config looks a lot like the following, but with the mentioned problem.. https://community.aerohive.com/aerohi...

absando

  • 3 Posts
  • 0 Reply Likes
Seems like in this particular config the DHCP Server has to be applied to every AP.. :( not ideal when you have a lot of APs and have to apply the DHCP server individually..

ajay jadhav

  • 1 Post
  • 0 Reply Likes
Hi team,

Can I create a local DHCP server on a single Aerohive AP acting as a stand-alone with one public IP on the Mgt0 interface? The local DHCP server should be NATed to the public IP of Mgt0.