NAT pools?

  • Question
  • Updated 5 years ago
  • Answered
Hey guys,

I have this case: I'm working on a PoC with a customer that has 2 separate VLANs which they use for different departments of the same company. They cannot extend those VLANs to the wireless because they are almost full, and the network is managed by corporate managers in another country, so all changes take a long time to be requested and approved, not to mention that this is not a production requirement, so the managers won't want to make changes just for a PoC.

So we came across the idea of having two NAT pools in the AP to do NAT for each of the VLANs. Is it possible to do this with HiveAPs?

Erick Muller

  • 35 Posts
  • 8 Reply Likes

Posted 5 years ago


Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
The short answer is yes, you can do that. It's not a great solution for roaming, since the clients would be getting an IP address from each AP anew, so if you are doing any SIP or other real time protocols, I would not recommend this setup.

To start, I created two DHCP server objects.
Dog-Net =
Interface MGT0.11
VLAN 11
IP address 192.168.11.254/255.255.255.0
Pool = .50 to .250
DHCP options - gateway = 192.168.11.1 (cannot be the same address you assign above), DNS server 1 = 8.8.8.8
Under Advanced, enable NAT.

Cat-Net =
Interface MGT0.12
VLAN 22
IP address 192.168.22.254/255.255.255.0
Pool = .50 to .250
DHCP options - gateway = 192.168.22.1 (cannot be the same address you assign above), DNS server 1 = 8.8.8.8
Under Advanced, enable NAT.

Select each AP which you want to offer these NAT zones, Modify, and expand Service Settings.
Select both DHCP servers you created and move them to the Selected Servers box.
Save the device settings.

Then, I created an 802.1X/EAP-enabled SSID. My RADIUS server delivers two attributes, which I map to user profile 11 (dogs) and user profile 22 (cats).

User Profile Dogs
Attribute 11 (to match the attribute delivered from RADIUS)
Default VLAN = 11 (to match the VLAN set in the DHCP server object)
Expand Firewalls, and create a new From-Access policy.
Name = DogNAT
Source IP = 192.168.11.0/255.255.255.0 (to match the range in the DHCP server)
Service = Network Service Any
Action = NAT
Save the Firewall policy and apply to From-Access.
Set default action to Permit.
Save the user policy.

User Profile Cats
Attribute 22 (to match the attribute delivered from RADIUS)
Default VLAN = 22 (to match the VLAN set in the DHCP server object)
Expand Firewalls, and create a new From-Access policy.
Name = CatNAT
Source IP = 192.168.22.0/255.255.255.0 (to match the range in the DHCP server)
Service = Network Service Any
Action = NAT
Save the Firewall policy and apply to From-Access.
Set default action to Permit.
Save the user policy.

In my case, I have a different user policy as the default, with Cats and Dogs selected as Authentication user profiles.

Push the policy to your AP and test.
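The answer above repeatedly says a value "must match" something set earlier (the gateway must differ from the interface address, the profile VLAN must equal the DHCP object's VLAN, the NAT policy's source subnet must equal the DHCP pool's subnet). The following added Python script is not from the thread or from Aerohive; it simply encodes those consistency rules against the Dog-Net/Cat-Net values posted above, so a misconfiguration is caught before the policy is pushed to the APs. The dataclass field names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpServerObject:
    name: str
    vlan: int
    address: str      # AP interface address, "ip/netmask" as entered in the DHCP object
    pool_first: int   # host part of the first pool address (".50")
    pool_last: int    # host part of the last pool address (".250")
    gateway: str      # DHCP option delivered to clients
    nat_enabled: bool # "Under Advanced, enable NAT"


@dataclass
class UserProfile:
    name: str
    default_vlan: int
    nat_source: str   # From-Access policy Source IP, "network/netmask"


def check_nat_zone(dhcp: DhcpServerObject, profile: UserProfile) -> list[str]:
    """Return every rule from the answer that this DHCP object / user profile pair breaks."""
    problems = []
    iface = ipaddress.ip_interface(dhcp.address)      # accepts 192.168.11.254/255.255.255.0
    net = iface.network
    gw = ipaddress.ip_address(dhcp.gateway)
    first = net.network_address + dhcp.pool_first
    last = net.network_address + dhcp.pool_last
    if gw == iface.ip:
        problems.append(f"{dhcp.name}: gateway must not be the interface address")
    if gw not in net:
        problems.append(f"{dhcp.name}: gateway {gw} is outside {net}")
    if not (first in net and last in net and first <= last):
        problems.append(f"{dhcp.name}: pool {first}-{last} does not fit in {net}")
    elif first <= iface.ip <= last or first <= gw <= last:
        problems.append(f"{dhcp.name}: pool would hand out the interface or gateway address")
    if not dhcp.nat_enabled:
        problems.append(f"{dhcp.name}: NAT is not enabled under Advanced")
    if profile.default_vlan != dhcp.vlan:
        problems.append(f"{profile.name}: default VLAN {profile.default_vlan} != DHCP VLAN {dhcp.vlan}")
    if ipaddress.ip_network(profile.nat_source, strict=False) != net:
        problems.append(f"{profile.name}: NAT policy source {profile.nat_source} != DHCP subnet {net}")
    return problems


# The two zones exactly as posted in the answer above.
DOG_NET = DhcpServerObject("Dog-Net", 11, "192.168.11.254/255.255.255.0", 50, 250, "192.168.11.1", True)
DOGS = UserProfile("Dogs", 11, "192.168.11.0/255.255.255.0")
CAT_NET = DhcpServerObject("Cat-Net", 22, "192.168.22.254/255.255.255.0", 50, 250, "192.168.22.1", True)
CATS = UserProfile("Cats", 22, "192.168.22.0/255.255.255.0")
```

Run `check_nat_zone(DOG_NET, DOGS)` and `check_nat_zone(CAT_NET, CATS)`; an empty list means the pair is consistent, otherwise each string names the rule that was broken.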