Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎04-13-2012 02:29 PM

BSAP firewall config

Jump to solution

I'm trying to confuger BSAPs to connect to our controller over the internet.

I've configured the firewall a netvanta 3120 with ACLS:

  permit tcp any  host x.x.x.x eq 97   log

  permit tcp any  host x.x.x.x eq 33333   log

  permit tcp any  host x.x.x.x.169 eq 28000   log

I've also configured with the ports open

– IP Protocol 97 (EtherIP): Client Data (AP to AP)

– TCP/UDP 33333: Secure TLS Control Channel

– UDP port 53 (DNS): AP Discovery

– UDP port 69 (TFTP): Firmware

– TCP port 28000: Secure TLS RFIDS Channel

– TCP port 80 (HTTP): Required for Web Auth and/or BlueProtect

– TCP port 443 (HTTPS): Required for Web Auth and/or BlueProtect

– UDP port 1812 (RADIUS): Internal 802.1x Authentication

Even tried all protocol/all ports

Still no luck.

The BSAP status LED is blinking (looks orange to me).

Ethernet blinking

No radio LEDs lit

The BSAP does not appear to be rebooting every 3 minutes.

I have a console connection to the AP.

0 Kudos
Reply
1 Solution

Accepted Solutions
Anonymous
Not applicable
‎04-13-2012 03:57 PM

Re: BSAP firewall config

Jump to solution

@knevyn

Okay, thank you. The issue is likely with the vWLAN being NATed. At present, remote BSAPs cannot discover a vWLAN residing behind a NAT even if port forwarding is configured for the necessary services. A feature request has been submitted to support this setup and our product management team is working to prioritize it on the road-map. For now, would it be possible within your network design to assign the vWLAN a routable IP address - perhaps something on the DMZ?

Thanks again,

Erik

View solution in original post

0 Kudos
Reply
6 Replies
Anonymous
Not applicable
‎04-13-2012 02:35 PM

Re: BSAP firewall config

Jump to solution

permit tcp any  host x.x.x.x.169 eq 28000   log Should be permit tcp any  host x.x.x.x eq 28000   log ---- 169 was last oct

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎04-13-2012 03:01 PM

Re: BSAP firewall config

Jump to solution

@knevyn,

Are you connecting your BSAPs to the vWLAN or BSC architecture? And what form of AP Discovery are you using - e.g., DNS, DHCP option 43, or static?

Thank you,

Erik

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎04-13-2012 03:25 PM

Re: BSAP firewall config

Jump to solution

I'm connecting the BSAPs to cable DSL network, separate from our internal network where the vWLAN is. I have the vWLAN NATed out the firewall. I can connect to the vWLAN web interface through the cable DSL. So I believe I've got the ports open correctly.

I'm using static for the BSAPs outside the firewall. I set mode to static then enter the contollers IP address save and reboot.

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎04-13-2012 03:57 PM

Re: BSAP firewall config

Jump to solution

@knevyn

Okay, thank you. The issue is likely with the vWLAN being NATed. At present, remote BSAPs cannot discover a vWLAN residing behind a NAT even if port forwarding is configured for the necessary services. A feature request has been submitted to support this setup and our product management team is working to prioritize it on the road-map. For now, would it be possible within your network design to assign the vWLAN a routable IP address - perhaps something on the DMZ?

Thanks again,

Erik

0 Kudos
Reply
Anonymous
Not applicable
‎04-13-2012 04:09 PM

Re: BSAP firewall config

Jump to solution

Routable IP is possible.

Any idea of eta for NATing?

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎04-16-2012 12:11 PM

Re: BSAP firewall config

Jump to solution

@knevyn

Regrettably, I can't comment on the ETA of road-map items via the Community. However, I might suggest reaching out to your reseller and/or regional sales manager who could follow-up on this for you.

Thanks again,

Erik

0 Kudos
Accept as Solution Reply