Controllerless Networks

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Have you configured E0 as downlink (bridging) on the point APs?

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Have you configured E0 as downlink (bridging) on the point APs?

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

You can refer to this technote that covers most aspect of mesh network with Aruba Instant. It covers your scenario too.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

I have done a packet capture, at both the portal and the point node using debug pkt. 

When the client is connected to the point, I see the outgoing packets on both the point and the portal, as well as on the router. I then see the ping reply on the return path received by the router, then forwarded to the interface where the portal AP is configured. However, on the portal AP, I do not see the reply being received by neither the portal nor the point. It's as thought the portal is ignoring.

When the client is connected to the portal node, I the same on the outgoing path, and I do see the packet response on the AP, before it gets back to the client.

The packet capture on the router, in both cases, appears the same.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Go ahead and configure the uplink switch native VLAN to 1 rather than blank/0 in the system configuration.

I have done a packet capture, at both the portal and the point node using debug pkt. 

When the client is connected to the point, I see the outgoing packets on both the point and the portal, as well as on the router. I then see the ping reply on the return path received by the router, then forwarded to the interface where the portal AP is configured. However, on the portal AP, I do not see the reply being received by neither the portal nor the point. It's as thought the portal is ignoring.

When the client is connected to the portal node, I the same on the outgoing path, and I do see the packet response on the AP, before it gets back to the client.

The packet capture on the router, in both cases, appears the same.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Set VLAN to 1, but still no change. Here's a datapath bridge output, just in case I'm missing something obvious.

A quick legend of devices:

a8:bd:27:ca:63:90 -- Point node  

34:fc:b9:cf:16:26 -- Portal node

00:1A:8C:47:3E:60  -- the gateway/router

A8:64:F1:CE:37:09 -- the wireless client

Go ahead and configure the uplink switch native VLAN to 1 rather than blank/0 in the system configuration.

I have done a packet capture, at both the portal and the point node using debug pkt. 

When the client is connected to the point, I see the outgoing packets on both the point and the portal, as well as on the router. I then see the ping reply on the return path received by the router, then forwarded to the interface where the portal AP is configured. However, on the portal AP, I do not see the reply being received by neither the portal nor the point. It's as thought the portal is ignoring.

When the client is connected to the portal node, I the same on the outgoing path, and I do see the packet response on the AP, before it gets back to the client.

The packet capture on the router, in both cases, appears the same.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

I can't currently mirror your exact setup, but with AP-303H running IAP 8.12.0.2 and a simple VC based mesh cluster, I'm not seeing the issue.

If you haven't opened a case with TAC on this, I'd recommend doing so.

Set VLAN to 1, but still no change. Here's a datapath bridge output, just in case I'm missing something obvious.

A quick legend of devices:

a8:bd:27:ca:63:90 -- Point node  

34:fc:b9:cf:16:26 -- Portal node

00:1A:8C:47:3E:60  -- the gateway/router

A8:64:F1:CE:37:09 -- the wireless client

Go ahead and configure the uplink switch native VLAN to 1 rather than blank/0 in the system configuration.

I have done a packet capture, at both the portal and the point node using debug pkt. 

When the client is connected to the point, I see the outgoing packets on both the point and the portal, as well as on the router. I then see the ping reply on the return path received by the router, then forwarded to the interface where the portal AP is configured. However, on the portal AP, I do not see the reply being received by neither the portal nor the point. It's as thought the portal is ignoring.

When the client is connected to the portal node, I the same on the outgoing path, and I do see the packet response on the AP, before it gets back to the client.

The packet capture on the router, in both cases, appears the same.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!

Go ahead and configure the uplink switch native VLAN to 1 rather than blank/0 in the system configuration.

I have done a packet capture, at both the portal and the point node using debug pkt. 

When the client is connected to the point, I see the outgoing packets on both the point and the portal, as well as on the router. I then see the ping reply on the return path received by the router, then forwarded to the interface where the portal AP is configured. However, on the portal AP, I do not see the reply being received by neither the portal nor the point. It's as thought the portal is ignoring.

When the client is connected to the portal node, I the same on the outgoing path, and I do see the packet response on the AP, before it gets back to the client.

The packet capture on the router, in both cases, appears the same.

Can you get a packet capture on the uplink from the portal and validate that the return traffic is reaching the portal AP?

Thank you for clarifying. Native VLAN on the router (which the portal node is connected to directly) is default (i.e. VLAN 1). 

I also tried with a different (very basic consumer class) router, but same behavior. It's as though the portal node does not know how to traffic to the point nodes, only where the gateway is the origin - I'm wondering if it has something to do with the ARP tables.

I welcome any ideas. I have a few of the APs, and tried different units, and same issue. I can't seem to wrap my head around this.

Sorry, was asking for the VLAN information from the switch/router side.  What is the native VLAN set to for the downlink from the wired side to the portal?

Honestly, I've not seen this kind of failure, as described, before.  We can see a similar failure when the VLAN isn't getting handled properly between the portal and points but shouldn't see this when running a truly flat and untagged network.

VLAN configuration has not been implemented/changed anywhere on the network - it is all set to default on the APs.

So:

• On the Network definition, clients are assigned a VLAN of 1
• On the AP configuration, the Uplink management VLAN is 0
• Uplink switch native VLAN is unconfigured (so defaulting to 1)

That being said, not sure how this could be a VLAN issue....I would assume that if it were, then the point-node connected clients would have issues accessing not just the external network, but any other device connected to the gateway on the same subnet (however, there is no issue with accessing hosts on the same subnet)

Original Message:
Sent: Sep 23, 2024 10:53 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

What VLAN is set as native for the downlink to the portal?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 23, 2024 10:38 AM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello, 

I had tried enabled bridging on the point APs before as part of troubleshooting, but this did not help. 

Not currently configured as bridged. I will also note that on the point APs, I only have a connection on Eth0 on both to supply power. No data (connected to a power injector)

Original Message:
Sent: Sep 23, 2024 10:20 AM
From: chulcher
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Have you configured E0 as downlink (bridging) on the point APs?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 19, 2024 08:49 PM
From: Arubnoob
Subject: IAP-325 in a mesh - Mesh Point nodes have access to local network only

Hello All,

I have encountered an odd issue with my setup of three IAP-325 APs in a mesh. I have read a variety of documentation, and forum posts, but have not been able to find a solution, and I'm hoping that someone can enlighten me as to what I'm missing and restore my sanity.

As I said, I have three IAP-325 APs in a mesh. Right now, I just want to have a bare configuration, which allows a client to connect to any mesh node, and access local network and internet, without limitation. 

Here's what I'm encountering:

• When a client is connected to the mesh Portal node, the client can access the all local network resources, as well as access the internet. The client can also be accessed by other network devices. No issues.
• When a client is connected to a node in the role of a Point node, it can access (and be accessed from) the local network. It can ping the router. The router can ping the client as well. However, these clients don't have access to the internet. 
• Running a packet capture on the router while connected to a Point node and pinging an external resource, I see the packets coming out to the external network, I can see the reply packets coming in and leaving internal interface bound for the client connected to the Point, but they never get there.
• If I telnet to that point node, I also can ONLY ping internal resources, including the gateway, but not past the gateway.
• No issues if the APs are wired in (i.e. all Portal nodes)

A few quick facts:

• Running version 8.7.0.
• No VLANs configured.
• Network is flat, with one gateway, which is the router.
• DHCP, DNS is provided by the router.
• A single SSID is used (enhanced SSID is turned off)
• Mesh seems to be formed fine.
• I have tried this on a few different versions (with factory resets in between), and have observed the same behavior across all:
  • ArubaInstant_Hercules_6.5.4.27_88283
  • ArubaInstant_Hercules_8.10.0.13_90226
  • ArubaInstant_Hercules_8.7.1.0_77203
• One network, setup for Employee usage, with access set to Unrestricted

Current configuration is posted below. 

version 8.7.1.0-8.7.1virtual-controller-country CAvirtual-controller-key <<REDACTED>>name instant-CA:7A:76terminal-accesstelnet-serverclock timezone none 00 00rf-band allallow-new-apsallowed-ap a8:bd:27:ca:7a:76allowed-ap a8:bd:27:ca:63:90allowed-ap 34:fc:b9:cf:16:26arm wide-bands 5ghz 80mhz-support min-tx-power 18 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode default-access client-aware scanningsyslog-level warn ap-debug syslog-level warn network syslog-level warn security syslog-level warn system syslog-level warn user syslog-level warn user-debug syslog-level warn wireless mgmt-user admin <<REDACTED>>wlan access-rule default_wired_port_profile index 0 rule any any match any any any permitwlan access-rule wired-SetMeUp index 1 rule masterip 0.0.0.0 match tcp 80 80 permit rule masterip 0.0.0.0 match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permitwlan access-rule MyNetwork index 2 rule any any match any any any permitinbound-firewall rule any any any any match tcp 22 22 permitwlan ssid-profile MyNetwork enable index 0 type employee essid <<REDACTED>> wpa-passphrase <<REDACTED>> opmode wpa2-psk-aes max-authentication-failures 0 vlan 1 rf-band all captive-portal disable dtim-period 1 broadcast-filter arp dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64auth-survivability cache-time-out 24wlan external-captive-portal server localhost port 80 url "/" auth-text "Authenticated" auto-whitelist-disable httpsblacklist-time 3600auth-failure-blacklist-time 3600ids wireless-containment nonewired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1xwired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1xenet0-port-profile default_wired_port_profileuplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180airgroup disableairgroupservice airplay disable description AirPlayairgroupservice airprint disable description AirPrint

I appreciate any assistance/direction anyone can provide to help me get external network access to my client from any node. 

Many thanks!