knevyn
New Contributor III

BSAP firewall config


I'm trying to configure BSAPs to connect to our controller over the internet.

I've configured the firewall, a NetVanta 3120, with ACLs:

  permit tcp any  host x.x.x.x eq 97   log

  permit tcp any  host x.x.x.x eq 33333   log

  permit tcp any  host x.x.x.x.169 eq 28000   log

I've also configured with the ports open

– IP Protocol 97 (EtherIP): Client Data (AP to AP)

– TCP/UDP 33333: Secure TLS Control Channel

– UDP port 53 (DNS): AP Discovery

– UDP port 69 (TFTP): Firmware

– TCP port 28000: Secure TLS RFIDS Channel

– TCP port 80 (HTTP): Required for Web Auth and/or BlueProtect

– TCP port 443 (HTTPS): Required for Web Auth and/or BlueProtect

– UDP port 1812 (RADIUS): Internal 802.1x Authentication

Even tried all protocol/all ports

Still no luck.

The BSAP status LED is blinking (looks orange to me).

Ethernet blinking

No radio LEDs lit

The BSAP does not appear to be rebooting every 3 minutes.

I have a console connection to the AP.
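Added example, not part of the original thread: a Python check that compares the ACL lines from the first post against the service list in the same post, which separates IP protocol 97 from TCP port 97. The `REQUIRED` table is transcribed from the post; the parser handles only the `permit ... any host ... eq ...` form shown there, and treating `permit ip` as matching all traffic is an assumption.

```python
import re

# Services listed in the first post (transcribed); "ip" marks a raw IP protocol
# number, not a TCP/UDP port.
REQUIRED = [
    ("ip", 97, "EtherIP client data"),
    ("tcp", 33333, "TLS control channel"),
    ("udp", 33333, "TLS control channel"),
    ("udp", 53, "DNS AP discovery"),
    ("udp", 69, "TFTP firmware"),
    ("tcp", 28000, "TLS RFIDS channel"),
    ("tcp", 80, "HTTP web auth"),
    ("tcp", 443, "HTTPS web auth"),
    ("udp", 1812, "RADIUS 802.1x"),
]

# ACL lines as posted (x.x.x.x is the poster's own redaction).
ACL = """\
permit tcp any  host x.x.x.x eq 97   log
permit tcp any  host x.x.x.x eq 33333   log
permit tcp any  host x.x.x.x eq 28000   log
"""

RULE = re.compile(r"^\s*permit\s+(\S+)\s+any\s+host\s+\S+(?:\s+eq\s+(\d+))?")

def parse_acl(text):
    """Return {(protocol, port)}; port is None when the rule has no 'eq'."""
    rules = set()
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.add((m.group(1).lower(), int(m.group(2)) if m.group(2) else None))
    return rules

def audit(acl_text, required=REQUIRED):
    """Return (services with no matching permit, permits matching no service)."""
    rules = parse_acl(acl_text)
    any_ip = ("ip", None) in rules  # assumption: 'permit ip' matches all traffic
    def covered(proto, num):
        # A tcp/udp 'eq 97' rule matches a port, never IP protocol number 97.
        if proto == "ip":
            return any_ip
        return any_ip or (proto, num) in rules or (proto, None) in rules
    missing = [r for r in required if not covered(r[0], r[1])]
    needed = {(p, n) for p, n, _ in required if p != "ip"}
    unneeded = sorted(r for r in rules if r[1] is not None and r not in needed)
    return missing, unneeded
```

Calling `audit(ACL)` returns the listed services that no posted rule permits, plus any posted rule that corresponds to none of the listed services.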

knevyn
New Contributor III

Re: BSAP firewall config


permit tcp any  host x.x.x.x.169 eq 28000   log should be permit tcp any  host x.x.x.x eq 28000   log (169 was the last octet).

erik
Contributor

Re: BSAP firewall config


@knevyn,

Are you connecting your BSAPs to the vWLAN or BSC architecture? And what form of AP Discovery are you using - e.g., DNS, DHCP option 43, or static?

Thank you,

Erik

knevyn
New Contributor III

Re: BSAP firewall config


I'm connecting the BSAPs to cable DSL network, separate from our internal network where the vWLAN is. I have the vWLAN NATed out the firewall. I can connect to the vWLAN web interface through the cable DSL. So I believe I've got the ports open correctly.

I'm using static for the BSAPs outside the firewall. I set the mode to static, then enter the controller's IP address, save, and reboot.

erik
Contributor

Re: BSAP firewall config


@knevyn

Okay, thank you. The issue is likely with the vWLAN being NATed. At present, remote BSAPs cannot discover a vWLAN residing behind a NAT even if port forwarding is configured for the necessary services. A feature request has been submitted to support this setup and our product management team is working to prioritize it on the road-map. For now, would it be possible within your network design to assign the vWLAN a routable IP address - perhaps something on the DMZ?

Thanks again,

Erik

knevyn
New Contributor III

Re: BSAP firewall config


Routable IP is possible.

Any idea of ETA for NATing?

erik
Contributor

Re: BSAP firewall config


@knevyn

Regrettably, I can't comment on the ETA of road-map items via the Community. However, I might suggest reaching out to your reseller and/or regional sales manager, who could follow up on this for you.

Thanks again,

Erik