Connect separate subnets without NAT

  • Question
  • Updated 2 years ago
I have 20 ZoneFlex 7343s managed through a ZoneDirector in my school (I'm responsible for the IT) and things have run well for two years :-)

NOW we have purchased 90 iPads and have a problem...

We only have 253 IPs on our subnet, and as the local authority manages the firewalls and filtering for the school and is actively blocking NAT, I need a method of putting the wireless devices on a separate subnet without using NAT to route them to the Internet.

Any ideas would be much appreciated. (I'm no Ruckus expert ;-| )

Simon Howard

Posted 4 years ago

Max O'Driscoll, AlphaDog

Shoot me down if I'm missing an obvious gotcha...

The Ruckus ZD can be configured as a DHCP server with 512 IPs available (200 by default).
Have a look at the help and GUI (configure/system) and see if that is of any use.
Primož Marinšek, AlphaDog

As Max said, you can use the DHCP on the ZD, but running two DHCP instances on the same subnet will probably cause you more problems than it will solve. The ZD doesn't support DHCP on more than one subnet.

Putting devices on another subnet and routing them correctly will require properly configured L3 switches. Then you will be able to put all APs and the ZD on that network and run the ZD's DHCP server for everything. So if I understand your situation correctly, you would need to talk to your LA and get them to configure your wired network like that.

Simon Howard

Hi Max

Yes, I was aware of this, and that was my first port of call when the iPads were introduced and we ran out of available IPs.
Unfortunately the ZD wireless subnet uses NAT to route to the LAN subnet (I think), and as NAT is actively blocked by the router/firewall (which I do not manage), no wireless devices can browse the internet, which is a bit of an issue ;-) They get a network connection with an IP in the correct subnet, but I've been told by our ISP that the issue is no support for NAT (and there never will be).
That is of course unless I set this up wrongly; as I said, I'm no Ruckus expert...

Max O'Driscoll, AlphaDog

Or going back 2 steps (at least) - how much control do you have of your network environment?

Are you able to add another IP range to the server DHCP scope to give you more addresses? That would be a much more elegant/simple solution.

Simon Howard

Hi Primož

Sorry I was in the middle of replying to Max when your post came in...

So are you saying the ZD doesn't support more than one subnet?
Surely it must be a common requirement to have your wireless LAN and wired LAN on separate subnets?

I agree the subnets could be separated at our switches; in fact we already have a separate VLAN for the wireless network, but this still presents an issue with Network Address Translation: at some point the IP addresses on the wireless subnet need to be translated to the correct wired LAN subnet for our firewall to allow them out onto the internet. Or am I just getting this completely wrong?

Primož Marinšek, AlphaDog

No, I'm saying that the DHCP server in the ZD can only supply addresses to one network, not to every VLAN. It can, however, map WLAN-to-VLAN no problem.

I'm probably not getting something here. I don't know your topology nor what your ISP requires from you. If you don't want to NAT-route you will need some more info from your ISP on what exactly they can give you to play with.
Simon Howard

Hi Max

I have control over the LAN, so switches/servers... I have no control over the router/firewall/ports/web filtering etc. This is the problem: I can extend the scope easily from the server and that would be that, but the router/firewall is configured to only accept traffic from a single subnet limited to the current scope, for example 172.26.66.1 - 172.26.66.254, and NAT is actively blocked, so I can't extend my pool... The local authority cannot extend our pool either, as their pool is spread across multiple schools and the next octet will already be allocated elsewhere.
I had hoped that the ZD could have handled this through hardware, but I am wondering now if something like pfSense might be a solution?

Simon Howard

Hi Primož

If we could get more cooperation from our ISP (which is the local education authority) I'm sure this would be a lot easier. Unfortunately they are stuck in the stoneage and will not work with us at all. The school would love to go elsewhere but are tied into the LA for our broadband :-(
I am sure it must be possible to allow wireless devices to use a separate subnet and then route this through to the correct subnet for the router/firewall to accept the traffic. The problem is how the headers of packets are altered: if NAT was avoided, the packet would not know the return route unless iptables were used, but this would be problematic to administer.
Any ideas would be welcomed, but I can't see an easy solution...

Primož Marinšek, AlphaDog

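The two points raised above, that routed (un-NATed) wireless traffic needs properly configured L3 routing (Primož) and that without NAT the return path has to be known somewhere upstream (Simon), can be shown with a small forwarding simulation. This is an added example and not code from the thread, Ruckus or the ZoneDirector; it models each hop as a longest-prefix-match routing table plus a source ACL for the LA firewall. Only 172.26.66.0/24 comes from the thread; the wireless subnet 10.10.20.0/22, the host addresses, the gateway 172.26.66.1 and the next-hop labels are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Only 172.26.66.0/24 comes from the thread; the
# wireless subnet, host addresses and next-hop labels are assumptions.
WIRED = "172.26.66.0/24"        # existing scope the LA firewall admits
WIRELESS = "10.10.20.0/22"      # assumed routed wireless VLAN (1022 usable hosts)
IPAD = "10.10.20.50"            # assumed iPad address
REMOTE = "93.184.216.34"        # assumed Internet destination

# School L3 switch: both VLANs are directly connected; everything else goes
# to the LA router at 172.26.66.1 (assumed gateway address).
SCHOOL_ROUTES = [
    (WIRED, "vlan1-direct"),
    (WIRELESS, "vlan20-direct"),
    ("0.0.0.0/0", "172.26.66.1"),
]

# LA router as the thread describes it: it knows only the wired subnet and
# its ISP uplink, and its ACL admits sources in the wired subnet only.
LA_ROUTES_BEFORE = [(WIRED, "school-link"), ("0.0.0.0/0", "isp-uplink")]
LA_ACL_BEFORE = [WIRED]

# What routing without NAT needs from the LA: a static return route for the
# wireless subnet and an ACL entry that admits it as a source address.
LA_ROUTES_AFTER = LA_ROUTES_BEFORE + [(WIRELESS, "school-link")]
LA_ACL_AFTER = LA_ACL_BEFORE + [WIRELESS]


def lookup(routes, dst):
    """Longest-prefix-match lookup: returns the next hop for dst, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def acl_permits(acl, src):
    """True if src falls inside any permitted source prefix."""
    return any(ip_address(src) in ip_network(p) for p in acl)


def simulate(la_routes, la_acl, src=IPAD, dst=REMOTE):
    """Walk one routed (un-NATed) flow out and back and report each hop's decision."""
    result = {"school_next_hop": lookup(SCHOOL_ROUTES, dst)}
    # Outbound: the LA firewall sees the untranslated wireless source address.
    if acl_permits(la_acl, src):
        result["outbound"] = lookup(la_routes, dst)
    else:
        result["outbound"] = "dropped-by-acl"
    # Return traffic: the LA router needs a route back to the wireless subnet.
    # Without one the reply follows the default route back towards the ISP
    # and is lost, even if the outbound ACL had let the flow through.
    result["return_next_hop"] = lookup(la_routes, src)
    return result


if __name__ == "__main__":
    print("LA unchanged:      ", simulate(LA_ROUTES_BEFORE, LA_ACL_BEFORE))
    print("ACL fixed only:    ", simulate(LA_ROUTES_BEFORE, LA_ACL_AFTER))
    print("ACL + return route:", simulate(LA_ROUTES_AFTER, LA_ACL_AFTER))
```

The "ACL fixed only" case is the one Simon is pointing at: even if the firewall admitted the wireless source, replies to 10.10.20.50 would match only the LA router's default route and head back to the ISP. Routing without NAT therefore needs both changes on the LA side, which is why the thread keeps coming back to needing the local authority's cooperation or a device (like the Nomadix gateway mentioned later) that hides the second subnet from the upstream router.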
Yes, there is an appliance that might work for you. It does NAT without doing NAT, of sorts. It could work for your case.

It's called a Nomadix Access Gateway. Maybe check them out.
Simon Howard

Hi Primož

I will certainly give these guys a call and see if their hardware can help.

Thank you for your time....
Philip Coke

Can ZoneDirector do this now? It's been two years; my situation is that I am running out of IP addresses and I want the APs/ZoneDirector to issue IPs from a different subnet.