
Connect separate subnets without NAT

simon_howard_66
New Contributor II
I have x20 Zoneflex7343's managed through a ZoneDirector in my school (I'm responsible for the IT) and things have run well for two years :-)

NOW we have purchased 90 iPads and have a problem...

We only have 253 IPs on our subnet, and as the local authority manage the firewalls and filtering for the school and are actively blocking NAT, I need a method of putting the wireless devices on a separate subnet without using NAT to route them to the Internet.

Any ideas would be much appreciated. (I'm no Ruckus expert ;-| )
11 REPLIES

simon_howard_66
New Contributor II
Hi Primož

Sorry I was in the middle of replying to Max when your post came in...

So are you saying the ZD doesn't support more than 1 subnet?
Surely it must be a common requirement to have your wireless LAN and wired LAN on separate subnets?

I agree the subnets could be separated at our switches; in fact we already have a separate VLAN for the wireless network, but this still presents an issue with Network Address Translation. At some point the IP addresses on the wireless subnet need to be translated to the correct wired LAN subnet for our firewall to allow them out onto the internet. Or am I just getting this completely wrong?

primoz_marinsek
Valued Contributor
No, I'm saying that the DHCP server in the ZD can only supply addresses to one network, not to every VLAN. It can, however, map WLAN-to-VLAN no problem.

I'm probably not getting something here. I don't know your topology nor what your ISP requires from you. If you don't want to NAT-route you will need some more info from your ISP on what exactly they can give you to play with.

simon_howard_66
New Contributor II
Hi Max

I have control over the LAN, so switches/servers... I have no control over the router/firewall/ports, web filtering etc. This is the problem: I can extend the scope easily from the server and that would be that, because the router/firewall is configured to only accept traffic from a single subnet limited to the current scope, for example 172.26.66.1 - 172.26.66.254, and NAT is actively blocked, I can't extend my pool... The local authority cannot extend our pool either, as their pool is spread across multiple schools so the next octet will already be allocated elsewhere.
I had hoped that the ZD could have handled this through hardware, but I am wondering now if something like pfSense might be a solution?

simon_howard_66
New Contributor II
Hi Primož

If we could get more cooperation from our ISP (which is the local education authority) I'm sure this would be a lot easier. Unfortunately they are stuck in the stone age and will not work with us at all. The school would love to go elsewhere but are tied into the LA for our broadband :-(
I am sure it must be possible to allow wireless devices to use a separate subnet and then route this through to the correct subnet for the router/firewall to accept the traffic. The problem is how the headers of packets are altered; if NAT was avoided the packet would not know the return route unless ip tables were used, but this would be problematic to administer.
Any ideas would be welcomed but I can't see an easy solution...

primoz_marinsek
Valued Contributor
Yes, there is an appliance that might work for you. It does NAT without doing NAT, of sorts. It could work for your case.

It's called a Nomadix Access Gateway. Maybe check them out.