We've got a hosted vSZ server with APs on the client site. For the guest SSID (going to a WISPr external server), we use the DHCP server function of the APs with a corresponding VLAN, to avoid creating a specific VLAN on the local network switches and internet router.
So everything is OK with assigning DHCP addresses to clients, but the firewall detects the network subnet behind the AP's DHCP and drops packets because it detects IP spoofing.
Example here:
The local LAN client subnet is 192.168.1.X/24, where the AP has 192.168.1.19. The AP DHCP server is created with pool 10.10.10.X/24; the Wi-Fi client gets 10.10.10.133 but then can't communicate with the captive portal and download the portal HTTPS page.
I got this 10.10.10.133 address, which appears in the firewall and is denied. But I should not see this subnet if the AP did NAT correctly?
I made a packet capture on the AP LAN port, and we do indeed see 10.10.10.133 trying to talk with the guest server.