Hi. We installed an MBX4 for a client a few years ago. The MBX is managing the client’s Pepwave Access Points. Now the client wants to install a 3rd party firewall behind the MBX. How can we still have the MBX manage the APs when there’s a firewall in between? Can the ports used for AP management be forwarded on the FW? If so, what ports are used?
Hi, @jh1
When you enable "Support Remote AP", there is a help text about this.
The option enables management of Pepwave APs from the WAN. The AP Controller waits for AP management connections from the remote AP’s network on WAN 1 UDP port 5246.
To enable AP discovery from the WAN, please perform at least one of the following setup options:
Option 1. Define an extended DHCP option “CAPWAP Access Controller addresses” (field 138) in the DHCP server, where the values are the AP Controller’s WAN 1 public IP addresses.
Option 2. Create a local DNS A record for “wlancontroller.” with a value corresponding to the AP Controller’s WAN 1 public IP address.
Can you try?
Hi. Thanks for the reply. Attached is a sketch of the existing + new setup. Are you suggesting wiring WAN1 on the MBX to a free LAN port on the firewall to achieve this? All WANs are LTE, and there are no public IPs. JH
Hi…
Maybe there is another way to do this… Let me suggest one way.
- Configure the WAN 1 TCP/IP address as something like a CGNAT address. Suggestion: 100.64.0.1/30.
- Allow UDP port 5246 at the new firewall (any to any, UDP port 5246).
- Do you use DHCP for the Peplink APs? Can you use field 138 at the DHCP server?
- Can you create a DNS A record ( https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/ ) ?
AND
At your MBX, enable:
Dashboard > AP Controller > AP Management > External AP
I am not sure about the TCP/IP address of the AP… You need to test.
Maybe… again… maybe… you need to allow the TCP/IP address of the AP to go to the MBX without NAT (the rule must be in the new firewall), and you need to build a "static route" at the MBX to point this AP network range back to the new firewall.
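The DHCP field 138 mentioned in the help text and in the checklist above, worked through as an added example (not part of the original posts and not Peplink code): many DHCP servers want this option entered as raw hex, and RFC 5417 defines it as a list of 4-byte IPv4 controller addresses. The function names are made up for this example; 100.64.0.1 is the WAN 1 address suggested in the thread and 192.0.2.10 is a constructed documentation address.

```python
import ipaddress

CAPWAP_AC_OPTION = 138  # DHCPv4 "CAPWAP Access Controller addresses" (RFC 5417)


def encode_option_138(controllers):
    """Return the full option as bytes: code, length, then 4 bytes per address."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    # IPv4Address() rejects anything that is not a valid IPv4 literal.
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in controllers)
    if len(payload) > 255:
        raise ValueError("too many addresses for a single DHCP option")
    return bytes([CAPWAP_AC_OPTION, len(payload)]) + payload


def decode_option_138(raw):
    """Parse a captured option 138 back into dotted-quad controller addresses."""
    if len(raw) < 2 or raw[0] != CAPWAP_AC_OPTION:
        raise ValueError("not a CAPWAP AC option")
    length = raw[1]
    body = raw[2:2 + length]
    # The length byte must match the data and be a non-zero multiple of 4.
    if len(body) != length or length == 0 or length % 4:
        raise ValueError("malformed option 138 payload")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def hex_value(controllers):
    """Colon-separated hex of the value only, for servers that add code/length."""
    return encode_option_138(controllers)[2:].hex(":")


if __name__ == "__main__":
    # Constructed sample input: the thread's suggested WAN 1 address plus a
    # documentation-range address standing in for a second controller.
    sample = ["100.64.0.1", "192.0.2.10"]
    print("value to paste:", hex_value(sample))
    print("full option   :", encode_option_138(sample).hex())
    print("decoded back  :", decode_option_138(encode_option_138(sample)))
```

Decoding the option from a packet capture taken on the AP side of the new firewall is a quick way to confirm the APs are being handed the controller address you intended.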
Thanks! This may work. Unfortunately, we’re not supplying the FW, so we don’t even know the make… Will try it out once we get to the point when they have the FW installed. JH