Client IP Addressing
NAT Mode
In NAT mode, the EnGenius APs run as DHCP servers to assign IP addresses to wireless clients out of a private 172.x.x.x IP address pool behind a NAT.
NAT mode should be enabled when any of the following is true:
Wireless clients associated to the SSID only require Internet access, not access to local wired or wireless resources.
There is no DHCP server on the LAN that can assign IP addresses to the wireless clients.
There is a DHCP server on the LAN, but it does not have enough IP addresses to assign to wireless clients
The implications of enabling NAT mode are as follows:
No NAT client can be talked to the other NAT client, neither same SSID nor different SSID (client isolation enabled and block internal routing)
Change the IP range of CP DNS to be same as AP DNS (172.16-23.0.0/16)
Use Cases
NAT mode works well for providing a wireless guest network since it puts clients on a private wireless network with automatic addressing.
Diagram
When an SSID is configured in NAT Mode, wireless clients will point to the access point as their DNS server. The AP then acts as a DNS proxy and will forward clients' DNS queries to its configured DNS server.
Configuring Custom DNS for an SSID in NAT Mode
This allows you to set custom DNS servers for a NAT SSID, instead of using the AP's DNS server. This is typically used to forward NAT SSID clients to a DNS server with custom content filtering.
Configuration
1. Navigate to Configure > SSID, then choose one SSID to customize the DNS settings.
2. Locate the Client IP mode and choose NAT mode then click Custom DNS.
3. Enter the preferred Custom DNS IP addresses.
4. Click Apply.
Bridge Mode
In bridge mode, the APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.
Bridge mode should be enabled when the following is true:
Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or wired desktop needs to connect to a wireless surveillance camera).
The implications of enabling Bridge mode are as follows:
Wired and wireless clients have IP addresses in the same subnet
User Cases
Bridge mode works well in most circumstances, particularly for Roaming. and is the simplest option to put wireless clients on the LAN.
Configuration
1. Navigate to Configure > SSID , then choose one SSID.
2. Locate the Client IP mode and choose Bridge mode then click Apply.
If you configure Bridge mode on two or more SSIDs in the same network, it means that these Clients have IP addresses in the same subnet.
EoGRE
the EoGRE (Ethernet over GRE, or Layer 2 GRE tunnel ) is to build a GRE tunnel between AP and the remote site, so all traffic of the “EoGRE-enabled” SSID will go through the encrypted tunnel to the remote service center
EoGRE tunnel
When SSID’s EoGRE is enabled, all traffic of connecting clients will be tunneled by EoGRE to forward to TGW (Tunnel Gateway)
The connected client then sends a DHCP request to TGW to get an IP address
Option 82 can be enabled to provide more information for the DHCP server to assign IP accordingly.
DHCP Option 82
DHCP option 82 (also known as the DHCP relay agent information option) is used to prevent DHCP client requests from untrusted sources. The DHCP relay agent will insert more information of “circuit ID” to identify the request is from, say, which AP BSSID (radio mac), which SSID name, and which VLAN ID…, so the DHCP server can identify if the request is from an authorized source, and bases on the information to assign IP.
Circuit ID usually includes which ESSID (SSID name) and VLAN ID the client is connecting to. Remote ID usually includes which AP (AP MAC and BSSID - Radio MAC) is relaying the DHCP requests.
Users can define the fields to add to the Circuit ID and Remote ID. EnGenius Option 82 provides options as below:
AP Ethernet MAC
AP Radio MAC
SSID Name
SSID Type
VLAN ID
Configuration
1. Navigate to Configure > SSID , then choose one SSID.
2. Locate the Client IP mode and choose Tunnel (EoGRE).
3. Choose the VLAN (the default value of “VLAN” is SSID default VLAN. If the value is changed, then it will override the SSID default VLAN ).
4. Input the Tunnel Gateway IP ( the IP of the remote site the GRE tunnel will be connecting to ).
5. Decide to enable the DHCP option-82, if yes, Input Delimiter ( how the field is separated in the option 82 frames) and select the Circuit ID and Remote ID and then click Apply.
AP firmware is required 1.x.45 or above.
Last updated