This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How does a Central managed APX NAT Guest WiFi interact with the XGS Gateway?


This is more of an academic question.

I'm setting up a new Guest WiFi at my office and using APXs managed by SC and it seems to be working. I have it set to NAT rather than Bridged, but I'm puzzled by how it gets through the XGS. The APX's DHCP Server hands a client an address, and I don't see that address (or network) in the gateway anywhere, but clients can get out to the internet, so it must be going through the gateway ... somewhere.

Does it use some sort of VLAN but hidden from admins to isolate the traffic? Would any XGS firewall rules apply?



This thread was automatically locked due to age.
  • My question would be: is this setting actually causing the AP to do NAT? If so, by definition it would say that all client traffic from that AP (on that SSID) will only have the AP's IP address. So any rules that would attempt to use Source IP (other than the AP's IP) would not be triggered, since they'll never see traffic from that SSID (across that VLAN) with any IP except the APs.

    But I've never seen that option before, so I'm just guessing.

    If I'm right, you could still apply specific rules to that SSID, do content or destination URL filtering, IPS, etc, etc, but you could never do something based on a client's IP or user. Just a guess, though.

  • NAT in Guest networks will basically use the APX IP to NAT the traffic. So you do not have any way to separate this on a firewall level. 

    It is more likely for the smaller deployments or the deployments without a firewall product at all.

    Better to use the Bridge approach, as it will bridge the IP (DHCP) to the client. So to speak. And the APX will do a only firewalling. 


  • Thank you. I wasn't looking to do anything specific. I just was curious how the traffic got through the gateway when there's no evidence of that network even existing on the gateway.