Connect remote APs to Unleashed Dedicated Master over the public Internet
You can use Unleashed Dedicated Master to manage APs at remote internet-connected locations, and tunnel selected traffic back to your network.
Your Dedicated Master AP can be behind a NAT router, but this router requires a static WAN IP address.
Your remote APs can be behind NAT or double-NAT (e.g. if your ISP uses CGNAT).
You need to NAT incoming UDP 12222,12223,60000 & TCP 443 WAN traffic to your Dedicated Master AP.
And you need to configure your remote APs with the public IP address of your Dedicated Master AP.
A complication is that the Unleashed Management Interface also uses port 443, and you don't want to expose this to the internet.
Besides, you might already be serving an unrelated website on port 443.
These problems can be addressed by installing a reverse proxy (if you haven't already), and only passing HTTPS traffic if it matches the specific URL which Unleashed AP provisioning requires.
Other Firewalls
This guide configures NAT and HAProxy on pfSense. You will need to adapt the steps to suit other firewalls.
Coexistence with SmartZone
If you also follow the SmartZone Guide then SmartZone and Unleashed Dedicated Master can share a single WAN IP address.
Coexistence with ZoneDirector
Unleashed Dedicated Master shares some URLs with ZoneDirector, so it's not straightforward for ZoneDirector to share a single WAN IP with Unleashed Dedicated Master.
Unleashed configuration steps
You should disable Admin & Services > System > System Info > Access Point Policies > Approval (which is enabled by default).
Firewall (pfSense) configuration steps
Add Port Aliases
Firewall > Aliases > Ports > Add
- Properties > Name: DedicatedMasterUdp
- Port(s) > Port: 12222:12223
Add Port
- Port(s) > Port: 60000
Save
Apply Changes
Add NAT Port Forwards
Firewall > NAT > Port Forward > Add (the down arrow)
- Edit Redirect Entry > Protocol: UDP
- Edit Redirect Entry > Destination port range > Custom: DedicatedMasterUdp
TIP: If you can apply a Source rule (e.g. an ISP's IP range) then do so
- Edit Redirect Entry > Redirect target IP > Address: <Dedicated Master IP>
- Edit Redirect Entry > Redirect target port > Custom: DedicatedMasterUdp
Save
Apply Changes
Add CA and Certificate for HAProxy Frontend
System > Certificates > Authorities > Add
- Create / Edit CA > Descriptive name: internal-ca
Save
System > Certificates > Certificates > Add/Sign
- Add Sign a New Certificate > Descriptive name: <External IP>
- Internal Certificate > Certificate authority: internal-ca
- Internal Certificate > Common name: <External IP>
- Certificate Attributes > Certificate Type: Server Certificate
Save
Install HAProxy
System > Package Manager > Available Packages > haproxy-devel > Install > Confirm
Create HAProxy Backend
Services > HAProxy > Backend > Add
- Edit HAProxy Backend server pool > Name: DedicatedMaster
- Edit HAProxy Backend server pool > Server list > add another entry (the down arrow)
  - Name: ULAPConfig
  - Address: <Dedicated Master IP>
  - Port: 443
  - Encrypt: tick
- Health checking > Health check method > none
Save
Apply Changes
Create HAProxy Frontend
Services > HAProxy > Frontend > Add
- Edit HAProxy Frontend > Name: DedicatedMaster
- External address > Port: 443
- External address > SSL Offloading: tick
- Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
  - Name: ULHost
  - Expression: Host matches:
  - Value: <External IP>
- Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
  - Name: ULFirmwarePath
  - Expression: Path starts with:
  - Value: /firmwares
- Default backend, access control lists and actions > Actions > add another entry (the down arrow)
  - Condition acl names: ULHost ULFirmwarePath
  - backend: DedicatedMaster
- SSL Offloading > Certificate > <External IP> (CA: internal-ca) [Server cer]
- SSL Offloading > Certificate > Add ACL for certificate CommonName. (host header matches the "CN" of the certificate): tick
Save
Apply Changes
Enable HAProxy
Services > HAProxy > Settings
- General settings > Enable HAProxy: tick
- General settings > Maximum connections: 5 (any number here, the # of APs is a safe bet)
Save
Apply Changes (ignore the warnings)
Add Firewall Rule so HAProxy receives traffic
Firewall > Rules > WAN > Add (the down arrow)
- Destination > Destination > This firewall (self)
- Destination > Destination Port Range > From: HTTPS (443)
TIP: If you can apply a Source rule (e.g. an ISP's IP range) then do so
Save
Apply Changes
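For readers adapting this guide to another firewall, the HAProxy backend, frontend and settings steps above correspond roughly to the hand-written configuration below. It is an added example, not pfSense-generated output or part of the original guide; the IP addresses, certificate path, timeouts and `verify none` are assumptions.

```haproxy
# Added example: hand-written approximation of the pfSense GUI steps above.
# 203.0.113.10 stands in for <External IP>, 192.168.1.2 for <Dedicated Master IP>;
# both addresses and the certificate path are constructed placeholders.

global
    maxconn 5                  # "Maximum connections" from the Enable HAProxy step

defaults
    mode http
    timeout connect 5s         # timeout values are assumed, not from the guide
    timeout client  30s
    timeout server  30s

frontend DedicatedMaster
    # SSL offloading with the <External IP> server certificate issued by internal-ca
    bind :443 ssl crt /etc/haproxy/certs/external-ip.pem

    # ULHost: the Host header must be the external IP
    acl ULHost hdr(host) -i 203.0.113.10
    # ULFirmwarePath: only the path used for AP provisioning
    acl ULFirmwarePath path_beg /firmwares

    # Space-separated ACL names are ANDed: both must match
    use_backend DedicatedMaster if ULHost ULFirmwarePath

    # Deliberately no default_backend: a request with any other Host or path
    # is answered with a 503 by HAProxy and never reaches the Unleashed
    # management interface on the Dedicated Master.

backend DedicatedMaster
    # "Encrypt: tick" re-encrypts the connection to the Dedicated Master.
    # "verify none" (backend certificate not validated) is an assumption.
    # No "check" keyword, matching "Health check method: none".
    server ULAPConfig 192.168.1.2:443 ssl verify none
```

Note that `path_beg /firmwares` is a plain prefix match, so it also passes any path that merely begins with that string, such as `/firmwaresX`.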
AP configuration steps
- Install the latest Unleashed software image onto your remote AP
- SSH into the AP's CLI and configure the Dedicated Master's static external IP address:

    ruckus> en
    ruckus# ap-mode
    You have all rights in this mode.
    ruckus(ap-mode)# set director ip <External IP>
    ** Please reboot for this change to take effect
    OK
    ruckus(ap-mode)# reboot