
Connect remote APs to Unleashed Dedicated Master over the public Internet

You can use Unleashed Dedicated Master to manage APs at remote internet-connected locations, and tunnel selected traffic back to your network.

Your Dedicated Master AP can be behind a NAT router, but this router requires a static WAN IP address.
Your remote APs can be behind NAT or double-NAT (e.g. if your ISP uses CGNAT).

You need to forward (NAT) incoming WAN traffic on UDP ports 12222, 12223 and 60000 and on TCP port 443 to your Dedicated Master AP.
And you need to configure your remote APs with the public IP address of your Dedicated Master AP.

A complication is that the Unleashed Management Interface also uses port 443, and you don't want to expose this to the internet.
Besides, you might already be serving an unrelated website on port 443.
These problems can be addressed by installing a reverse proxy (if you haven't already), and only passing HTTPS traffic if it matches the specific URL which Unleashed AP provisioning requires.

Other Firewalls

This guide configures NAT and HAProxy on pfSense. You will need to adapt the steps to suit other firewalls.

Coexistence with SmartZone

If you also follow the SmartZone Guide then SmartZone and Unleashed Dedicated Master can share a single WAN IP address.

Coexistence with ZoneDirector

Unleashed Dedicated Master shares some URLs with ZoneDirector, so it's not straightforward for ZoneDirector to share a single WAN IP with Unleashed Dedicated Master.

Unleashed configuration steps

You should disable Admin & Services > System > System Info > Access Point Policies > Approval (which is enabled by default).

Firewall (pfSense) configuration steps

Add Port Aliases

Firewall > Aliases > Ports > Add

  • Properties > Name: DedicatedMasterUdp
  • Port(s) > Port: 12222:12223
  • Add Port
  • Port(s) > Port: 60000
  • Save

Apply Changes

Add NAT Port Forwards

Firewall > NAT > Port Forward > Add (the down arrow)

  • Edit Redirect Entry > Protocol: UDP
  • Edit Redirect Entry > Destination port range > Custom: DedicatedMasterUdp

TIP

If you can apply a Source rule (e.g. an ISP's IP range), then do so.

  • Edit Redirect Entry > Redirect target IP > Address: <Dedicated Master IP>
  • Edit Redirect Entry > Redirect target port > Custom: DedicatedMasterUdp
  • Save

Apply Changes

Add CA and Certificate for HAProxy Frontend

System > Certificates > Authorities > Add

  • Create / Edit CA > Descriptive name: internal-ca
  • Save

System > Certificates > Certificates > Add/Sign

  • Add/Sign a New Certificate > Descriptive name: <External IP>
  • Internal Certificate > Certificate authority: internal-ca
  • Internal Certificate > Common name: <External IP>
  • Certificate Attributes > Certificate Type: Server Certificate
  • Save

Install HAProxy

System > Package Manager > Available Packages > haproxy-devel > Install > Confirm

Create HAProxy Backend

Services > HAProxy > Backend > Add

  • Edit HAProxy Backend server pool > Name: DedicatedMaster
  • Edit HAProxy Backend server pool > Server list > add another entry (the down arrow)
    • Name: ULAPConfig
    • Address: <Dedicated Master IP>
    • Port: 443
    • Encrypt: tick
  • Health checking > Health check method > none
  • Save

Apply Changes

Create HAProxy Frontend

Services > HAProxy > Frontend > Add

  • Edit HAProxy Frontend > Name: DedicatedMaster
  • External address > Port: 443
  • External address > SSL Offloading: tick
  • Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
    • Name: ULHost
    • Expression: Host matches:
    • Value: <External IP>
  • Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
    • Name: ULFirmwarePath
    • Expression: Path starts with:
    • Value: /firmwares
  • Default backend, access control lists and actions > Actions > add another entry (the down arrow)
    • Condition acl names: ULHost ULFirmwarePath
    • backend: DedicatedMaster
  • SSL Offloading > Certificate > <External IP> (CA: internal-ca) [Server cer]
  • SSL Offloading > Certificate > Add ACL for certificate CommonName. (host header matches the "CN" of the certificate): tick
  • Save

Apply Changes

Enable HAProxy

Services > HAProxy > Settings

  • General settings > Enable HAProxy: tick
  • General settings > Maximum connections: 5 (any number here, the # of APs is a safe bet)
  • Save

Apply Changes (ignore the warnings)
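
For readers adapting these steps to another firewall, the HAProxy backend, frontend and settings above correspond roughly to the hand-written haproxy.cfg below. This is an added example, not configuration generated by pfSense or taken from the original guide; the certificate path, the timeouts and the use of "verify none" are assumptions.

```haproxy
# Added example: hand-written equivalent of the GUI steps above.
# Placeholders to replace: <External IP>, <Dedicated Master IP>.
# Assumption: /etc/haproxy/certs/external-ip.pem is a hypothetical path to the
# server certificate and key (signed by internal-ca), concatenated as PEM.

global
    maxconn 5                 # "Maximum connections" from the Settings page

defaults
    mode http
    timeout connect 5s        # timeouts are assumed values, not from the guide
    timeout client  30s
    timeout server  30s

frontend DedicatedMaster
    # "SSL Offloading": HAProxy terminates TLS with the internal-ca certificate.
    bind :443 ssl crt /etc/haproxy/certs/external-ip.pem

    # ULHost: the Host header must be the public IP the APs were configured with.
    acl ULHost hdr(host) -i <External IP>
    # ULFirmwarePath: only the path prefix the guide allows through.
    acl ULFirmwarePath path_beg /firmwares

    # ACL names listed together are ANDed: both must match.
    use_backend DedicatedMaster if ULHost ULFirmwarePath

    # Deliberately no default_backend. A request that fails either ACL,
    # including one for the Unleashed management interface, is never
    # forwarded to the Dedicated Master; HAProxy answers it with a 503.

backend DedicatedMaster
    # "Encrypt: tick" re-encrypts traffic to the Dedicated Master on 443.
    # "verify none" (no validation of the AP's certificate) is an assumption.
    # No "check" keyword, matching "Health check method: none".
    server ULAPConfig <Dedicated Master IP>:443 ssl verify none
```

Once the WAN rule in the next section is in place, a request from outside for any path other than /firmwares should return HAProxy's 503 page rather than the Unleashed login page.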

Add Firewall Rule so HAProxy receives traffic

Firewall > Rules > WAN > Add (the down arrow)

  • Destination > Destination > This firewall (self)
  • Destination > Destination Port Range > From: HTTPS (443)

TIP

If you can apply a Source rule (e.g. an ISP's IP range), then do so.

  • Save

Apply Changes

AP configuration steps

  • Install the latest Unleashed software image onto your remote AP
  • SSH into the AP's CLI and configure the Dedicated Master's static external IP address:
    ruckus-cli
    ruckus> en
    ruckus# ap-mode
    You have all rights in this mode.
    ruckus(ap-mode)# set director ip <External IP>
    ** Please reboot for this change to take effect
    OK
    ruckus(ap-mode)# reboot

Released under the BSD Zero Clause License.