Skip to content

Connect APs to ZoneDirector over the public Internet

You can use ZoneDirector to manage APs at remote internet-connected locations, and tunnel selected traffic back to your network.

Your ZoneDirector can be behind a NAT router, but this router requires a static WAN IP address.
Your APs can be behind NAT or double-NAT (e.g. if your ISP uses CGNAT).

You need to NAT incoming UDP 12222,12223 & TCP 443,11443 WAN traffic to your ZoneDirector.
And you need to configure your APs with the public IP address of your ZoneDirector.

A complication is that the ZoneDirector Management Interface also uses port 443, and you don't want to expose this to the internet.
Besides, you might already be serving an unrelated website on port 443.
These problems can be addressed by installing a reverse proxy (if you haven't already), and only passing HTTPS traffic if it matches the specific URL which ZoneDirector AP provisioning requires.

COMPATIBILITY

This guide configures NAT and HAProxy on pfSense. You will need to adapt the steps to suit other firewalls.

ZoneDirector configuration steps

You should enable Secure AP Provisioning (which is the default for ZoneDirector 10.5.1).

Firewall (pfSense) configuration steps

Add Port Aliases

Firewall > Aliases > Ports > Add

  • Properties > Name: ZoneDirectorUdp
  • Port(s) > Port: 12222:12223
  • Save

Firewall > Aliases > Ports > Add

  • Properties > Name: ZoneDirectorTcp
  • Port(s) > Port: 11443
  • Save

Apply Changes

Add NAT Port Forwards

Firewall > NAT > Port Forward > Add (the down arrow)

  • Edit Redirect Entry > Protocol: UDP
  • Edit Redirect Entry > Destination port range > Custom: ZoneDirectorUdp

TIP

If you can apply a Source rule (e.g. an ISP's IP range) then do so

  • Edit Redirect Entry > Redirect target IP > Address: <ZoneDirector IP>
  • Edit Redirect Entry > Redirect target port > Custom: ZoneDirectorUdp
  • Save

Firewall > NAT > Port Forward > Add (the down arrow)

  • Edit Redirect Entry > Destination port range > Custom: ZoneDirectorTcp

TIP

If you can apply a Source rule (e.g. an ISP's IP range) then do so

  • Edit Redirect Entry > Redirect target IP > Address: <ZoneDirector IP>
  • Edit Redirect Entry > Redirect target port > Custom: ZoneDirectorTcp
  • Save

Apply Changes

Add CA and Certificate for HAProxy Frontend

System > Cert. Manager > CAs > Add

  • Create / Edit CA > Descriptive name: internal-ca

System > Cert. Manager > Certificates > Add/Sign

  • Add Sign a New Certificate > Descriptive name: <external IP>
  • Internal Certificate > Certificate authority: internal-ca
  • Internal Certificate > Common name: <external IP>
  • Certificate Attributes > Certificate Type: Server Certificate
  • Save

Install HAProxy

System > Package Manager > Available Packages > haproxy-devel > Install > Confirm

Create HAProxy Backend

Services > HAProxy > Backend > Add

  • Edit HAProxy Backend server pool > Name: ZoneDirector
  • Edit HAProxy Backend server pool > Server list > add another entry (the down arrow)
    • Name: ZDAPConfig
    • Address: <ZoneDirector IP>
    • Port: 443
    • Encrypt: tick
  • Health checking > Health check method > none
  • Save

Apply Changes

Create HAProxy Frontend

Services > HAProxy > Frontend > Add

  • Edit HAProxy Frontend > Name: ZoneDirector
  • External adress > Port: 443
  • External adress > SSL Offloading: tick
  • Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
    • Name: ZDHost
    • Expression: Host matches:
    • Value: <external IP>
  • Default backend, access control lists and actions > Access Control lists > add another entry (the down arrow)
    • Name: ZDFirmwarePath
    • Expression: Path starts with:
    • Value: /firmwares/avpport
  • Default backend, access control lists and actions > Actions > add another entry (the down arrow)
    • Condition acl names: ZDHost ZDFirmwarePath
    • backend: ZoneDirector
  • SSL Offloading > Certificate > <external IP> (CA: internal-ca) [Server cer]
  • SSL Offloading > Certificate > Add ACL for certificate CommonName. (host header matches the "CN" of the certificate): tick
  • Save

Apply Changes

Enable HAProxy

Services > HAProxy > Settings

  • General settings > Enable HAProxy: tick
  • General settings > Maximum connections: 5 (any number here, the # of APs is a safe bet)
  • Save

Apply Changes (ignore the warnings)

Add Firewall Rule so HAProxy receives traffic

Firewall > Rules > WAN > Add (the down arrow)

  • Destination > Destination > This firewall (self)
  • Destination > Destination Port Range > From: HTTPS (443)

TIP

If you can apply a Source rule (e.g. an ISP's IP range) then do so

  • Save

Apply Changes

AP configuration steps

  • Install the latest Solo software image onto your AP
  • SSH into the AP's CLI and configure the ZoneDirector's static external IP address:-
    set director ip <external IP>
    reboot

Released under the BSD Zero Clause License.