Connect APs to ZoneDirector over the public Internet
You can use ZoneDirector to manage APs at remote internet-connected locations, and tunnel selected traffic back to your network.
Your ZoneDirector can be behind a NAT router, but this router requires a static WAN IP address.
Your APs can be behind NAT or double-NAT (e.g. if your ISP uses CGNAT).
You need to forward incoming WAN traffic on UDP 12222, 12223 and TCP 443, 11443 to your ZoneDirector.
And you need to configure your APs with the public IP address of your ZoneDirector.
A complication is that the ZoneDirector Management Interface also uses port 443, and you don't want to expose this to the internet.
Besides, you might already be serving an unrelated website on port 443.
These problems can be addressed by installing a reverse proxy (if you haven't already), and only passing HTTPS traffic if it matches the specific URL which ZoneDirector AP provisioning requires.
Other Firewalls
This guide configures NAT and HAProxy on pfSense. You will need to adapt the steps to suit other firewalls.
Coexistence with SmartZone
If you also follow the SmartZone Guide then SmartZone and ZoneDirector can share a single WAN IP address.
Coexistence with Unleashed Dedicated Master
Unleashed Dedicated Master shares some URLs with ZoneDirector, so it's not straightforward for ZoneDirector to share a single WAN IP with Unleashed Dedicated Master.
ZoneDirector configuration steps
You should enable Secure AP Provisioning (which is the default for ZoneDirector 10.5.1).
Firewall (pfSense) configuration steps
Add Port Aliases
Firewall
> Aliases
> Ports
> Add
- Properties > Name:
ZoneDirectorUdp
- Port(s) > Port:
12222:12223
Save
Firewall
> Aliases
> Ports
> Add
- Properties > Name:
ZoneDirectorTcp
- Port(s) > Port:
11443
Save
Apply Changes
Add NAT Port Forwards
Firewall
> NAT
> Port Forward
> Add
(the down arrow)
- Edit Redirect Entry > Protocol:
UDP
- Edit Redirect Entry > Destination port range > Custom:
ZoneDirectorUdp
TIP
If you can apply a Source rule (e.g. an ISP's IP range) then do so
- Edit Redirect Entry > Redirect target IP > Address:
<ZoneDirector IP>
- Edit Redirect Entry > Redirect target port > Custom:
ZoneDirectorUdp
Save
Firewall
> NAT
> Port Forward
> Add
(the down arrow)
- Edit Redirect Entry > Protocol:
TCP
- Edit Redirect Entry > Destination port range > Custom:
ZoneDirectorTcp
TIP
If you can apply a Source rule (e.g. an ISP's IP range) then do so
- Edit Redirect Entry > Redirect target IP > Address:
<ZoneDirector IP>
- Edit Redirect Entry > Redirect target port > Custom:
ZoneDirectorTcp
Save
Apply Changes
Add CA and Certificate for HAProxy Frontend
System
> Certificates
> Authorities
> Add
- Create / Edit CA > Descriptive name:
internal-ca
Save
System
> Certificates
> Certificates
> Add/Sign
- Add Sign a New Certificate > Descriptive name:
<external IP>
- Internal Certificate > Certificate authority:
internal-ca
- Internal Certificate > Common name:
<external IP>
- Certificate Attributes > Certificate Type:
Server Certificate
Save
Install HAProxy
System
> Package Manager
> Available Packages
> haproxy-devel
> Install
> Confirm
Create HAProxy Backend
Services
> HAProxy
> Backend
> Add
- Edit HAProxy Backend server pool > Name:
ZoneDirector
- Edit HAProxy Backend server pool > Server list >
add another entry
(the down arrow)
- Name:
ZDAPConfig
- Address:
<ZoneDirector IP>
- Port:
443
- Encrypt:
tick
- Health checking > Health check method >
none
Save
Apply Changes
Create HAProxy Frontend
Services
> HAProxy
> Frontend
> Add
- Edit HAProxy Frontend > Name:
ZoneDirector
- External address > Port:
443
- External address > SSL Offloading:
tick
- Default backend, access control lists and actions > Access Control lists >
add another entry
(the down arrow)
- Name:
ZDHost
- Expression:
Host matches:
- Value:
<external IP>
- Default backend, access control lists and actions > Access Control lists >
add another entry
(the down arrow)
- Name:
ZDFirmwarePath
- Expression:
Path starts with:
- Value:
/firmwares
- Default backend, access control lists and actions > Actions >
add another entry
(the down arrow)
- Condition acl names:
ZDHost ZDFirmwarePath
- backend:
ZoneDirector
- SSL Offloading > Certificate >
<external IP> (CA: internal-ca) [Server cert]
- SSL Offloading > Certificate > Add ACL for certificate CommonName. (host header matches the "CN" of the certificate):
tick
Save
Apply Changes
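As an added example that is not part of the original guide, here is an approximation of the haproxy.cfg that the backend and frontend steps above produce, so you can compare the security-relevant lines against what pfSense actually generates. The addresses (203.0.113.10 as the external IP, 192.0.2.20 as the ZoneDirector IP), the certificate path, the timeouts and the "verify none" setting are assumptions, and pfSense names its generated sections slightly differently.

```haproxy
# Added example: approximates the configuration the pfSense GUI steps produce.
# Not the page's or pfSense's own generated output. 203.0.113.10 (external IP)
# and 192.0.2.20 (ZoneDirector IP) are constructed placeholders.
global
    # "Maximum connections: 5" from the HAProxy Settings page
    maxconn 5

defaults
    mode http
    # assumed timeouts; pfSense supplies its own defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ZoneDirector
    # SSL Offloading: terminate TLS on the firewall with the internal-ca
    # server certificate (pfSense writes key and chain into one .pem;
    # the path is an assumption).
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/ZoneDirector.pem

    # ZDHost: the Host header must be the external IP, which is exactly what
    # the AP sends after "set director ip <external IP>".
    acl ZDHost hdr(host) -i 203.0.113.10
    # ZDFirmwarePath: only the AP provisioning URL space is allowed through.
    acl ZDFirmwarePath path_beg -i /firmwares

    # Two ACL names on one rule are ANDed: both must match.
    use_backend ZoneDirector if ZDHost ZDFirmwarePath

    # Deliberately no default_backend: any other request, including the
    # ZoneDirector management interface at "/", is answered by HAProxy with
    # a 503 and never reaches ZoneDirector.

backend ZoneDirector
    # Encrypt: re-encrypt towards ZoneDirector, which serves provisioning
    # over HTTPS on 443. "verify none" is assumed to be the GUI default for
    # the Encrypt (SSL) option.
    server ZDAPConfig 192.0.2.20:443 ssl verify none
```

To confirm the management interface is not exposed once everything is applied, test from outside your network: `curl -k -o /dev/null -w '%{http_code}\n' https://<external IP>/` should print `503` (no backend matches, so HAProxy answers itself), and the same request with a different Host header (`-H 'Host: example.com'`) should also be refused, while a request for a path under `/firmwares` is the only one that should be forwarded to ZoneDirector.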
Enable HAProxy
Services
> HAProxy
> Settings
- General settings > Enable HAProxy:
tick
- General settings > Maximum connections:
5
(any number; the number of APs is a safe bet)
Save
Apply Changes
(ignore the warnings)
Add Firewall Rule so HAProxy receives traffic
Firewall
> Rules
> WAN
> Add
(the down arrow)
- Destination > Destination >
This firewall (self)
- Destination > Destination Port Range > From:
HTTPS (443)
TIP
If you can apply a Source rule (e.g. an ISP's IP range) then do so
Save
Apply Changes
AP configuration steps
- Install the latest Solo software image onto your AP
- SSH into the AP's CLI and configure the ZoneDirector's static external IP address:
```console
set director ip <external IP>
reboot
```