
As much as I hate it, I’ve been told to set up an open wireless network for our campus. I created a VLAN with access lists that deny all traffic to inside our network, and created the open SSID to put on it. Traffic can flow freely now from the open wireless to the internet.


However, I’m using a public DNS for the clients and they’re unable to reach our locally hosted (NAT’d) web servers.  We’re currently using a Cisco ASA at the edge of our network which does all of our NAT’ing.  I could open up the VLAN access list a bit and allow them access to our internal DNS & web servers, but I’d rather not.


Has anyone run into this issue before? What are the “best practices” at this point… other than removing the public network in the first place!


Thanks in advance,




********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at




I do not know what system you are using for wireless. Here at Liberty University, our current Guest wireless system with Aruba is set up much like the Cisco recommended system.


Guest traffic is tunneled from our local controllers to a guest anchor controller that is in a DMZ. The network firewall rules then determine what minimal inside access is allowed. Our local controllers present a captive portal page that users need to click through to accept our terms of service.


Aruba’s general recommended setup uses the controller firewall to restrict inside access, as necessary.


We will be moving some of our guest wireless access to a sponsored mode, using the Aruba ClearPass Guest (formerly Amigopod) system.




Bruce Osborne

Network Engineer

IT Network Services


(434) 592-4229



Training Champions for Christ since 1971




We have a separate DNS server in our DMZ just for guest wireless.  That gives us the control to point users at the public or private IPs of necessary servers, as well as access to non-publicly advertised sites if any are needed. 


But as Bruce described, having a controller interface or anchor controller in a DMZ is what brings it together.



Wyatt Schill

Network Engineer

Green River CC