Configuration to make a Cisco Aironet 1815w work

Hi,

I'd like to find a good configuration of OpenWRT to allow me to use a Cisco Aironet 1815w linked by ethernet to my router. I need this access point (AP), lent by my company, to be operational behind my modem/router to allow me to work from home one day per week. Unfortunately, I was (lately) informed that it is "not compatible with the hardware" given by my ISP (and I'm reluctant to change my ISP right now for this sole reason).

Indeed the Cisco AP can't manage to sync with my company's server when plugged into my ISP modem/router. So I bought a Netgear R7800 modem, installed OpenWRT on it, and used it to replace the ISP router: thanks to the fact that OpenWRT gives access to DHCP option 60 (not the case with the official Netgear firmware afaik), it was surprisingly easy to connect to the internet via the R7800 instead of my ISP router (I just put an ISP-specific id in this option; I did not even need to fill in a login/password). But the Cisco still doesn't manage to connect to my company server (LED cycling red/yellow/green forever after the initial boot phase of the Cisco AP).

Some technical notes:

  • the R7800 is connected via the ONT of my ISP since I'm using FTTH
  • this AP syncs correctly when tested by a friend who uses a different ISP.
  • I have no access to the admin part of the AP (I can reach the admin interface via HTTP but I don't have the login/password), so I use a computer on my personal network as a surrogate when I test whether the ports are open or not.

Normal that it didn't work, I thought, since 2 UDP ports (5246-5247, the CAPWAP ports) need to be open according to my company (and confirmed by reading the Cisco documentation). By the way, it seems this is the problem with my ISP router; even when put in the DMZ, the UDP ports remained closed, contrary to TCP ports (buggy firmware according to some forum).
So I tried to 'dive' into the LuCI settings to open these ports; first individually (no success, the Cisco didn't sync), then by temporarily putting the Cisco stuff in a "DMZ" by applying the technique described here. It didn't work either.
Using a computer on my network, plus another one connected to the internet via my mobile phone (i.e. with a different IP), I was able to test that the UDP ports were open this time (using the "nc -uvz" technique described here).

Getting back to the Cisco documentation, I found that it may be more complex than I thought. Here is the interesting part of the doc:

Note: When you are installing a Layer 3 access point on a different subnet than the Cisco wireless LAN controller, be sure that 
- a DHCP server is reachable from the subnet on which you will be installing the access point,
- and that the subnet has a route back to the Cisco wireless LAN controller. 
- Also be sure that the route back to the Cisco wireless LAN controller has destination UDP ports 5246 and 5247 open for CAPWAP communications. 
- Ensure that the route back to the primary, secondary, and tertiary wireless LAN controller allows IP packet fragments. 
- Finally, be sure that if address translation is used, that the access point and the Cisco wireless LAN controller have a static 1-to-1 NAT to an outside address. (Port Address Translation is not supported.)

So as far as I understand, it is not just a 'port opening/forwarding' issue. The last bullet point is particularly obscure for the networking newbie I am.

So the question (sorry for the long introduction):
Could someone here help to decipher these doc requirements and to determine if there is a chance that the combination R7800+OpenWRT could solve my problem (i.e. allow the Cisco AP to sync)? If yes, what are the right OpenWRT settings to put in LuCI? Or via the console if not possible via LuCI (I am not a Linux expert but I am able to connect via SSH to the R7800 and edit some config files if needed)?

Thanks in advance for your help,

At least as I understand it from your description, the employer-supplied equipment expects the remote to be at a constant, public address with the two ports open for UDP traffic.

To accomplish that, I'd try:

  • Set up a DHCP reservation for the Aironet
  • Static NAT your public IP address, UDP, port 5246 to Aironet port 5246
  • Static NAT your public IP address, UDP, port 5247 to Aironet port 5247
  • Open the firewall to incoming UDP 5246-5247, ideally limiting to the source address of your employer

First, thanks for taking the time to read my post and for your answer.

  • Set up a DHCP reservation for the Aironet

I interpret it as using "Static lease" in the DHCP part of the LuCI interface: I think I did it properly since the Aironet always gets the same IP (192.168.1.154). It is probably obvious for you, but sometimes it is confusing for newbies to cope with equivalent/alternative expressions like this.

  • Static NAT your public IP address, UDP, port 5246 to Aironet port 5246 / Static NAT your public IP address, UDP, port 5247 to Aironet port 5247
  • Open the firewall to incoming UDP 5246-5247, ideally limiting to the source address of your employer

Here I'm not sure of the right way to do this. As badly explained in my post, I tried to do it via the Firewall menu of the LuCI interface by creating "Traffic rules".
Note that at this stage, security is not an issue, so I will request the IP of their server from my employer once I manage to make the Cisco work, to increase the security.

Could you please show me what LuCI should display when these 3 rules are properly set up?
In this kind of format:

Any udp
From any host in any zone                                           Accept input
To any router IP at port 5246 on this device

I tried different combinations. Probably some conflicting ones. Please keep in mind I'm a newbie and I haven't mastered the proper use of port opening, forward rules, etc. But in my defense, it is the first time I have used OpenWRT! When I performed port forwarding in the past, it was on easy examples and on the limited router of my ISP (few choices).

Thanks in advance for any advice you could give.

For the static NAT advice: are these settings correct (as displayed by LuCI)? I've replaced my true public IP with myPublicIP.
Or is it something else? I'm a bit lost for 2 reasons:

  • for me it is only port forwarding, except I specify myPublicIP
  • when you specify ports, it is not NAT, but PAT
IPv4-udp
From any host in wan
Via IP myPublicIP at port 5246

Forward to:
IP 192.168.1.154, port 5246 in lan

IPv4-udp
From any host in wan
Via IP myPublicIP at port 5247

Forward to:
IP 192.168.1.154, port 5247 in lan
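Added example (editor's code, not from any post in this thread): the same three pieces of configuration expressed as an OpenWrt `uci batch` script, so they can be applied over SSH and compared against what LuCI shows. It covers the DHCP reservation and the two static UDP port maps from the reply above, and corresponds to the two LuCI "Port Forwards" entries pasted just before this. The AP's LAN address 192.168.1.154 is the one from the thread; the AP's MAC address, the controller's public address (203.0.113.10, a documentation address), and the script name capwap-nat.sh are placeholders and must be replaced with the real values.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and on an OpenWrt router apply,
# the static lease plus the two UDP DNAT redirects a CAPWAP access point needs.
# Placeholders (assumptions, not values from the post): AP_MAC and WLC_IP.

AP_MAC='00:11:22:33:44:55'   # placeholder: the Aironet's MAC, for the static lease
AP_IP='192.168.1.154'        # the AP's LAN address given in the thread
WLC_IP='203.0.113.10'        # placeholder: the employer's wireless LAN controller

# One DNAT redirect (LuCI "Port Forwards"): WAN UDP $3 -> AP UDP $3, with the
# port number kept unchanged. src_ip restricts it to packets from the controller
# so the ports are not reachable from the whole internet; drop that line while
# the controller address is still unknown.
# $1 = UCI section name, $2 = human-readable name, $3 = UDP port
redirect_stanza() {
  cat <<EOF
set firewall.$1=redirect
set firewall.$1.name='$2'
set firewall.$1.src='wan'
set firewall.$1.src_ip='$WLC_IP'
set firewall.$1.proto='udp'
set firewall.$1.src_dport='$3'
set firewall.$1.dest='lan'
set firewall.$1.dest_ip='$AP_IP'
set firewall.$1.dest_port='$3'
set firewall.$1.target='DNAT'
EOF
}

# The static DHCP lease (LuCI "Static Leases") so the AP always keeps $AP_IP.
lease_stanza() {
  cat <<EOF
set dhcp.aironet=host
set dhcp.aironet.name='aironet'
set dhcp.aironet.mac='$AP_MAC'
set dhcp.aironet.ip='$AP_IP'
EOF
}

# Complete batch: lease, CAPWAP control (UDP 5246), CAPWAP data (UDP 5247).
uci_batch_script() {
  lease_stanza
  redirect_stanza capwap_ctl  'CAPWAP control' 5246
  redirect_stanza capwap_data 'CAPWAP data'    5247
  echo 'commit dhcp'
  echo 'commit firewall'
}

# On the router: feed the batch to uci and reload dnsmasq and the firewall.
# Anywhere else (no uci binary): just print the batch for review.
# Usage: sh capwap-nat.sh
if command -v uci >/dev/null 2>&1; then
  uci_batch_script | uci batch \
    && /etc/init.d/dnsmasq restart \
    && /etc/init.d/firewall restart
else
  uci_batch_script
fi
```

Two points worth checking against the thread. First, in OpenWrt a `redirect` with target DNAT already accepts the forwarded traffic, so the separate "Open the firewall to incoming UDP" step needs no extra traffic rule; an `Accept input` rule like the one pasted earlier targets the router itself and does not reach the AP. Second, because both `src_dport` and `dest_port` are the same number, this is port forwarding without port translation, which is as close to the "static 1-to-1 NAT" of the Cisco note as a single public IPv4 address allows; whether the employer's controller accepts an AP behind it is something only their side can confirm.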