The Server constraints are:

1. Does not support CAPWAP packets from different APs arriving at WLC with same source IP:port.
2. Does not support CAPWAP packets from same AP arriving at WLC with different source IP.
3. Does support CAPWAP packets from same AP arriving at WLC using same source IP and different source port as long as one single source port is used for data and another single source port is used for control

So I don't think this IP Pools solution solves my problem.

The second question I ask is whether this "reuse" behavior of the source port is normal or not.

Yes, fixed port is disabled: https://i.imgur.com/NkGjasH.png

I have is not having one session to the target (I have cases where +150 access points that need to be natted behind the same Public IP = 300 CAPWAP sessions vs same Public IP with same Local Source Port).

So, the WLC on the on the other hand side is not able to distinguish the traffic if it comes from Capwap-DATA or Capwap-CTRL if it comes from the same src-port (and obviously same src-ip)

But now that we know the Host Target limitation, I'm trying to figure out if there's a way around this behavior

The basic SNAT behaviour is not configurable. Take-it-or-leave-it.

Try the IP pool approach that I suggested.

edit: And honestly, I would recommend chasing the WLC vendor, because clearly they don't support general NAT of traffic properly. They should be the ones primarily fixing their own mess up.

---

@pminarik wrote:

Consider applying an IP pool with port-ranges ("fixed port range" or "port block allocation") assigned to a firewall policy just for this specific traffic. The port-ranges will ensure that the SNAT source-ports are shifted into different port ranges.

---

Can you explain this point better? Keep in mind that I must always present my "Natted Devices" to the Target-IP with the same Public IP for both Services (Capwap CTRL = UDP/5246 + Capwap DATA = UDP/5247)

Thanks!

This type of IP pool will assign port-ranges to individual LAN clients.
LAN-1 -> srcports N ~ N+100

LAN-2 ->srcports M ~ M+100

etc.

This should in theory naturally ensure that two APs don't share the same SNAT port across different sessions to WLC's different destination ports.

-----------------------

One more idea. If you want to try something fancy, you can try using VIPs to force static SNAT. Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-a-VIP-s-External-IP-Address-for...

This will only work if your APs can be statically configured to use one specific source-port for the traffic, different for each.

VIP: <WLC>:<CAPWAP-port-X> -> <AP-LAN-IP>:<static-srcport>
- repeat for each AP
- Add it into a deny policy in the WAN->LAN direction (won't do anything, except trigger the desired SNAT behaviour; all VIPs can be in a single policy)

- ensure that the AP->WLC traffic passes through a LAN->WAN (reverse to the VIP) policy with basic SNAT ("using egress interface IP").

All APs always use the same Source Port (UDP/5270) for both CAPWAP CTRL+DATA flows and I can't change it.

The solution of assigning small pools of src-ports for each individual IP LAN Client seems fine, Could you give me some links that explain how to configure this?

Samples for both IP pools are shown here: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/29961/dynamic-snat