I have spent a lot of time troubleshooting this and think I've narrowed down the problem. Here is the setup:
I've got two 4402 controllers running 220.127.116.11. The guest SSID is mapped to a dynamic interface (VLAN). The VLAN is trunked through one switch where it connects to a DSL modem. It's a Siemens DSL modem that does NAT. So essentially from the perspective of a guest user it is a flat network.
I have a DHCP scope set up on the WLCs. When a guest client connects, it receives an address. Then they open a web browser and say their homepage is http://www.google.com. It times out waiting for a DNS reply.
I did a sniffer trace on the port going to the DSL modem. I see the DNS query with a source IP address of the guest client PC and destination address of the DSL modem (which I guess gets NAT'd to the real DNS server). Then I see the DSL modem ARP for the MAC address of the guest client PC. But here's the kicker: nobody replies to the ARP request. And I believe that is why the guest client is timing out.
It works fine if I bypass the DNS capture by using https://18.104.22.168/login.html. Also once I authenticate, DNS from the client PC works great, so I know it's not an issue with NAT.
I'm guessing the WLC should be responding to the ARP request since the guest client PC cannot talk to the gateway at this point in the process. But why is it not answering?
I'd also like to point out that I first tried all of this on 22.214.171.124 but had the same issues.
Thanks for any help you can provide.
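An added example, not code from the original post or from Cisco, that automates the check the poster did by hand in the sniffer trace: it reads `tcpdump -n` style lines, pairs each ARP request with any reply for the same target within a short wait window, pairs each DNS query with its response by transaction ID, and reports clients whose DNS queries went unanswered together with how many ARP requests for their address nobody answered. The capture lines, IP addresses and MAC addresses below are constructed for the illustration, not taken from the poster's network; the parser only recognises the ARP and DNS line shapes shown and skips everything else.

```python
"""Correlate unanswered DNS queries with unanswered ARP requests in tcpdump -n output."""
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n -i <port>`; not a real capture.
# Client .50 is the guest stuck behind the web-auth redirect: its DNS query goes out,
# the gateway ARPs for it, nothing answers.  Client .60 is a control whose ARP and
# DNS both complete normally.
CAPTURE = """\
10:00:00.000050 IP 10.10.10.50.51234 > 10.10.10.1.53: 12345+ A? www.google.com. (32)
10:00:00.000100 ARP, Request who-has 10.10.10.50 tell 10.10.10.1, length 28
10:00:01.000100 ARP, Request who-has 10.10.10.50 tell 10.10.10.1, length 28
10:00:02.000100 ARP, Request who-has 10.10.10.50 tell 10.10.10.1, length 28
10:00:05.000050 IP 10.10.10.50.51234 > 10.10.10.1.53: 12345+ A? www.google.com. (32)
10:00:07.000000 IP 10.10.10.60.51235 > 10.10.10.1.53: 12346+ A? www.google.com. (32)
10:00:07.000100 ARP, Request who-has 10.10.10.60 tell 10.10.10.1, length 28
10:00:07.000200 ARP, Reply 10.10.10.60 is-at 00:11:22:33:44:66, length 28
10:00:07.020000 IP 10.10.10.1.53 > 10.10.10.60.51235: 12346 1/0/0 A 74.125.0.1 (48)
"""

# Line shapes as printed by tcpdump -n (timestamp, then ARP or IP summary).
ARP_REQ = re.compile(r"^(\S+) ARP, Request who-has ([\d.]+) tell ([\d.]+),")
ARP_REP = re.compile(r"^(\S+) ARP, Reply ([\d.]+) is-at ([0-9a-fA-F:]+),")
DNS_Q = re.compile(r"^(\S+) IP ([\d.]+)\.\d+ > ([\d.]+)\.53: (\d+)\+")
DNS_R = re.compile(r"^(\S+) IP ([\d.]+)\.53 > ([\d.]+)\.\d+: (\d+) ")


def to_seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Turn tcpdump -n lines into event dicts; lines matching none of the shapes are skipped."""
    events = []
    for line in text.splitlines():
        if m := ARP_REQ.match(line):
            events.append({"t": to_seconds(m[1]), "kind": "arp_req", "target": m[2], "asker": m[3]})
        elif m := ARP_REP.match(line):
            events.append({"t": to_seconds(m[1]), "kind": "arp_rep", "target": m[2], "mac": m[3]})
        elif m := DNS_Q.match(line):
            events.append({"t": to_seconds(m[1]), "kind": "dns_q", "client": m[2], "server": m[3], "id": m[4]})
        elif m := DNS_R.match(line):
            events.append({"t": to_seconds(m[1]), "kind": "dns_r", "server": m[2], "client": m[3], "id": m[4]})
    return events


def unanswered_arp(events, wait=1.0):
    """Map target IP -> number of ARP requests for it with no reply within `wait` seconds."""
    replies = [(e["t"], e["target"]) for e in events if e["kind"] == "arp_rep"]
    counts = defaultdict(int)
    for e in events:
        if e["kind"] != "arp_req":
            continue
        answered = any(
            tgt == e["target"] and 0 <= t_rep - e["t"] <= wait for t_rep, tgt in replies
        )
        if not answered:
            counts[e["target"]] += 1
    return dict(counts)


def stranded_dns(events):
    """Map client IP -> number of its DNS queries (by transaction ID) that got no response."""
    answered = {(e["client"], e["id"]) for e in events if e["kind"] == "dns_r"}
    stranded = defaultdict(int)
    for e in events:
        if e["kind"] == "dns_q" and (e["client"], e["id"]) not in answered:
            stranded[e["client"]] += 1
    return dict(stranded)


def diagnose(text, wait=1.0):
    """For each client whose DNS went unanswered, report how many ARP requests for the
    client's own address also went unanswered.  A non-zero arp_unanswered next to
    dns_unanswered is the pattern described in the post: the DNS reply cannot be
    delivered because nothing answers ARP for the client."""
    events = parse(text)
    arp = unanswered_arp(events, wait)
    return {
        ip: {"dns_unanswered": n, "arp_unanswered": arp.get(ip, 0)}
        for ip, n in stranded_dns(events).items()
    }


if __name__ == "__main__":
    for ip, info in diagnose(CAPTURE).items():
        print(f"{ip}: {info['dns_unanswered']} DNS queries unanswered, "
              f"{info['arp_unanswered']} ARP requests for this host unanswered")
```

To run it against a real trace, capture on the switch port facing the DSL modem with `tcpdump -n -i <iface> 'arp or port 53' > trace.txt` and pass the file contents to `diagnose()`; the control client in the sample shows that a host with a normal ARP reply and DNS response is not reported.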