Have not started this yet but have a very remote office that requires access to a NAS device over a LAN. They require no access to WAN and need to be prevented from access to WAN as to not touch the limited quota. The NAS device does need access to LAN to perform very small (5-10mb) cloud backups at night.
Thinking of using an MX64 for the job and ideally have:
Group A (NAS only) - access to LAN + WAN
Group B (All other devices i.e. Printers + Client Computers) - access to LAN . no access to WAN
How would you go about achieving this on the Meraki unit?
As @ww says create L3 firewall rules. However I would create the default rules that prevent access to the WAN (so by default if something is plugged it the network is secure).
Then create a group policy with overrides these firewall rules, and gives access to the WAN. Then apply this group policy to those clients who you want to have additional access (so additional access is given by exception, not default).