Looking to get our guest and BYOD users access over wireless to the corporate AV VLAN.
Our guest and BYOD users are on SSIDs using NAT mode (Clients receive IP addresses in an isolated 10.0.0.0/8 network.) Our corporate AV VLAN contains our Sonos speakers. This is on a VLAN using a different IP scheme (172.X.X.X).
Within the firewall and traffic shaping rules for the SSIDs, what's the ideal way to allow those devices access? I've attached a screenshot of what it's at. I realize it is deny, but what would be the correct way to allow traffic from 10.0.0.0/8 to 172.X.X.X/24 for our Sonos to be reachable for employees to access?
We want to keep them from accessing anything but that AV VLAN.
The Sonos app relies on multicasts that are (by default) only casted onto the local subnet they're on. Opening up the firewall is not enough. You'll need to have some kind of proxy to copy over these multicasts between subnets. The bonjour forwarding functionality may be of help but I'm not sure. I really should take some time to experiment with this as I have Sonos at home but I haven't gotten around to it.
More info about Bonjour Forwarding on Meraki:
had the same planned here but didn't manage to have it working in a safe and easy wasy.
we have BYOD/Guest wifi and corporate wifi.
Sonos should be reachable by both on a dedicated VLAN....
eventually used a spare Airport Extreme to have a dedicated wifi for the sonos and a controller iPad.
employees can connect to this wifi if they want to control the music.
the Airport is connected to Meraki where it's on a dedicated isolated vlan
It just wasn't worth the time playing with firewall rules and multicast proxies :shrug: it felt like leaving doors open for attackers