I have an MX64 firewall and recently got some new Meraki MR33 access points. I am trying to configure 1 SSID for Internal and 1 for guest. My main issue is that what seems to be the best / main option for the guest network is NAT mode, which uses IP addresses in the 10.0.0.0/8 range. Unfortunately, I already use 10.0.0.0 internally.
My current configuration uses two VLANs. On one, Internal computers get DHCP from a Windows 2012 R2 server. On the other, guest computers on Wi-Fi get DHCP from the MX64 (10.0.2.0/24). I almost wish I could keep it… but I already paid for the APs. I also have a new Ubiquiti switch since I am out of space on the existing one.
I think I have a few options and would really appreciate the advice.
- Change internal IP addressing, using something like 10.0.2.0 internally and NAT mode for the wireless guest network – I’m afraid this would cause a lot of problems and think I would like to avoid it.
- Use NAT mode: Use Meraki DHCP for the guest network and hope I never have conflicts with an IP already distributed and in use internally. The 2012 server continues to be the DHCP server for internal computers. If I use this option, do you think it is best to plug the APs into the MX64 or my switch?
- Configure 2 VLANs on my switch - 1 for Wi-Fi guests, 1 for internal - use Layer 3 roaming for both the internal and guest SSIDs. I think this is similar to what I have now? Do you think I can configure this to be as secure as the isolated 10.0.0.0/8 offered by the NAT mode?
- Move DHCP from Windows 2012 R2 to the MX64 and keep using the 10.0.0.0 addressing for all computers on one VLAN. I kind of like this option because of the ability to use OpenDNS, but will I run into issues with Active Directory?
- Other options?
Hopefully that all makes sense. I would really appreciate any advice.