Hello,
I have an MX64 firewall and recently got some new Meraki MR33 access points. I am trying to configure 1 SSID for Internal and 1 for guest. My main issue is that what seems to be the best / main option for the guest network, NAT mode, uses IP addresses in the 10.0.0.0/8 range. Unfortunately, I already use 10.0.0.0 internally.
My current configuration uses two VLANs. On one, internal computers get DHCP from a Windows 2012 R2 server. On the other, guest computers on Wi-Fi get DHCP from the MX64 (10.0.2.0/24). I almost wish I could keep it… but I already paid for the APs. I also have a new Ubiquiti switch since I am out of space on the existing one.
I think I have a few options and would really appreciate the advice.
Hopefully that all makes sense. I would really appreciate any advice.
@bismarckpalm wrote: My main issue is that what seems to be the best / main option for the guest network, NAT mode, uses IP addresses in the 10.0.0.0/8 range. Unfortunately, I already use 10.0.0.0 internally.
This doesn't matter, thankfully. NAT mode means that the AP is actually NATing the clients, so the client sees the AP as its gateway/DNS, etc. The AP will just proxy all the traffic to your MX and send it out to the internet, etc.
> Configure 2 VLANs on my switch - 1 for Wi-Fi guests, 1 for internal - use Layer 3 roaming for both the internal and guest SSIDs. I think this is similar to what I have now? Do you think I can configure this to be as secure as the isolated 10.0.0.0/8 offered by the NAT mode?
I would go for two VLANs. Configure the SSIDs to use bridging, not layer 3 roaming. Create a group policy on the MX and apply it to the guest VLAN. In that group policy create firewall rules blocking access to Internal resources.
Thank you for the suggestions! Any thoughts on #4? Would it be too much to move the DNS and DHCP to the MX64?
I prefer to keep DHCP on an AD server when I can, for production VLANs. An MX won't let you cancel an existing lease one by one, and that's something I have to do semi-regularly for my clients.
If I've got a separately configured VLAN for a guest network, then DHCP goes on the MX and I make sure the firewall rules block access between my production VLAN(s) and my guest VLAN.
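Both replies above recommend the same design: bridge the guest SSID onto its own VLAN, let the MX hand out DHCP there, and use a group policy with L3 firewall rules so guest clients can reach the internet but not the internal 10.0.0.0/8 space. The block below is an added example, not code from this thread or from Meraki. It builds such a rule set in the shape the Meraki Dashboard API v1 uses for group-policy `l3FirewallRules` (field names as documented for `POST /networks/{networkId}/groupPolicies`; verify against the current API reference before relying on them) and includes a small offline first-match evaluator so you can check what the rules actually do to sample flows before pushing them. The gateway address 10.0.2.1 for the MX's interface on the 10.0.2.0/24 guest VLAN is an assumption; so is the policy name.

```python
"""Guest-VLAN group-policy rules for an MX, plus an offline first-match checker.

Added example for the thread above; not Meraki's code. Assumptions: the MX
owns 10.0.2.1 on the guest VLAN and serves DNS there; the policy name is ours.
"""
import ipaddress
import json
import os
import urllib.request

GUEST_GATEWAY = "10.0.2.1"   # assumed: MX interface / DNS resolver on guest VLAN
POLICY_NAME = "Guest-WiFi"   # assumed name for the group policy

# Order matters: the MX evaluates L3 rules top-down, first match wins, and
# anything unmatched falls through to the implicit "allow any" at the bottom.
# The DNS allows must come BEFORE the 10/8 deny or guests lose name resolution,
# because the MX's own guest-VLAN address is inside 10.0.0.0/8.
GUEST_L3_RULES = [
    {"comment": "DNS (UDP) to the MX on the guest VLAN", "policy": "allow",
     "protocol": "udp", "destPort": "53", "destCidr": f"{GUEST_GATEWAY}/32"},
    {"comment": "DNS (TCP) to the MX on the guest VLAN", "policy": "allow",
     "protocol": "tcp", "destPort": "53", "destCidr": f"{GUEST_GATEWAY}/32"},
    {"comment": "Block internal 10/8 (all production VLANs)", "policy": "deny",
     "protocol": "any", "destPort": "any", "destCidr": "10.0.0.0/8"},
    {"comment": "Block 172.16/12", "policy": "deny",
     "protocol": "any", "destPort": "any", "destCidr": "172.16.0.0/12"},
    {"comment": "Block 192.168/16", "policy": "deny",
     "protocol": "any", "destPort": "any", "destCidr": "192.168.0.0/16"},
]


def group_policy_payload(rules=GUEST_L3_RULES):
    """Body for POST /networks/{networkId}/groupPolicies (apply it to the guest VLAN)."""
    return {
        "name": POLICY_NAME,
        "firewallAndTrafficShaping": {"settings": "custom", "l3FirewallRules": rules},
    }


def _port_matches(spec, port):
    """destPort is 'any', a port, a range 'a-b', or a comma list of those."""
    if spec == "any":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, dst_ip, protocol, dst_port):
    """Return (policy, comment) of the first matching rule for a guest-originated flow."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        cidr = rule["destCidr"]
        if cidr != "any" and ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        if not _port_matches(rule["destPort"], dst_port):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "implicit default allow"


def check_rules(rules=GUEST_L3_RULES):
    """Constructed sample flows a guest client might attempt; returns {label: policy}."""
    flows = {
        "dns-to-mx":        (GUEST_GATEWAY, "udp", 53),
        "smb-to-fileserver": ("10.0.1.10", "tcp", 445),
        "smb-to-mx-itself": (GUEST_GATEWAY, "tcp", 445),
        "https-internet":   ("203.0.113.7", "tcp", 443),
        "ping-192.168":     ("192.168.1.1", "icmp", 0),
        "http-172.16":      ("172.16.5.5", "tcp", 80),
    }
    return {label: evaluate(rules, *flow)[0] for label, flow in flows.items()}


def push_policy(network_id, api_key, payload):
    """Create the group policy via the Dashboard API (only runs if you call it)."""
    req = urllib.request.Request(
        f"https://api.meraki.com/api/v1/networks/{network_id}/groupPolicies",
        data=json.dumps(payload).encode(),
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, verdict in check_rules().items():
        print(f"{label:20s} {verdict}")
    if os.environ.get("MERAKI_NETWORK_ID") and os.environ.get("MERAKI_API_KEY"):
        print(push_policy(os.environ["MERAKI_NETWORK_ID"], os.environ["MERAKI_API_KEY"],
                          group_policy_payload()))
```

Run it with no environment variables to see the verdicts offline; set `MERAKI_NETWORK_ID` and `MERAKI_API_KEY` to actually create the policy, then attach it to the guest VLAN in Dashboard. Note that `smb-to-mx-itself` is denied while `dns-to-mx` is allowed: the MX's guest-side address sits inside 10.0.0.0/8, so only the explicitly allowed DNS ports survive the deny, which is the behaviour you want. Wireless-to-wireless traffic inside the guest VLAN never reaches these L3 rules; use the SSID's client isolation setting on the MRs for that.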