Guest Wifi with "internal" captive portal

Getting noticed

Guest Wifi with "internal" captive portal


I am asked to design a Guest Wifi architecture for spokes with some basic requirements:

- Guest Wifi user should have access to Internet only

- A single Guest Wifi subnet should be used for all 600+ sites


However, the splash page should be stored in an internal server which is located in the Data Center / hub. This splash page will not be reachable via Internet. 


From my understanding, if the splash page is only reachable from AutoVPN tunnel, I guess that the Guest Wifi VLAN / subnet of each spoke should be advertise to the hub => so we cannot use single Guest Wifi subnet but we should have 1 subnet per spoke and things get more complicated.

Am I correct? Is there any way to meet the requirement? Thanks for your advice.




4 Replies 4
Meraki Employee
Meraki Employee

Can the splash page be replicated in the native splash function of dashboard? That would greatly simplify your design, provide resiliency, and require no VPN tunnel.

Ryan / Meraki SE

If you found this post helpful, please give it Kudos. If my answer solved your problem click Accept as Solution so others can benefit from it.

Hi @Ryan_Miles, the client has their captive portal Ucopia which is working well and therfore, they do not want to change anything.

Any solution for that? Thanks.

Kind of a big deal
Kind of a big deal

I don't think this is a good design.


If you want to write a captive portal integration take a look at the EXCAP guide (option 3).

Here is the developer guide: 


Otherwise, if you want to pursue the layer 2 strategy, you'll need to deploy an MX in VPN concentrator mode wherever your portal server is.  Then configure the SSID to use tunnelling. 

New here

Regarding not making it accessible on the internet, I wonder if you could use some Cloudflare rules to handle this at the DNS level?


One unique aspect of the Meraki captive portal is that it passes in a selection of URL parameters with information such as the device MAC/IP.


You could filter based on this, concealing the splash page unless these URL params are present.

Get notified when there are additional replies to this discussion.