Hi folks - I allow 3284 (tcp) and 3283 (tcp/udp) in my layer 3 firewall rules. Layer 2 Isolation is disabled.
Student and teacher iPads are on the same SSID. The student iPad reports as Disconnected in System Preferences. The teacher's Classroom app shows all students "Offline".
Connect both iPads to my phone hotspot: Classroom works.
Remove "Deny - Any - Local LAN - Any" from my layer 3 firewall: Classroom works.
Cannot tell what that last rule is denying - any thoughts?
The "Deny Any to Local LAN" rule denies all traffic to the private IP address ranges, i.e. 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Hope that helps in figuring things out.
Yep, I understand that. What I'm trying to figure out is why, when I change that to Allow, Apple Classroom works. So what exactly is it allowing, so I can make an explicit rule and change the catch-all back to deny?
What IP addressing mode are you using on the SSID? Bridge mode?
The firewall rules on the MR are applied to all requests sent from a user on the SSID, which means that the Deny Any to Local LAN is likely also blocking other peer-to-peer protocols that Apple Classroom requires within the SSID (even with Layer 2 isolation being disabled), see https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules. Apple's documentation states you need client-to-client communication, so you'll probably need an allow rule to allow access to whatever subnet the SSID itself is using.
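To make the rule-ordering point concrete, here is an added example (not from this thread, and not Meraki's code) that evaluates a wireless client's flow against an MR-style L3 rule list with first-match semantics. The rule list mirrors the original post: allow tcp/3284, allow tcp+udp/3283, then "Deny Any to Local LAN" (the RFC1918 ranges named above), with the implicit "Allow Any Any" default at the bottom. It then shows the same flows against a second list with an explicit allow for the SSID's own subnet placed above the deny. The SSID subnet 10.20.5.0/24, the iPad addresses, the printer on 192.168.1.10 and the port 49152 standing in for an unlisted Classroom peer-to-peer port are all constructed for the example; the Dashboard API payload shape at the end is my recollection of the v1 endpoint and should be checked against the API docs before use.

```python
"""First-match evaluation of an MR SSID layer 3 firewall rule list.

Added example for the thread above; it is not Meraki's code. All addresses,
ports and subnets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# "Local LAN" in the MR rule editor means the RFC1918 ranges (see the thread).
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    policy: str      # "allow" or "deny"
    protocol: str    # "any", "tcp" or "udp"
    dest: str        # "any", "local-lan" or a CIDR such as "10.20.5.0/24"
    dest_port: str   # "any" or a single port as a string
    comment: str = ""


def _dest_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    if rule.dest == "any":
        return True
    if rule.dest == "local-lan":
        return any(dst in net for net in RFC1918)
    return dst in ipaddress.ip_network(rule.dest)


def evaluate(rules, protocol: str, dst_ip: str, dst_port: int):
    """Return (policy, comment) of the first matching rule.

    Assumption: the MR evaluates top to bottom and falls through to the
    non-removable "Allow Any Any" default rule when nothing matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if r.dest_port not in ("any", str(dst_port)):
            continue
        if not _dest_matches(r, dst):
            continue
        return r.policy, r.comment
    return "allow", "default Allow Any Any"


# Rule list as described in the original post (ports allowed, then deny local LAN).
ORIGINAL_RULES = [
    Rule("allow", "tcp", "any", "3284", "Apple Classroom tcp/3284"),
    Rule("allow", "tcp", "any", "3283", "Apple Classroom tcp/3283"),
    Rule("allow", "udp", "any", "3283", "Apple Classroom udp/3283"),
    Rule("deny", "any", "local-lan", "any", "Deny Any to Local LAN"),
]

# Same list with an explicit allow for the SSID's own subnet (constructed:
# 10.20.5.0/24) inserted ABOVE the deny, as suggested in the thread.
SSID_SUBNET = "10.20.5.0/24"
FIXED_RULES = ORIGINAL_RULES[:3] + [
    Rule("allow", "any", SSID_SUBNET, "any", "client-to-client within SSID"),
] + ORIGINAL_RULES[3:]

# Constructed flows from a student iPad (10.20.5.11) on the SSID.
TEACHER_IPAD = "10.20.5.40"      # same SSID subnet
PRINTER = "192.168.1.10"         # a different internal VLAN
UNLISTED_P2P_PORT = 49152        # placeholder for a Classroom port not in the rule list


def to_api_payload(rules):
    """Shape of the Dashboard API body for
    PUT /networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules.

    Assumption (from memory of API v1, verify before use): the "Deny Any to
    Local LAN" rule is expressed as allowLanAccess=false rather than as a rule,
    and the default Allow Any Any is never sent.
    """
    body = []
    for r in rules:
        if r.dest == "local-lan":
            continue
        body.append({"comment": r.comment, "policy": r.policy,
                     "protocol": r.protocol,
                     "destPort": "Any" if r.dest_port == "any" else r.dest_port,
                     "destCidr": "Any" if r.dest == "any" else r.dest})
    lan_allowed = not any(r.dest == "local-lan" and r.policy == "deny" for r in rules)
    return {"rules": body, "allowLanAccess": lan_allowed}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {name} ---")
        print("teacher tcp/3284 :", evaluate(rules, "tcp", TEACHER_IPAD, 3284))
        print("teacher tcp/49152:", evaluate(rules, "tcp", TEACHER_IPAD, UNLISTED_P2P_PORT))
        print("printer tcp/9100 :", evaluate(rules, "tcp", PRINTER, 9100))
```

Under the original list, the explicitly listed ports reach the teacher iPad but anything else addressed to a private IP, including an unlisted peer-to-peer port on the same SSID subnet, hits the Deny Any to Local LAN rule. The subnet allow placed above the deny opens client-to-client traffic within the SSID only, while traffic to other internal VLANs (the printer here) is still denied, which is the least-privilege outcome the thread is after rather than removing the catch-all altogether.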
Yep, that's what I meant by bridged SSID in the subject. 3285 is no longer necessary, although I did give that a shot, but no joy.
If I try another bridged SSID with no firewall rules at all, things work as expected. So I'm trying to figure out what specifically is being blocked by the default deny so that I can allow it.
I think I may have found the problem. The student SSID is NAT, the teacher SSID is bridged. Evidently, clients connected to the same AP in this scenario will not see one another, even if L3 rules are configured.
Wondering if around 1,100 iPads is too many to switch my student SSID to bridged.
@Mang, yes, that would explain it. An SSID in NAT mode operates as if it has Layer 2 isolation enabled, and it can't be disabled. And being in NAT mode, you can't initiate a connection from outside the SSID to a client on that SSID. See this article, https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation, the section concerning NAT mode is at the bottom.
With regard to whether 1,100 clients is too many... for one VLAN yes, for one SSID no. You just need to plan it so different areas/buildings use different VLANs for the same SSID. If you're using 802.1X for authentication you could even use Group Policy to restrict students' access (e.g. bandwidth, ACLs) compared to teachers.
Thanks, Bruce, helped to solve my issue.