Apple classroom on bridged SSID - students offline, ports are open, but layer 3 still blocking

Mang
Comes here often

Apple classroom on bridged SSID - students offline, ports are open, but layer 3 still blocking

Hi folks - i Allow 3284 (tcp) and 3283 (tcp/udp) in my layer 3 firewall rules.  Layer 2 Isolation is disabled.

 

Student and Teacher iPads are on the same SSID.  Student iPad reports as Disconnected in System Preferences.  Teacher Classroom app shows all students "Offline"

 

Connect both iPads to my phone hotspot, Classroom works

Remove "Deny - Any - Local Lan - Any" from my layer 3 firewall, Classroom works

 

Cannot tell what that last rule is denying - any thoughts?

 

Mang_0-1629474112693.png

 

8 REPLIES 8
Bruce
Kind of a big deal

The Deny Any to Local LAN denies all traffic to the private IP address ranges, i.e. 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Hope that helps in figuring things out.

Mang
Comes here often

Yep, I understand that. What I'm trying to figure out is when I change that to Allow, Apple classroom works. So what exactly is it allowing so I can make an explicit rule and change the catch-all back to deny.

Bruce
Kind of a big deal

What IP addressing mode are you using on the SSID? Bridge mode?

 

The firewall rules on the MR are applied to all requests sent from a user on the SSID, which means that the Deny Any to Local LAN is likely also blocking other peer-to-peer protocols that Apple classroom requires within the SSID (even with Layer 2 isolation being disabled), see https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules. Apple’s documentation state you need client-to-client communication, so you’ll probably need an allow rule to allow access to whatever subnet the SSID itself is using.

Mang
Comes here often

Yep, that's what I meant by bridged ssid in the subject.  3285 is no longer necessary, although I did give that a shot but no joy.

 

If I try another bridged SSID with no firewall rules at all, things work as expected.  So, I'm trying to figure out what specifically is being blocked by the default deny so that I can allow it

Mang
Comes here often

I think I may have found the problem.  Student SSID is NAT, teacher SSID is bridged.  Evidently clients connected to the same AP in this scenario will not see one another - even if L3 rules are configured.

 

Wondering if around 1100 ipads is too many to switch my Student SSID to bridged

Bruce
Kind of a big deal

@Mang, yes, that would explain it. An SSID in NAT mode operates as if it has Layer 2 isolation enabled, and it can't be disabled. And being in NAT mode, you can't initiate a connection from outside the SSID to a client on that SSID. See  this article, https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation, the section concerning NAT mode is at the bottom.

Bruce
Kind of a big deal

With regard to is 1,100 clients too many... for one VLAN yes, for one SSID no. You just need to plan it so different areas/buildings use different VLANs for the same SSID - if you're using 802.1x for authentication you could even use Group Policy to restrict students access (e.g. bandwidth, ACLs) compared to teachers.

DJ_WLD
Conversationalist

Thanks, Bruce, helped to solve my issue.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels