I'd like to ask you some questions about the following solution scenario:
The requirement is to set up a Guest WiFi with some MRs where the SSIDs would be configured in Bridge Mode and the DHCP server is located on an upstream router...
To get some content/URL filtering I am thinking of using the Cisco Umbrella solution, which could be integrated in/with the Meraki Dashboard.
In that typical network-level Umbrella deployment, pointing DNS to Umbrella alone may not be sufficient to enforce Umbrella protections. Savvy users may attempt to bypass Umbrella by changing the DNS settings on their machines, so the question for me is whether it's possible to use the integrated MR firewall configuration to lock down the users on the guest network to prevent any other DNS service from being used to bypass Umbrella settings and protection (e.g. with an ACL entry "deny udp any any eq 53")?
I've read through the following documentation -> https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...
but I don't understand the marked area... how can/does the MR restrict that traffic if it's sent to the client's LAN default gateway (which would be the upstream router)?
Probably someone has already done a similar deployment or could tell me if the design approach is recommended at all 🙂
Meraki and Umbrella integration goes beyond simply directing users to Umbrella's DNS servers. You will not need to block access to other DNS services, as this is done by the MR itself.
You can read more below.
It works really well. With MR only or with MX.
However, if you do not want to go into that deep an integration (or are using other DNS servers for filtering), you could simply block other DNS servers on the firewall.
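Whichever of the two approaches is chosen (the MR's own interception or a firewall rule blocking UDP/53), an administrator will want to verify from a guest client that a query to a resolver other than Umbrella's is actually blocked or intercepted. The following is an added example, not code from the thread or from Meraki: it hand-builds a minimal DNS A query, sends it to a chosen resolver IP, and reports whether and from where a reply came back. The resolver address and query name in the `__main__` block are constructed placeholders.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (flags: RD=1, one question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Decode the 12-byte DNS header: txid match, QR bit, RCODE, answer count."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def probe_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send one query to resolver_ip:53 from this client and report the outcome.

    On a guest SSID where UDP/53 to arbitrary resolvers is blocked, the probe
    should time out; where the MR intercepts DNS, a reply still arrives but is
    served by the Umbrella path. A normal answer with no policy in place means
    the lockdown is not effective.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        try:
            data, (src_ip, _port) = s.recvfrom(512)
        except socket.timeout:
            return {"resolver": resolver_ip, "reply": False, "reason": "timeout"}
    info = parse_response(data)
    info.update({"resolver": resolver_ip, "reply": True, "from": src_ip})
    return info

if __name__ == "__main__":
    # Constructed placeholder (TEST-NET-3); replace with the non-Umbrella
    # resolver you want to confirm is unreachable from the guest SSID.
    print(probe_resolver("203.0.113.53", "example.com"))
```

Run it from a client associated to the guest SSID; a `timeout` result for a non-Umbrella resolver is the expected outcome when the firewall rule is in place.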
Some more questions about it...
the DNS Traffic-Flow:
Question on Step 2: does that mean that it doesn't matter which one, or whether, a DNS server is assigned to the client in the IP parameters of the DHCP server? Or do they already have to be the ones used by the Umbrella resolvers?
For my technical understanding: how and on what basis does this interception work and make sure that all DNS queries would be intercepted - e.g. "any traffic with a destination port UDP/53"...?!
Because the MR source NATs the packet to its management IP and redirects it to the appropriate Umbrella endpoint, the AP acts like some sort of DNS proxy, correct?! Is there a possibility to see which client/real LAN IP addresses have open sessions to the Umbrella resolver as well?
Probably when using the Security Center to view MR DNS events - are the MR management IPs or the real client IP addresses shown there?
All DNS queries are captured, identified as being from that client on that AP and encrypted. They are then checked and an unencrypted IP is returned to the client that will either take them to the intended site or a block page. Step 2 is simply about how the DNS packet is wrapped so the information can be returned.