We have a customer that occasionally has issues with accessing a specific website.
They have the MR44 units deployed for student use, and frequently they have an issue where the site won't work for them.
They also have a corp. network on the same AP that is not in NAT mode, and NEVER has any issues. I am wondering if there is something in the Meraki DHCP NAT mode that will change the public IP that the requests are coming from?
I know that the website in question has been specifically made to ONLY accept connections from the public IP of the customer. And the fact that the corp. network has never had an issue makes me wonder if there is something specific at play with the Meraki DHCP.
I will also note that it works sometimes. So the issue is sporadic and it is impossible to determine when it will happen.
Morning @jbates58, in NAT mode the users' traffic will be seen coming from the IP of the AP. I presume this traffic still traverses the same firewall as your corp network? Are you using flow preferences to send traffic via different WAN connections?
Darren O'Connor | uccert.co.uk https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
That's what I suspected, however there is some weird issue that we cannot diagnose.
The customer's website occasionally doesn't work for people connected to the network that uses the Meraki DHCP. The corp. network just uses passthrough to the on-prem DHCP, and it NEVER has an issue.
In terms of setup etc., it's pretty vanilla, basically just plug and play with 2 SSIDs configured, one for Corp. and one for Students. The only other difference is the firewalling blocking various things like streaming etc. But we have configured the domain that has issues to be allowed in Umbrella, and also whitelisted in Meraki. And this is shown to be working, as the corp. network NEVER has an issue connecting.
So I am thinking that it is something specific to the website, and it rejecting the connection because they have it locked down to only accept connections from the public IP of the customer, but that is only valid if there is something weird where the source IP is changed somewhere along the line.
I will also note that they are not using anything like SWG or VPN etc. It's just a super vanilla setup and deployment using their ISP-provided modem.