Join us for a month-long contest with heaps of swag to win!Learn More ›
The guest/Meraki DHCP SSID (10.0.0.0/8) is caching internal DNS entries. Laptops inside the LAN that are using the guest SSID that has the setting "clients being blocked from using LAN" are still trying to resolve DNS internal IP addresses.
I want these websites that do have internal DNS records to actually resolve externally to DNS on public addresses. I have tried ipconfig /flushdns, and have tried assigning content filtering to external DNS. I have also created a new SSID with the deny any Local LAN traffic turned on before it has the chance to cache internal DNS records.
Currently the only way I have found to fix the webpages that are trying to resolve internally is allow the internal DNS names and ports into the Layer 3 firewall rules on SSID settings. This is a tedious task for each webpage/DNS entry to put both 80/443. The other problem is larger external webpages like portal.office.com that resolve to Single sign on need alot of ports allowed through at the Layer 3 firewall rules. Is there an easier way to do this, and am I using the best method for not allowing guest network. Thanks in advance for the input.
Hey @MXanderson ,
From the sounds of things you've outgrown the Meraki DHCP SSID use cases and you should consider transitioning to a Guest SSID that bridges into a Guest VLAN. If you're "big" enough, and savvy enough to be running your own internal DNS servers then I think you would benefit greatly from shifting your guest wifi solution to one more scalable and flexible.
The DNS server is the default 10.128.128.128 from client perspective, but the website which is inside lan has private IP address. It should be resolving to the public IP externally but it's trying to resolve internal. There is not custom host file.
>The DNS server is the default 10.128.128.128 from client perspective
That is what clients get - no need to change that. That request goes to the AP.
Change the DNS servers being used by the AP to external DNS servers and the users DNS queries will also go externally (via AP DNS proxy).
I agree with you @PhilipDAth , although I'm curious now that I'm thinking about it. Having never used the feature, but original poster mentioned that he :
and have tried assigning content filtering to external DNS
Would that achieve the same thing as having the DNS that the access points use?
Always thought it would but never validated it.
I changed the DNS to google servers for resolution on the AP lan interface. That did make the it so nslookup would see the external IP address for the sites I was trying. When I used web browser it would not resolve the websites though.