NAT Mode

SOLVED
RobMcLean
Getting noticed

I have a simple question:

What VLAN does traffic from a SSID set to NAT mode traverse?

1 ACCEPTED SOLUTION

Since NAT is performed directly on the AP, traffic will traverse on the same VLAN as the AP has its IP address.

So if the AP has an IP address 192.168.5.0/24 on vlan 5, traffic traverses on vlan 5.
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.


12 REPLIES 12
kYutobi
Kind of a big deal

The implications of enabling NAT mode are as follows:

  • Devices outside of the wireless network cannot initiate a connection to a wireless client.
  • Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.
  • Legacy VPN clients (i.e., those that do not support NAT Traversal) may not be able to establish IPSec tunnels over the wireless network. (One workaround is to upgrade the VPN client or configure the VPN client to establish an IPSec tunnel over TCP, e.g. SSL.) 
  • VLAN Tagging wireless traffic is not supported in NAT mode.  

Please note that each AP will NAT to its own management IP address. As a result, LAN flows will be interrupted when the client roams between APs.

The DHCP service for NAT mode will only hand out addresses in the 10.0.0.0/8 subnet. SSIDs in NAT mode can still be used on wired networks already using a 10.x.x.x address space; however, clients on the NAT SSID may be unable to communicate with these networks.

Use Cases

NAT mode works well for providing a wireless guest network, since it puts clients on a private wireless network with automatic addressing. Layer 3 firewall rules can also be used to quickly limit or block access to network resources.

Enthusiast

I saw that article, but it doesn't answer the question.

  • VLAN Tagging wireless traffic is not supported in NAT mode. 
    • Does this mean it is untagged traffic?
    • Does traffic traverse the native VLAN since it is "untagged?"
    • Or since it is NATing the management IP does it traverse the management VLAN?


Interesting, but doesn't this contradict the practice of completely segmenting management traffic from all user traffic?

I suppose it is, but then again, I'd normally only use Meraki DHCP on deployments that quickly need guest WiFi and are only able to use single VLANs.

Then again, all clients are isolated from each other. No client can talk to another in NAT mode. Internet access only.

LinkedIn ::: https://blog.rhbirkelund.dk/

I'm wondering which is more secure, NAT mode or Bridge mode with a L3 rule blocking access to the local LAN?

kYutobi
Kind of a big deal

@RobMcLean NAT mode by default blocks access to the LAN unless you change L3 rules. Just letting you know. 😏

Enthusiast

Plus, the first SSID on any network by default will block L3 Wireless > LAN traffic; create a new network and you'll see it 🙂
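To make the two points in this thread concrete (the accepted answer's "NAT-mode traffic lands on the AP's management VLAN with the AP's management IP as source", and the later discussion of the "wireless clients accessing LAN" L3 rule and roaming), here is an added audit script. It is not from the thread and not Meraki code; the record fields (ipAssignmentMode, useVlanTagging, defaultVlanId, allowLanAccess) are assumed to mirror the Dashboard API SSID and L3-firewall objects, the AP data is constructed, and it assumes the AP's switch port native VLAN is the management VLAN.

```python
"""Added example: predict where an SSID's client traffic appears on the wire
and flag SSIDs whose clients share the AP management VLAN or may reach the LAN.
All AP/SSID values below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessPoint:
    name: str
    mgmt_ip: str    # address the AP NATs behind (each AP NATs to its own management IP)
    mgmt_vlan: int  # VLAN of that address; assumed to also be the AP port's native VLAN


@dataclass(frozen=True)
class Ssid:
    name: str
    ip_assignment_mode: str            # "NAT mode" or "Bridge mode" (assumed API values)
    use_vlan_tagging: bool = False      # assumed field: useVlanTagging
    default_vlan_id: Optional[int] = None  # assumed field: defaultVlanId
    allow_lan_access: bool = False      # assumed field: allowLanAccess in the L3 rule set


def egress(ssid: Ssid, ap: AccessPoint, client_ip: str) -> Tuple[int, str]:
    """Return (VLAN the traffic egresses on, source IP the LAN sees)."""
    if ssid.ip_assignment_mode == "NAT mode":
        # NAT happens on the AP: VLAN tagging is unsupported, so traffic rides the
        # management VLAN and is sourced from the AP's management address.
        return ap.mgmt_vlan, ap.mgmt_ip
    if ssid.ip_assignment_mode == "Bridge mode":
        if ssid.use_vlan_tagging and ssid.default_vlan_id is not None:
            return ssid.default_vlan_id, client_ip
        # Untagged bridge traffic lands on the AP port's native VLAN.
        return ap.mgmt_vlan, client_ip
    raise ValueError(f"unknown ipAssignmentMode: {ssid.ip_assignment_mode!r}")


def roam_changes_source(ssid: Ssid, ap_a: AccessPoint, ap_b: AccessPoint,
                        client_ip: str = "10.0.7.42") -> bool:
    """True when the LAN-visible source address changes as a client roams A -> B.
    This is the 'LAN flows will be interrupted' behaviour of NAT mode."""
    return egress(ssid, ap_a, client_ip)[1] != egress(ssid, ap_b, client_ip)[1]


def audit(ssids: List[Ssid], aps: List[AccessPoint]) -> List[str]:
    """Flag management-VLAN sharing (per AP) and LAN access (per SSID)."""
    findings = []
    for ssid in ssids:
        for ap in aps:
            vlan, src = egress(ssid, ap, client_ip="<client>")
            if vlan == ap.mgmt_vlan:
                findings.append(
                    f"{ssid.name}@{ap.name}: client traffic shares management "
                    f"VLAN {vlan} (LAN sees source {src})")
        if ssid.allow_lan_access:
            findings.append(f"{ssid.name}: L3 rule permits wireless clients to reach the LAN")
    return findings


# Constructed inventory: two APs on VLAN 5, three SSIDs with different modes.
SAMPLE_APS = [AccessPoint("ap-1", "192.168.5.11", 5),
              AccessPoint("ap-2", "192.168.5.12", 5)]
SAMPLE_SSIDS = [
    Ssid("Guest-NAT", "NAT mode"),
    Ssid("Guest-Bridge", "Bridge mode", use_vlan_tagging=True, default_vlan_id=50),
    Ssid("Corp-Untagged", "Bridge mode", allow_lan_access=True),
]


def run_audit() -> List[str]:
    return audit(SAMPLE_SSIDS, SAMPLE_APS)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
    for s in SAMPLE_SSIDS:
        print(f"{s.name}: source changes on roam = "
              f"{roam_changes_source(s, SAMPLE_APS[0], SAMPLE_APS[1])}")
```

Running it lists the NAT SSID and the untagged bridge SSID as sharing VLAN 5 on both APs, and only the NAT SSID as changing its LAN-visible source when a client roams; the tagged guest SSID on VLAN 50 produces no finding, which is the segmentation the thread ends up recommending.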

Thanks for all the replies.

I think I am going to go back to a bridge mode guest network, if for nothing else than more seamless roaming, but I do want my management traffic completely separate.

Perhaps if the alternate management IP feature comes out of beta, there will be a way to keep them separate.

My home guest network is in bridge mode too, just on its own VLAN. This means guests that roam between APs keep the same IP address, unlike NAT mode. It was causing issues for iPhone VoWiFi, for example.

If you only have a single AP, and want to make things 'easy', then NAT mode should be fine. Otherwise I never recommend it. Always use bridge mode; it gives you far more control over things in the future when you didn't know you would need it, and the roaming issue that NAT introduces is a true killer.
Nolan Herring | nolanwifi.com
SMANNE
New here

How do we migrate wireless clients from Meraki DHCP (NAT mode) to an internal DHCP server (bridge mode) seamlessly? Any suggestions?
