We have a single SSID for Public wifi access, and this has been deployed to Meraki access points at our branch locations. Each branch has its own separate DSL or cable modem for these to plug into, physically separate from our LAN. They're configured with Meraki NAT mode / dhcp.
We want to deploy public wifi at the main branch office now, but the issue is that we already have Meraki APs deployed for staff (secure) and guests that are not the general public, like vendors and whatnot. These APs are trunked and the networks are on different VLANs with security in place.
We want to add the Public SSID to our existing Merakis here at the main office, but we aren't sure whether we can bring in a separate ISP and VLAN it off and still have the setup functional at the branches. Would we need a new SSID for that to happen?
Is just having Meraki NAT mode secure enough for this purpose? It is still on our native VLAN though... only separated by the Meraki AP. What are your thoughts?
I hope this makes sense, please let me know if I can clarify anything.
You can add an SSID for guest and use NAT mode if you like. I would recommend adding a firewall rule within the SSID to prevent that SSID from communicating with the rest of your network except out to the Internet.
That's all you need to do really.
I do have a question: do you utilize an MX firewall at the main office today, and also, what is handling the routing at the office?
The setup may be a bit different at the main office compared to the remote sites. By default, Meraki DHCP from access points still allows the clients to communicate with the LAN unless you specifically deny it in the access rule. Please let me know the answers to the above questions and I can help a bit further.
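The replies above turn on one point: in NAT mode the AP's per-SSID firewall is evaluated top to bottom with an implicit "allow any" at the end, so guest clients can reach RFC1918 hosts until a deny rule is placed ahead of that default. The following is an added simulation written for this page, not Meraki code or anything posted in the thread. It models first-match rule evaluation over a few constructed flows and includes a small audit check for a rule set. The treatment of the "Local LAN" destination object as the three RFC1918 ranges is an assumption taken from how that object is commonly described, and the sample rules, hosts and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the "Local LAN" destination object covers the RFC1918 ranges.
LOCAL_LAN = [ipaddress.ip_network(c) for c in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    policy: str            # "allow" or "deny"
    protocol: str          # "any", "tcp", "udp" or "icmp"
    dest: str              # "any", "Local LAN" or a CIDR string
    dest_port: str = "any" # "any" or a port number as a string
    comment: str = ""


def _dest_matches(rule_dest: str, dst_ip: ipaddress._BaseAddress) -> bool:
    """Match the rule's destination object against a concrete address."""
    if rule_dest == "any":
        return True
    if rule_dest == "Local LAN":
        return any(dst_ip in net for net in LOCAL_LAN)
    return dst_ip in ipaddress.ip_network(rule_dest, strict=False)


def evaluate(rules, dst: str, proto: str, port: int):
    """First-match evaluation; falls through to the implicit default allow."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.protocol not in ("any", proto):
            continue
        if not _dest_matches(r.dest, dst_ip):
            continue
        if r.dest_port not in ("any", str(port)):
            continue
        return r.policy, r.comment
    return "allow", "implicit default allow"


def audit(rules) -> list:
    """Flag rule sets that never deny Local LAN, or deny it only after an allow-any."""
    findings = []
    first_allow_any = next((i for i, r in enumerate(rules)
                            if r.policy == "allow" and r.dest == "any"
                            and r.protocol == "any"), None)
    lan_deny = next((i for i, r in enumerate(rules)
                     if r.policy == "deny" and r.dest == "Local LAN"
                     and r.protocol == "any"), None)
    if lan_deny is None:
        findings.append("no rule denies guest traffic to Local LAN")
    elif first_allow_any is not None and first_allow_any < lan_deny:
        findings.append("Local LAN deny is shadowed by an earlier allow-any")
    return findings


# Constructed sample flows from a guest client: (destination, proto, port, label)
FLOWS = [
    ("192.168.10.20", "tcp", 445, "file server on staff VLAN"),
    ("10.20.0.1", "tcp", 443, "layer 3 switch management"),
    ("93.184.216.34", "tcp", 443, "public web site"),
]

# Rule set as shipped for a fresh NAT-mode SSID: nothing but the default allow.
DEFAULT_RULES = []

# Rule set after adding the deny the replies recommend, ahead of the default.
HARDENED_RULES = [
    Rule("deny", "any", "Local LAN", comment="guests: Internet only"),
]


def simulate(rules) -> dict:
    """Map each flow label to the policy the rule set applies to it."""
    return {label: evaluate(rules, dst, proto, port)[0]
            for dst, proto, port, label in FLOWS}


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(name, simulate(rules), audit(rules))
```

Running it shows every flow allowed under the default rule set and only the public destination allowed under the hardened one, with the audit naming the gap in the default set. The audit is the part worth keeping around: a deny placed below an explicit allow-any is just as useless as no deny at all.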
We do not use an MX firewall, the routing is done through layer 3 switches and we have a firewall on the perimeter. I did add a deny rule to the LAN on the Meraki side, but these users are still technically on our local network?
What does your security policy require?
By setting it up with the SSID-based firewall, the Meraki AP will prevent traffic from moving to other networks as you desired. Add bandwidth limitations, and there is no way for a guest client to connect to the main network and overload the bandwidth.
Even if you set up a guest VLAN with client isolation, all guest users will have access to is the Internet.
I work as a security integrator, and a number of times I get requests for network segmentation where the end user thinks that means separate equipment, but a separate VLAN with a firewall rule is sufficient.
There was an audit comment last year that pointed out that we did not physically separate our wireless networks, and suggested we do so. We have accepted the 'risk' as an organization to use VLANs (I know...), but it is usually something that is brought up often.