Meraki

Community

Anyway to set firewall rules for specific SSIDs?

AndreHCEA
Just browsing
2 weeks ago
2 weeks ago

Anyway to set firewall rules for specific SSIDs?

We've got a few MX68Ws that have a different SSIDs for different purposes. One of them is meant for guest access. Is there anyway to block local LAN access on that SSID? Or is that only possible with an MR device?

0 Kudos
4 Replies 4
AidanKamp
Meraki Employee
Meraki Employee
2 weeks ago
2 weeks ago

Yes - you can:

1. Set up a Group Policy per your needs for that Guest SSID. It sounds like you'd need outbound firewall rules that prevent access to RFC1918 ranges, which should do the job.

2. Assign the Guest SSID to a Guest VLAN, if one isn't already created
3. Assign the Group Policy to that VLAN

That should do the job!

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
In response to AidanKamp
AidanKamp
Meraki Employee
Meraki Employee
2 weeks ago
2 weeks ago

Or the other, perhaps more simple way is to create L3 Firewall Rules that block access from your Guest SSID VLAN to RFC1918 destinations.
I personally like the Group Policy method a bit better as it separates that VLAN's rules into a different window, but both methods work fine.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
Brash
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

One thing to be aware of is that Group Policy firewall rules apply in a single direction from the client going into the network.

This is typically fine for most use cases (such as a guest network) but something to be aware of nonetheless.

IvanJukic
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
2 weeks ago
2 weeks ago

Hi @AndreHCEA ,

There's an App(Guide) for that!!. Jokes aside, VLANs are one of the best ways to implement security. Then Tag those SSIDs with said VLANs. 

e.g. 

 

 

SSID tagSSID tag


https://documentation.meraki.com/MX/Wireless/Creating_a_Wireless_Guest_VLAN_on_a_Z-series_Teleworker...







Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.