Any way to set firewall rules for specific SSIDs?
We've got a few MX68Ws that have different SSIDs for different purposes. One of them is meant for guest access. Is there any way to block local LAN access on that SSID? Or is that only possible with an MR device?
Yes - you can:
1. Set up a Group Policy per your needs for that Guest SSID. It sounds like you'd need outbound firewall rules that prevent access to RFC1918 ranges, which should do the job.
2. Assign the Guest SSID to a Guest VLAN, if one isn't already created
3. Assign the Group Policy to that VLAN
That should do the job!
Or the other, perhaps more simple way is to create L3 Firewall Rules that block access from your Guest SSID VLAN to RFC1918 destinations.
I personally like the Group Policy method a bit better as it separates that VLAN's rules into a different window, but both methods work fine.
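The rule set both replies describe (deny from the guest VLAN to the RFC1918 ranges, allow everything else) can be sanity-checked offline before it goes into the dashboard. This is an added example, not part of the original thread and not Meraki code: the guest subnet, the rule tuples and the function names are constructed for illustration, and it assumes rules are evaluated top-down with the first match winning and unmatched traffic allowed.

```python
import ipaddress as ipa

RFC1918 = [ipa.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(policy, src, dst):
    return policy, ipa.ip_network(src), ipa.ip_network(dst)

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; unmatched traffic is allowed (assumed default)."""
    src, dst = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
    for policy, s, d in rules:
        if src in s and dst in d:
            return policy
    return "allow"

def _split(nets, cut):
    """Partition nets into (inside cut, outside cut); CIDR blocks nest or are disjoint."""
    inside, outside = [], []
    for n in nets:
        if n.subnet_of(cut):
            inside.append(n)
        elif cut.subnet_of(n):
            inside.append(cut)
            outside.extend(n.address_exclude(cut))
        else:
            outside.append(n)
    return inside, outside

def rfc1918_gaps(rules, guest_subnet):
    """Private ranges the guest subnet can still reach, walking the rules top-down."""
    guest = ipa.ip_network(guest_subnet)
    undecided, gaps = list(RFC1918), []
    for policy, s, d in rules:
        if policy == "deny" and guest.subnet_of(s):
            _, undecided = _split(undecided, d)    # fully blocked for all guests
        elif policy == "allow" and guest.overlaps(s):
            hit, undecided = _split(undecided, d)  # an earlier allow shadows later denies
            gaps.extend(hit)
    gaps.extend(undecided)                         # whatever is left hits the default allow
    return sorted(ipa.collapse_addresses(gaps))

# Constructed sample rule sets (hypothetical guest VLAN subnet).
GUEST = "192.168.50.0/24"
DENIES = [rule("deny", GUEST, str(n)) for n in RFC1918]
ALLOW_ANY = rule("allow", "0.0.0.0/0", "0.0.0.0/0")
GOOD = DENIES + [ALLOW_ANY]
MISSING = [DENIES[0], DENIES[2], ALLOW_ANY]        # 172.16.0.0/12 was forgotten
SHADOWED = [ALLOW_ANY] + DENIES                    # allow placed above the denies
```

`rfc1918_gaps` returns an empty list for `GOOD`, the forgotten `172.16.0.0/12` for `MISSING`, and all three private ranges for `SHADOWED`, where rule order alone defeats the denies.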
Finally getting around to reading these over and testing some of these suggestions out (and hopefully finally closing these tabs!).
I'm giving your group policy method a go. Will report back when I have time to test!
One thing to be aware of is that Group Policy firewall rules apply in a single direction from the client going into the network.
This is typically fine for most use cases (such as a guest network) but something to be aware of nonetheless.
This is a great shout, I noticed that while putting Aidan's suggestion together in a test network of mine. I think it'll be okay for our use case, but definitely worth knowing!
Hi @AndreHCEA,
There's an App (Guide) for that!! Jokes aside, VLANs are one of the best ways to implement security. Then tag those SSIDs with said VLANs.
e.g.
Cheers,
Ivan Jukić,
Meraki APJC
Thank you for sharing the guide for this, it was helpful in walking me through setting this up!
To assign an SSID to a VLAN with a specific IP range, you will have to configure the SSID in bridge mode, not the default NAT mode. Tag the relevant APs with the correct VLAN ID, and make sure your trunked switch ports for those APs allow the new VLAN, too. That one tripped me up.
