Any way to set firewall rules for specific SSIDs?

AndreHCEA
Conversationalist

We've got a few MX68Ws that have different SSIDs for different purposes. One of them is meant for guest access. Is there any way to block local LAN access on that SSID? Or is that only possible with an MR device?

AidanKamp
Meraki Employee

Yes - you can:

1. Set up a Group Policy per your needs for that Guest SSID. It sounds like you'd need outbound firewall rules that prevent access to RFC1918 ranges, which should do the job.

2. Assign the Guest SSID to a Guest VLAN, if one isn't already created
3. Assign the Group Policy to that VLAN

That should do the job!

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
AidanKamp
Meraki Employee

Or the other, perhaps more simple way is to create L3 Firewall Rules that block access from your Guest SSID VLAN to RFC1918 destinations.
I personally like the Group Policy method a bit better as it separates that VLAN's rules into a different window, but both methods work fine.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
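
The RFC1918 deny rules suggested in the two replies above can be sanity-checked offline before they are entered in the dashboard. This is an added example, not part of the thread and not Meraki tooling; the tuple rule format, the guest subnet 192.168.50.0/24, the printer exception and the function names are assumptions, and it models first-match evaluation ending in a default allow.

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _net(cidr):
    # "any" is this sketch's shorthand for 0.0.0.0/0
    return ip.ip_network("0.0.0.0/0" if cidr.lower() == "any" else cidr)

def reachable_private(rules, guest_cidr, default="allow"):
    """Return the RFC1918 destinations the guest subnet can still reach.

    rules: ordered (policy, src, dst) tuples, first match wins (assumed model).
    """
    guest = ip.ip_network(guest_cidr)
    pending = list(RFC1918)   # destinations no rule has decided yet
    exposed = []
    for policy, src, dst in rules:
        src, dst = _net(src), _net(dst)
        # A deny only counts if it covers every guest address;
        # an allow counts if it touches any of them (worst case).
        applies = guest.subnet_of(src) if policy == "deny" else guest.overlaps(src)
        if not applies:
            continue
        undecided = []
        for net in pending:
            if not net.overlaps(dst):
                undecided.append(net)
                continue
            hit = net if net.subnet_of(dst) else dst   # CIDRs nest or are disjoint
            if policy == "allow":
                exposed.append(hit)
            if hit != net:
                undecided.extend(net.address_exclude(hit))
        pending = undecided
    if default == "allow":
        exposed.extend(pending)   # whatever fell through to the default rule
    return sorted(exposed)

# Constructed sample rule sets for a guest VLAN on 192.168.50.0/24
GUEST = "192.168.50.0/24"
BLOCK_ALL = [("deny", GUEST, str(n)) for n in RFC1918]
MISSING_172 = [r for r in BLOCK_ALL if r[2] != "172.16.0.0/12"]
SHADOWED = [("allow", "any", "192.168.1.10/32")] + BLOCK_ALL

if __name__ == "__main__":
    for name, rules in [("block_all", BLOCK_ALL), ("missing_172", MISSING_172),
                        ("shadowed", SHADOWED)]:
        print(name, [str(n) for n in reachable_private(rules, GUEST)])
```
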
AndreHCEA
Conversationalist

Finally getting around to reading these over and testing some of these suggestions out (and hopefully finally closing these tabs!).

I'm giving your group policy method a go. Will report back when I have time to test!

Brash
Kind of a big deal

One thing to be aware of is that Group Policy firewall rules apply in a single direction from the client going into the network.

This is typically fine for most use cases (such as a guest network) but something to be aware of nonetheless.

AndreHCEA
Conversationalist

This is a great shout, I noticed that while putting Aidan's suggestion together in a test network of mine. I think it'll be okay for our use case, but definitely worth knowing!

IvanJukic
Meraki Employee All-Star

Hi @AndreHCEA ,

There's an App (Guide) for that!! Jokes aside, VLANs are one of the best ways to implement security. Then tag those SSIDs with said VLANs.

e.g. (screenshot: SSID tag)

https://documentation.meraki.com/MX/Wireless/Creating_a_Wireless_Guest_VLAN_on_a_Z-series_Teleworker...

Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
AndreHCEA
Conversationalist

Thank you for sharing the guide for this, it was helpful in walking me through setting this up!

craigrb
New here

To assign an SSID to a VLAN with a specific IP range, you will have to config the SSID in bridge mode, not the default NAT mode. Tag the relevant APs with the correct VLAN ID, and make sure your trunked switch ports for those APs allow the new VLAN, too. That one tripped me up.
