Configuring Rules for Meraki GUEST Network (Internet-Only Access)

MauroF

Question: If I want users on a Meraki GUEST (SSID) network to access only the internet:
 
1) Where should I configure the rules? Under the Wireless section or the Security & SD-WAN section?
2) Is there a priority of rules?
3) What happens if I configured the SSID to deny traffic towards LAN but in the firewall rules there is an Allow Guest-->Any?
 
Thanks in advance
 
Mloraditch

1) It depends on how you want to set it up. If I'm NATing my guest traffic to the AP, I set up the rules on the APs. If I'm dropping off to a VLAN, I set up the rules in a Group Policy on my MX associated to that VLAN.

2) Wireless would be processed first then MX rules if you had both.

3) As wireless is processed first that would block traffic to any RFC1918 subnets.

RaphaelL

Hi,

Deny LAN won't deny access to the Internet. If you have an MX and MR, I would put the rules on the MX.

 

1- Deny LAN on the MR 

2- Deny RFC1918 on the MX 

3- Allow "internet" on the MX 

 

That is how we have our Guest SSID configured.
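
The rule order described in the replies above (SSID rules on the MR first, then MX rules), as an added Python model that is not part of any post and is not Meraki's implementation. The rule lists, their names and the sample addresses are constructed for illustration; treating "deny LAN" as a deny to the RFC1918 ranges follows the first reply, and dropping unmatched traffic is an assumption of the model.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule sets of (action, destination); each list is read top-down.
DENY_PRIVATE = [("deny", net) for net in RFC1918]
MR_DENY_LAN = DENY_PRIVATE + [("allow", ANY)]   # SSID set to deny LAN
MR_OPEN = [("allow", ANY)]                      # SSID with no LAN restriction
MX_ALLOW_ANY = [("allow", ANY)]                 # "Allow Guest-->Any"
MX_LAYERED = DENY_PRIVATE + [("allow", ANY)]    # deny RFC1918, then allow internet


def first_match(rules, dst):
    """Return the action of the first rule whose destination contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"  # assumption for this model: no matching rule means drop


def evaluate(dst, mr_rules, mx_rules):
    """Apply the wireless (MR) stage first, then the MX stage.

    Returns (verdict, stage that decided it). A deny at the MR stage is
    final: the packet never reaches the MX rules.
    """
    if first_match(mr_rules, dst) == "deny":
        return ("deny", "MR")
    return (first_match(mx_rules, dst), "MX")


if __name__ == "__main__":
    setups = (("deny-LAN SSID + allow-any MX", MR_DENY_LAN, MX_ALLOW_ANY),
              ("open SSID + allow-any MX", MR_OPEN, MX_ALLOW_ANY),
              ("open SSID + layered MX", MR_OPEN, MX_LAYERED))
    # Constructed destinations: three private, one near-miss, one public.
    for dst in ("192.168.10.5", "10.1.2.3", "172.16.4.4", "172.32.0.1", "8.8.8.8"):
        for name, mr, mx in setups:
            print(f"{dst:15} {name:30} -> {evaluate(dst, mr, mx)}")
```

The "open SSID + allow-any MX" row is the one to watch: without a deny on either stage, guest traffic to private subnets is allowed, which is why the second reply denies RFC1918 on the MX as well.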
