We have a strict network policy with quite a bit of filtering enabled: no personal devices within the building except in the lunch room and outside on breaks.
Firewall: both Layer 7 rules and content filtering for social networks, any file transfer, external storage systems, email, etc.
This is suitable for our normal staff using the LAN and the internal wireless networks which access the LAN, with some AD group policies for overrides etc., which works well.
We have a staff WiFi which cannot access the LAN, but we want open access to the Internet; the staff can use any personal device such as a phone, tablet or laptop, and we don't want to have to use MDM.
I can add layer 7 rules but not override the firewall ones, and the content is still filtered even though the option to filter content is switched off on the access page of the WiFi configuration.
Any ideas how I can accomplish this?
Hi @Steve-Potter,
I had a similar issue that I ran into a while back. It turned out that the content filtering was still being applied to the access point itself. I created a Group Policy with a content filtering override and applied that to the management vlan that the access points fell into. You might check there?
I haven't tested this, but look under Wireless > Access Control, then select your SSID. There is a section for Content Filtering that may give you the settings you need. I think you can opt out of Content Filtering or use Custom DNS.
Yes, I have seen that, and despite it having the same label, "Content Filtering", it is, I think, a different animal.
I have tried a few settings but have not had any success bypassing the MX content filtering JUST for clients of one SSID.
Steve
Sorry I'm having trouble fully understanding your topology and goal in this request.
Are you using the Meraki DHCP for this public SSID? And do you have the Wireless > Firewall & Traffic Shaping rule for that SSID set to Deny Any Local LAN? If those two options are set then it shouldn't really matter what VLAN you are on, unless you are trying to do some kind of special routing to send it out a different path.
Hi and thanks for your reply.
I am restarting this thread again, as I still have the same issue, and have tested a few more scenarios:
Default VLAN 1 for all infrastructure, MX64 DHCP.
LAN on VLAN 10, DHCP via Windows server.
Wireless SSID 1: L3 roaming, access to LAN and internet;
filtered by the normal content filter, can be overridden by group policy.
Wireless SSID 2: Meraki DHCP, no access to LAN, access to internet;
filtered by the normal content filter, cannot be overridden by group policy OR client whitelisting.
I have tried Windows laptop and Android clients, same effect. The Meraki DHCP SSID seems perfect for our staff to use their personal phones, where they have no access to the LAN or to each other but would like unfettered access to the internet. Unfortunately the content filter is always applied.
The content filter is used on the LAN and the other SSIDs with L3 roaming to restrict approved devices (i.e. non-personal phones), yet I can apply whitelisting or group policies to various clients which can easily bypass the content filter.
However, I think I found the answer:
Created a new VLAN with a group policy attached to override the content filter.
Created a new staff SSID, used L3 roaming, tagged to the VLAN and denied access to the LAN.
Seems to have fixed it.
Steve
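A small consistency check for the design Steve arrived at (dedicated VLAN carrying a content-filter override group policy, an L3-roaming SSID tagged to that VLAN, Local LAN access denied). This is an added example, not code from the thread or from Meraki; the dict field names are assumed to follow the Meraki Dashboard API JSON as recalled here (ipAssignmentMode, useVlanTagging, defaultVlanId, groupPolicyId, allowLanAccess, contentFiltering) and should be confirmed against the current API reference, and all sample objects are constructed.

```python
"""Check that an SSID / VLAN / group policy / L3-rule set actually forms the
'isolated personal-device SSID with content filter override' design.

ASSUMPTION: field names mirror Meraki Dashboard API JSON as recalled by the
author of this example; verify against the API reference before relying on them.
"""

# Constructed sample objects (not taken from a real dashboard).
GP_OVERRIDE = {
    "groupPolicyId": "101",
    "name": "Personal devices - no content filter",
    "contentFiltering": {
        "allowedUrlPatterns": {"settings": "network default", "patterns": []},
        "blockedUrlPatterns": {"settings": "override", "patterns": []},
        "blockedUrlCategories": {"settings": "override", "categories": []},
    },
}
VLAN_STAFF = {"id": 20, "name": "Staff-BYOD", "subnet": "10.20.0.0/24", "groupPolicyId": "101"}
SSID_STAFF = {"number": 2, "name": "Staff", "ipAssignmentMode": "Layer 3 roaming",
              "useVlanTagging": True, "defaultVlanId": 20}
L3_DENY_LAN = {"rules": [], "allowLanAccess": False}

# The Meraki-DHCP (NAT mode) variant the thread started with: clients never
# land on the VLAN, so the VLAN's group policy can never reach them.
SSID_NAT = dict(SSID_STAFF, ipAssignmentMode="NAT mode", useVlanTagging=False, defaultVlanId=None)


def check_isolated_ssid(ssid, l3_rules, vlan, group_policy):
    """Return a list of problems found; an empty list means the design holds."""
    problems = []
    if ssid.get("ipAssignmentMode") != "Layer 3 roaming":
        problems.append("ssid not in Layer 3 roaming mode: clients never land on the VLAN")
    elif not ssid.get("useVlanTagging") or ssid.get("defaultVlanId") != vlan["id"]:
        problems.append(f"ssid not tagged to VLAN {vlan['id']}")
    if vlan.get("groupPolicyId") != group_policy["groupPolicyId"]:
        problems.append("VLAN does not carry the override group policy")
    cf = group_policy.get("contentFiltering", {})
    for key in ("blockedUrlPatterns", "blockedUrlCategories"):
        if cf.get(key, {}).get("settings") != "override":
            problems.append(f"group policy leaves {key} at the network default")
    if l3_rules.get("allowLanAccess", True):
        problems.append("ssid firewall still allows Local LAN access")
    return problems


if __name__ == "__main__":
    print("L3 roaming design:", check_isolated_ssid(SSID_STAFF, L3_DENY_LAN, VLAN_STAFF, GP_OVERRIDE))
    print("NAT mode design:  ", check_isolated_ssid(SSID_NAT, L3_DENY_LAN, VLAN_STAFF, GP_OVERRIDE))
```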
It's 2021 and this seems to be the same issue I'm fighting. I have a ticket open to discuss with Meraki, to clarify whether the MX content filter is indeed being applied to the MR WAP itself, preventing my group policy with relaxed content settings from having any effect on my wireless clients.
If I follow your found fix, the only thing missing from the original config is the new SSID no longer prevents clients from seeing each other as it did when it was the Meraki NAT mode. Is that correct?
I like that idea, not sure how to apply a GP to the management VLAN though; all our infrastructure is on the same default VLAN, the data/phone and CCTV VLANs are separate though.