Content Filtering

Solved
Steve-Potter
Getting noticed

We have a strict network policy with quite a bit of filtering enabled: no personal devices within the building except in the lunch room and outside on breaks.

Firewall - both Layer 7 rules and content filtering for social networks, any file transfer, external storage systems, email etc.

This is suitable for our normal staff using the LAN and the internal wireless networks which access the LAN, with some AD group policies for overrides etc., which works well.

We have a staff WiFi which cannot access the LAN, but we want open access to the Internet; the staff can use any personal device such as a phone, tablet or laptop, and we don't want to have to use MDM.

I can add Layer 7 rules but not override the firewall ones, and the content is still filtered even though the option to filter content is switched off on the access page of the WiFi configuration.

Any ideas how I can accomplish this?

1 Accepted Solution
Steve-Potter
Getting noticed

Hi and thanks for your reply.

I am restarting this thread again, as I still have the same issue, and have tested a few more scenarios:

Default VLAN 1 for all infrastructure, MX64 DHCP

LAN on VLAN 10, DHCP via Windows server

Wireless SSID 1: L3 roaming, access to LAN and internet
    - filtered by the normal content filter, can be overridden by group policy

Wireless SSID 2: Meraki DHCP, no access to LAN, access to internet
    - filtered by the normal content filter, cannot be overridden by group policy OR client whitelisting.

I have tried Windows laptop and Android clients, same effect. The Meraki DHCP SSID would be perfect for our staff to use their personal phones, where they have no access to the LAN or to each other but would have unfettered access to the internet. Unfortunately the content filter is always applied.

The content filter is used on the LAN and the other SSIDs with L3 roaming to restrict approved devices (i.e. non-personal phones), yet I can apply whitelisting or group policies on various clients which can easily bypass the content filter.

However, I think I found the answer:

- Created a new VLAN with a group policy attached to override the content filter
- Created a new staff SSID, used L3 roaming, tagged it to the VLAN and denied access to the LAN

This seems to have fixed it.

Steve

7 Replies
WadeAlsup
A model citizen

Hi @Steve-Potter

I had a similar issue that I ran into a while back. It turned out that the content filtering was still being applied to the access point itself. I created a Group Policy with a content filtering override and applied that to the management VLAN that the access points fell into. You might check there?

Adam
Kind of a big deal

I haven't tested this, but go to Wireless > Access Control, then select your SSID. There is a section for Content Filtering that may give you the settings you need? I think you can opt out of Content Filtering or use Custom DNS.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Steve-Potter
Getting noticed

Yes, I have seen that, and despite it having the same label "Content Filtering" it is, I think, a different animal.

I have tried a few settings but have not had any success bypassing the MX content filtering JUST for clients of one SSID.

Steve

Adam
Kind of a big deal

Sorry I'm having trouble fully understanding your topology and goal in this request.

Are you using the Meraki DHCP for this public SSID? And do you have the Wireless > Firewall & Traffic Shaping rule for that SSID set to Deny Any Local LAN? If those two options are set then it shouldn't really matter what VLAN you are on, unless you are trying to do any kind of special routing to send it out a different path.

Red-Five
Here to help

It's 2021 and this seems to be the same issue I'm fighting. I have a ticket open to discuss with Meraki, now to clarify that the MX content filter is indeed being applied to the MR WAP itself, preventing my group policy with relaxed content settings from having any effect on my wireless clients.

If I follow your found fix, the only thing missing from the original config is the new SSID no longer prevents clients from seeing each other as it did when it was the Meraki NAT mode.  Is that correct?

Steve-Potter
Getting noticed

I like that idea; not sure how to apply a GP to the management VLAN though. All our infrastructure is on the same default VLAN; the data/phone and CCTV VLANs are separate though.
