Recently, we've upgraded to Meraki MR46 Access points. With it, one of our SSIDs was configured for staff to use their username/password combinations to connect to the network via a RADIUS server. However, we also want to limit what these users can see/access for servers on the network. They only need to see our print server and our internal website.
So we enabled Layer 3 firewall rules to allow access to these two servers and then set the rest of the local LAN to be blocked. Despite the allows, staff cannot access the pages via FQDN, only by IP address. We added the DHCP and DNS servers to the allow list, but continue to get hit with DNS not working while the layer 3 firewall rules are in effect. I can see that DHCP is assigning DNS servers along with the IP address, but DNS is still failing to allow access to internal content. (For example: the internal website is located at 192.168.1.42/24. It can be pinged by IP address, but when users visit http://universe.everything.local, they get a name not resolved error.)
The firewall rules don't have an option for FQDNs, only IPs. I have tried changing layer 2 isolation off and back on without any change in behavior. The only thing that seems to work while on DHCP is to allow all local LAN access, which we are trying to avoid. If we use static assignment, it seems to work.
Could you try with this rule
Allow any any port 53
Once I set the protocol to Any, setting a port becomes greyed out. Both our DNS and DHCP additions are also set the same way with protocol and port showing "Any"
I added "Allow TCP Any 53" and "Allow UDP Any 53" to see if that makes a difference. Unfortunately, it did not.
Are your block rules after the allow rules in the screenshot?
Correct. All the allows are set first, leaving the only block being for the local LAN for wireless clients.
Are you using any DNS services like Umbrella?
Only our internal DNS server, running through Windows.
Does a manual nslookup work?
I've been mainly testing with Android since that is the majority of our user base's devices. Using PingTools, I get 0 records received out of 38 queries.
I set up a new Windows machine to test and it works on Windows. If I can get my hands on a macOS or iOS to test, I will try them, but for now, it seems to be isolated to Android devices.
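The thread above asks whether a manual lookup works from an affected client and which transport the firewall actually passes. As an added example (not code from the original thread or from Meraki), the script below builds a raw DNS A query, sends it to a resolver over UDP/53 and again over TCP/53, and separately checks whether TCP/853 is reachable; 853 is the port DNS-over-TLS uses, which an Android device with Private DNS enabled tries instead of port 53, so it is worth probing from a client on the restricted SSID. The resolver address `192.168.1.10` is a placeholder (the thread does not give the DNS server's IP); the name `universe.everything.local` and the web server IP `192.168.1.42` are from the post, and the sample response at the bottom is constructed for offline checking.

```python
"""Probe a DNS server over UDP/53, TCP/53, and check TCP/853 reachability.

Added example for the Meraki L3 firewall thread; not Meraki code.
Run from a client on the restricted SSID: python3 dnsprobe.py <resolver-ip> <name>
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid=None, qtype=QTYPE_A):
    """Encode a recursive DNS query for `name` in RFC 1035 wire format."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100: standard query, recursion desired; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid):
    """Return {'rcode': int, 'answers': [ipv4 strings]} for a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x0F, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full response")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    """Resolve `name` via UDP/53; raises socket.timeout if the path is blocked."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def query_tcp(server, name, timeout=3.0):
    """Resolve `name` via TCP/53 (two-byte length prefix on each message)."""
    txid = random.randint(0, 0xFFFF)
    q = build_query(name, txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data, txid)


def port_open(server, port, timeout=3.0):
    """True if a TCP connection to server:port completes (e.g. 853 for DNS over TLS)."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the reply a resolver would give for the thread's hostname.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)     # response, RA, NOERROR
    + build_query("universe.everything.local", SAMPLE_TXID)[12:]  # echoed question
    + b"\xc0\x0c"                                                 # pointer to qname
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
    + bytes([192, 168, 1, 42])
)


def main(server="192.168.1.10", name="universe.everything.local"):   # placeholder resolver IP
    for label, fn in (("UDP/53", query_udp), ("TCP/53", query_tcp)):
        try:
            print(label, fn(server, name))
        except (OSError, ValueError) as exc:
            print(label, "FAILED:", exc)
    print("TCP/853 reachable:", port_open(server, 853))


if __name__ == "__main__":
    main(*sys.argv[1:])
```

If ping to the resolver succeeds but both UDP/53 and TCP/53 time out, the firewall is not matching the allow rule for that host; if port 53 answers but 853 is refused or times out, a client configured for Private DNS will still fail to resolve even though the rules look correct for port 53.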