Hi, I set up a simple guest network for internet access only.
It's getting an IP from the Meraki DHCP in 10.x.x.x/8.
However, when I connect to this network I can't get to my Exchange or OWA (myoutlook.mycompany.com).
It's an on-prem Exchange server with a LAN IP of 10.103.145.90.
The public-facing IP is 62.132.250.x.
Currently, for the guest SSID I have a firewall rule: deny | any | Local LAN | any.
I think the Meraki is seeing the 10.x.x.x as on the local LAN and blocking it.
Why wouldn't it just see the public IP and route it through?
Is there a way to make this work other than allowing the guest network access to my internal LAN?
Can I put a specific Meraki firewall rule allowing the internal IP of the Exchange server?
Will the deny any override that rule?
Thanks
If I connect to the guest SSID and run ipconfig /all,
it looks like the DNS server points to 10.128.128.128.
The AP has 2 SSIDs:
1. internal (bridge mode)
2. guest (NAT mode)
Only the internal SSID is pointing to an internal DNS server.
@mogulsurf wrote: If I connect to the guest SSID and run ipconfig /all,
it looks like the DNS server points to 10.128.128.128.
The AP has 2 SSIDs:
1. internal (bridge mode)
2. guest (NAT mode)
Only the internal SSID is pointing to an internal DNS server.
Yup. So the AP will act as the gateway/DNS/DHCP etc. from the client's perspective. But in reality, he is acting as a proxy. So whatever DNS the actual AP gets assigned (say from your Windows domain server, for example) is what it will use to do DNS resolutions.
For this reason, I tend to make it a habit that my access points always get assigned public DNS. They need it to reach the internet, and also for guest SSIDs like you just experienced. Plus I like to think that it adds an extra layer of security, as I don't want any internal DNS servers to accidentally get exposed for some unknown reason.
The easy way to overcome it is to use custom DNS as I mentioned previously. The downside to this is you kind of lose that 'free feature' of the blocking adult content option, but oh well.
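The failure mode in this thread is split-horizon DNS: the guest SSID's NAT-mode AP proxies DNS to whatever resolver the AP itself was given, so guest clients receive the internal A record (10.103.145.90), and the "deny any -> Local LAN" rule then drops the connection. The following is an added diagnostic example, not code from the thread or from Meraki: it takes the A record a hostname resolves to from each resolver, checks whether that answer falls inside the ranges a "Local LAN" rule is assumed to cover (RFC 1918 plus link-local and loopback), and flags when resolvers disagree. The DNS answers are constructed sample data; 203.0.113.10 is a documentation placeholder standing in for the real public IP the poster writes as 62.132.250.x.

```python
"""Split-horizon DNS check for a guest SSID behind a 'deny Local LAN' rule.

Added example, not from the thread. Given the A record a hostname resolves
to on each resolver, decide whether a guest client would be blocked by a
'deny any -> Local LAN' firewall rule and whether the resolvers disagree
(split horizon). All resolver answers below are constructed sample data.
"""
import ipaddress

# Ranges a 'Local LAN' rule is assumed to cover in this example:
# RFC 1918 private space plus link-local and loopback.
LOCAL_LAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


def in_local_lan(ip: str) -> bool:
    """True if the address would match a 'Local LAN' destination."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_LAN)


def guest_reachable(answer_ip: str) -> tuple:
    """(reachable, reason) for a guest client given the DNS answer it got."""
    if in_local_lan(answer_ip):
        return False, f"{answer_ip} is in Local LAN; 'deny any -> Local LAN' drops it"
    return True, f"{answer_ip} is public; traffic leaves via the WAN"


def diagnose(hostname: str, answers_by_resolver: dict) -> dict:
    """Compare the A record returned by several resolvers for one hostname.

    answers_by_resolver maps a resolver label to the IPv4 answer it returned.
    Returns per-resolver verdicts and whether the answers differ (split horizon).
    """
    verdicts = {}
    for resolver, ip in answers_by_resolver.items():
        ok, why = guest_reachable(ip)
        verdicts[resolver] = {"answer": ip, "reachable": ok, "reason": why}
    distinct_answers = {v["answer"] for v in verdicts.values()}
    return {
        "hostname": hostname,
        "split_horizon": len(distinct_answers) > 1,
        "verdicts": verdicts,
    }


# Constructed sample: the AP proxy (10.128.128.128, as seen in ipconfig on the
# guest SSID) forwards to the internal DNS server, which returns the Exchange
# server's LAN address from the thread; a public resolver returns a public
# address. 203.0.113.10 is a TEST-NET-3 placeholder for the real public IP.
SAMPLE_ANSWERS = {
    "AP proxy 10.128.128.128 -> internal DNS": "10.103.145.90",
    "public resolver": "203.0.113.10",
}

if __name__ == "__main__":
    report = diagnose("myoutlook.mycompany.com", SAMPLE_ANSWERS)
    print(f"{report['hostname']}: split_horizon={report['split_horizon']}")
    for resolver, v in report["verdicts"].items():
        state = "OK     " if v["reachable"] else "BLOCKED"
        print(f"  {resolver:40} -> {v['answer']:14} {state} {v['reason']}")
```

To feed it real data instead of the constructed sample, run `nslookup myoutlook.mycompany.com` while on the guest SSID (which queries the AP proxy) and `nslookup myoutlook.mycompany.com <public-resolver-ip>` from the same client, then pass the two answers to `diagnose`. A `split_horizon` of True with the guest answer marked BLOCKED is exactly the situation fixed above by giving the guest SSID a custom public DNS.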
Changing the DNS worked... thanks