Guest Wifi

mags1892
Here to help

I need to create a guest wifi which has no access to other users on the same SSID, however I can't use the IP range the Meraki MX suggests (10.0.0.0/8). Has anyone any pointers on the best way to achieve this? It should be easy but is proving otherwise.

Brash
Kind of a big deal

You can add firewall rules on the SSID to block all private RFC 1918 subnets (10.0.0.0/8, 192.68.0.0/16 etc) and allow everything else 

ww
Kind of a big deal

The 10.x.x.x is just local to that AP when using NAT mode. Traffic is NATted to the AP management IP.

For bridge mode, use the L2 client isolation and L3 block local LAN.

D_Tak
Meraki Employee

Is the wireless built into the MX or are you using MR APs? 

 

If using MR APs to configure/broadcast the SSID, setting the configuration to NAT mode, using the 10.0.0.0/8 by default, will segregate the traffic for the clients and isolate the clients so that they cannot communicate with one another. An additional recommendation to keep it a true guest network is to also modify/ensure that, on the Wireless > Firewall settings for the SSID, the rule to allow local LAN traffic is set to Deny. If you have to use bridge mode, the L2 client isolation feature and block local LAN firewall can be used as well, but you would need to allow several things such as the gateway IP, DNS server IP if they are local, or anything else that may prevent the client device from reaching internet or resources they should have access to.

 

The MX configuration would differ a bit as you would need to allow specific addresses (gateway, DNS, printers, etc) for things that guests would need access to and then deny everything else so it becomes a bit more involved but still doable. 

mags1892
Here to help

We are using MR APs and an MX100, however our other office wants us to use specific IP ranges for guest wifi.

D_Tak
Meraki Employee

So yes, in this case you would need to use bridge mode and enable the L2 LAN isolation feature and put in the firewall rules to allow/deny on the Wireless > Firewall page to allow certain traffic such as DHCP/DNS/Gateway access and then deny the rest.

 

More information on the feature and its setup can be found here.
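
An added example, not part of the thread and not Meraki code: a small audit of an ordered allow/deny list for a bridge-mode guest SSID, run against constructed probe flows before the rules are deployed. The rule tuple format, the local DNS server at 192.168.50.10, the implicit deny and every address are assumptions made for illustration. It also shows how a single mistyped private block leaves LAN hosts reachable.

```python
import ipaddress

# Ordered L3 rules, evaluated top-down with the first match winning.
# All addresses are constructed; 192.168.50.10 stands in for a local DNS server.
def guest_rules(private_blocks):
    rules = [("allow", "udp", "192.168.50.10/32", 53)]
    rules += [("deny", "any", block, None) for block in private_blocks]
    rules.append(("allow", "any", "0.0.0.0/0", None))
    return rules

GOOD = guest_rules(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
TYPO = guest_rules(["10.0.0.0/8", "172.16.0.0/12", "192.68.0.0/16"])  # mistyped block

def decide(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule matching the flow."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, cidr, r_port in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        if dst in ipaddress.ip_network(cidr):
            return action
    return "deny"  # assumption: a flow matching no rule is dropped

# Constructed probes: (protocol, destination, port, expected action for a guest).
PROBES = [
    ("udp", "192.168.50.10", 53, "allow"),   # local DNS resolver
    ("tcp", "192.168.50.10", 445, "deny"),   # same host, different service
    ("tcp", "10.20.30.40", 22, "deny"),
    ("tcp", "172.16.5.5", 3389, "deny"),
    ("tcp", "192.168.1.20", 80, "deny"),     # corporate LAN host
    ("tcp", "93.184.216.34", 443, "allow"),  # public internet
]

def audit(rules):
    """Return the probes whose outcome differs from what is expected."""
    return [(p, d, port) for p, d, port, want in PROBES
            if decide(rules, p, d, port) != want]

if __name__ == "__main__":
    print("good:", audit(GOOD))
    print("typo:", audit(TYPO))
```
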

mags1892
Here to help

In this case then we would need a DHCP server as the MX won't be supplying it! Or would we use a VLAN and set it that way?
