Guest wifi on different public IP address?

Bodefosho
Conversationalist

Hi. We'd like to configure our guest wifi network to use a different public IP than our corp wifi and wired LAN. How can we achieve this? We're open to any and all suggestions.

We have a /29 from each of our dual ISPs, and a full stack of Meraki equipment: MX, MS, MR, and MV.

Thanks!

kYutobi
Kind of a big deal

You can use your MX and assign WAN2 another public IP. Then create a VLAN and assign its subnet to WAN2 via SD-WAN. From there you just use VLAN tagging for the SSID you're going to create.

KRobert
Head in the Cloud

You can definitely do what @kYutobi is suggesting. We like to keep our Guest network separate from our primary equipment so we use a separate MX65 for all Guest traffic.
CMNO, CCNA R+S
jdsilva
Kind of a big deal

Just be aware that even if you use Flow Preferences to direct a VLAN out a particular WAN interface, you cannot stop the traffic from failing over to the other WAN interface in the event the assigned WAN goes down. 

KRobert
Head in the Cloud

Good point @jdsilva. I'd say the best option is to add an MX65 at the very least followed by a MX67 or MX68. If you need it to be a rack mounted option, you could even do an MX84, but I wouldn't go beyond that.

Another rack mount alternative for MX64-68 is from the company RackMount.IT - https://www.rackmount.it/vendors/cisco.html
CMNO, CCNA R+S
Bodefosho
Conversationalist

Thanks for the suggestions, I appreciate them. I should clarify.

We have dual WAN configured, but we don't necessarily want to route all guest wifi traffic to WAN 2, because if/when WAN 2 fails over to WAN 1, we'd be where we started, as mentioned. We want to use a different IP than the IP configured for either WAN.

For example, if our primary ISP subnet is x.x.x.120/29, gateway x.x.x.121, and we have WAN 1 set to x.x.x.122, we'd like to send guest wifi traffic out on x.x.x.123.

I'm beginning to realize this will require a separate MX, because it looks like our MX100 is limited to two WAN ports (please correct me if I'm wrong there) and I can't find an acceptable way to NAT our guest wifi VLAN to x.x.x.123.

If we get an MX64 to handle guest wifi VLAN, can we leave our existing MR physical connections in place and just static route the guest wifi VLAN to the MX64? Or would the MRs with the guest SSID need to be physically connected to the MX64?

Thanks again.

jdsilva
Kind of a big deal

Right, so you can't do a source NAT on an MX making your ask of NAT'ing $guests to an IP not assigned to the MX interface impossible.

You are correct in that the MX100 (and all MX's for that matter) only have two WAN ports maximum.

I think you could do something like what you're asking with a third MX, but can you elaborate a bit there? How are you thinking of physically connecting them? You could just have the second MX as the gateway for the VLAN, but make sure you disable DHCP for the first MX on the VLAN (if I'm understanding you correctly).

Brons2
Building a reputation

We don't run MX, we run a competitor's firewall, but the way I do it is just have a different NAT rule for the public wireless on my firewall than for other VLANs in my network.  In addition the public wifi is layer 2 on the inside zone and the gateway address for the subnet is a subinterface on the firewall.  I have the luxury of having a /24 on the outside but you should be able to do it with a /29 also if you have at least 1 free IP.

pigeons
Conversationalist

Hey, it's been 3+ years since the last post. Has anything changed in Meraki and now we're finally able to use different IP addresses for Guest WiFi? 

STL
Conversationalist

We also need this "feature" for the same scenario, sadly I can't find any solution with Meraki MX. On Cisco ASA this is a basic NAT command and not such a special thing, don't understand why MX is not able to do this. 😞
