Hi. We'd like to configure our guest wifi network to use a different public IP than our corp wifi and wired LAN. How can we achieve this? We're open to any and all suggestions.
We have a /29 from each of our dual ISPs, and a full stack of Meraki equipment: MX, MS, MR, and MV.
Thanks!
You can use your MX and assign WAN2 another public IP. Then create a VLAN and assign it's subnet to WAN2 via SD-WAN. From there you just use vlan tagging for the SSID you're going to create.
Just be aware that even if you use Flow Preferences to direct a VLAN out a particular WAN interface, you cannot stop the traffic from failing over to the other WAN interface in the event the assigned WAN goes down.
Thanks for the suggestions, I appreciate them. I should clarify.
We have dual WAN configured, but we don't necessarily want to route all guest wifi traffic to WAN 2, because if/when WAN 2 fails over to WAN 1, we'd be where we started, as mentioned. We want to use a different IP than the IP configured for either WAN.
For example, if our primary ISP subnet is x.x.x.120/29, gateway x.x.x.121, and we have WAN 1 set to x.x.x.122, we'd like to send guest wifi traffic out on x.x.x.123.
I'm beginning to realize this will require a separate MX, because it looks like our MX100 is limited to two WAN ports (please correct me if I'm wrong there) and I can't find an acceptable way to NAT our guest wifi VLAN to x.x.x.123.
If we get an MX64 to handle guest wifi VLAN, can we leave our exiting MR physical connections in place and just static route the guest wifi VLAN to the MX64? Or would the MRs with the guest SSID need to be physically connected to the MX64?
Thanks again.
Right, so you can't do a source NAT on an MX making your ask of NAT'ing $guests to an IP not assigned to the MX interface impossible.
You are correct in that the MX100 (and all MX's for that matter) only have two WAN ports maximum.
I think you could do something like what you're asking with a third MX, but can you elaborate a bit there? How are you thinking of physically connecting them? You could just have the second MX as the gateway for the VLAN, but make sure you disable DHCP for the first MX on the VLAN (if I'm understanding you correctly).
We don't run MX, we run a competitor's firewall, but the way I do it is just have a different NAT rule for the public wireless on my firewall than for other VLANs in my network. In addition the public wifi is layer 2 on the inside zone and the gateway address for the subnet is a subinterface on the firewall. I have the luxury of having a /24 on the outside but you should be able to do it with a /29 also if you have at least 1 free IP.
Hey, it's been 3+ years since the last post. Has anything changed in Meraki and now we're finally able to use different IP addresses for Guest WiFi?