Meraki

Community

MR Firewall Rules for One SSID

Nembrey3
Here to help
‎May 2 2019 10:45 AM
‎May 2 2019 10:45 AM

MR Firewall Rules for One SSID

Wondering if anyone could help out with a scenario we are running into. In the past we have been using a Guest network with a PSK and then registering Guests and manually setting expiration times. This worked fine until now as there are only a couple of us managing a much larger scale solution now and the other group that was helping us no longer wants to play. 

 

we have the blessing from our Information Security team to use a SSID with a PSK and a Click through splash page with some legal jargon. Beyond that, they want us to lock down the SSID as much as possible to the point that only ports 80 and 433 would be open as our guests shouldn't need to be doing much beyond that on this SSID. If other uses cases do come up then we can alter it, but for the time being this is what we are running with.

 

I imagined that the rules would have looked something like this, but its not working as intended. Support said probably because the Deny Any/Any rule isn't allowing DNS. Anyone have any recommnedations?

 

# Policy    Protocol          Destination    Port    Comment

1 Allow    TCP                 Any              80

2 Allow    TCP                 Any              443

3 Deny     Any                  Any             Any

4 Any       Local LAN      Any             Any        Wireless clients accessing LAN

5 Allow    Any                  Any             Any        Default rule

0 Kudos
4 Replies 4
kYutobi
Kind of a big deal
‎May 2 2019 11:19 AM
‎May 2 2019 11:19 AM

Why not just use Meraki DHCP. It doesn't talk to the LAN side unless you allow.

 

Capture.PNG

Enthusiast
0 Kudos
In response to kYutobi
Nembrey3
Here to help
‎May 2 2019 11:30 AM
‎May 2 2019 11:30 AM

We have discussed that as well, but maybe I did not express the concern very well.

 

Their concern is around a Visitor using our Wi-Fi to do something malicious while onsite not only to our internal assets, but they want to try and regulate our Wi-Fi being used to do something externally. Obviously things can and will happen but they would like visitors to only have access to Ports 80 and 443 and nothing else.

0 Kudos
In response to Nembrey3
ww
Kind of a big deal
Kind of a big deal
‎May 2 2019 11:35 AM
‎May 2 2019 11:35 AM

does it work when you add bootp and dns Ports to your dhcp and dns servers 

In response to Nembrey3
kYutobi
Kind of a big deal
‎May 2 2019 11:49 AM
‎May 2 2019 11:49 AM

@Nembrey3  I apologize. You can also control what is accessed through "Firewall and traffic shaping" to control bandwidth and even do Layer 7 rules. i.e deny Social media, Proxy, etc.   

Enthusiast
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.