MR57 WiFi clients on bridged SSID can't access local LAN

Solved
haznix
Here to help

I have an internet gateway, with its own WiFi, running a DHCP server. I connected my MR57 to one of its ethernet ports and set up a 6GHz-only SSID in bridge mode. I connect my clients to the SSID and they get a DHCP address from the server on the gateway. I can access the internet from devices connected to this SSID. I have other devices connecting to the WiFi on the internet gateway as well. I am unable to ping the devices on this network. I can't even get a response back to a ping of the MR57's IP address on this network.

Topology:

----------

Internet Gateway (192.168.1.1) === ethernet === MR57 (192.168.1.5)
          ||                                         ||
        (WiFi)                                     (WiFi)
          ||                                         ||
  PC 1 (192.168.1.51)                        PC 2 (192.168.1.130)

When I try to ping 192.168.1.1 from PC 2 I get a Request timeout. When I try to ping PC 1, the same happens, even for the MR57.

I have tried switching to NAT mode and enabling the Firewall rule to Allow Local LAN from Wireless clients. I switched back to bridged mode and it still doesn't work. I like to use RDP to manage PC1 but that bails out too. Needless to say it all works fine when I connect to the WiFi on the Internet Gateway.

[screenshot: haznix_0-1746248644533.png]

As of this writing the firmware version on the MR57 is MR 31.1.7; it's connected to an AC power source.

If my SSID is bridged to the Local LAN shouldn't the wireless clients be able to see the other devices on the network? What am I missing? 

Update 1: Adding pictures of SSIDs summary page.

MySSID 1 configured in NAT mode

[screenshot: haznix_0-1746298050330.png]

MySSID 2 configured in Bridge mode; notice how it says No on the 3rd line from the bottom, where it says Yes for "Wired clients are part of Wi-Fi network" in the picture above.

[screenshot: haznix_1-1746298240247.png]

Thanks for reading. 

1 Accepted Solution
haznix
Here to help

TL;DR: the issue was caused by macOS's MAC address randomization for each different SSID on the same network.

The ARP cache on the MacBook, the MR57 and the Gateway had duplicate entries. The MacBook had saved a previous SSID with a randomized MAC address, and new IP addresses were getting assigned to the same MAC address while the ARP cache had an old IP address for the same MAC address.

The fix? Changed the setting on the MacBook to turn on MAC address randomization, deleted the known networks and rebooted all 3 devices.

Thank you for your feedback folks. I hope this helps someone someday, so I updated this thread for posterity. 


13 Replies
Purroy
Meraki Employee

Hello,

Have you tried enabling the setting that indicates which SSID a client connected to the LAN port of a Mesh AP connects to?


This is done under Network Wide > Configure > General page.

In there you will find Clients wired directly into Meraki access point:

[screenshot: Purroy_1-1746259834639.png]

haznix
Here to help

Hi Purroy,

Yes, that's what I thought about as well, changing this setting made no difference.

I would like to point out that I have an MR56 and an MR44 in another network in my org and it doesn't seem to be a problem on that network. Not sure if it is relevant, but I have an MX in parallel to the MR. There is nothing connected to it downstream, but its uplink is connected to an ethernet port on the same internet gateway.

haznix
Here to help

I updated the original post with pictures from the Wireless -> Configure -> SSID page, where I noticed how it differentiates between two SSIDs configured in the same way with the exception of the WPA selection.

MauroF
Building a reputation

Disable the application firewall installed in the PC or check the traffic shaping in the wireless setting if you have a "deny any LAN" in the rules.

haznix
Here to help

So it's not just the PC: I can't even ping the MR57's IP or the main gateway running the DHCP server. I did set the Deny to Allow. I have tried NAT mode with allow as well and still no bueno. Thank you for the suggestion. At this point I feel this might be a firmware bug. My gateway router is a Comcast XB7 device, and when I connect to its built-in WiFi everything works as expected.

alemabrahao
Kind of a big deal

Can you share a screenshot of Wireless > Configure > Firewall & Traffic Shaping please?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
haznix
Here to help

Sure, here you go.

[screenshot: haznix_0-1746466050688.png]

[screenshot: haznix_1-1746466071994.png]

alemabrahao
Kind of a big deal

I don't see any problem with your setup, so what I suggest is that you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
haznix
Here to help

I am planning to do so; I think it's a bug in the MR57 firmware. An MR56 and MR44 in the same org with similar config don't have this problem. Enabling/disabling L2 isolation made no difference.

PhilipDAth
Kind of a big deal
haznix
Here to help

No, it's disabled. I have an MR56 and MR44 in my org on a separate network with similar config and I can ping local LAN clients just fine. This seems to be MR57 specific.

haznix
Here to help

I think I figured out the cause. My MacBook's interface has an IP address of 192.168.192.113, but for whatever reason on the MR it's coming up as 192.168.192.34. I did a packet capture on the MR's wired interface with a ping going.

[screenshot: haznix_0-1746508222994.png]

Notice the destination in the packet capture.

[screenshot: haznix_1-1746508301741.png]

When I checked the ARP table in the Tools section I see the following. What I don't understand is, how is all the other traffic working properly while only the local traffic is getting directed to the wrong/non-existent IP address?

[screenshot: haznix_2-1746508479096.png]

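The root cause the thread arrives at, a client whose randomized MAC address ended up bound to several IP addresses in the ARP caches of the MacBook, the MR57 and the gateway, is exactly the kind of inconsistency a quick check of the neighbour table exposes. The script below is an added example written for this thread; it is not from the poster, Cisco Meraki or any product. It parses `arp -a` (macOS/BSD) and `ip neigh` (Linux) output, which the dashboard ARP table screenshot above cannot be run against directly, and flags any MAC bound to more than one IP (stale leases surviving an SSID change, as seen in the packet capture post) or any IP bound to more than one MAC (two hosts claiming the same address). The sample table, the `6a:5e:1f:aa:bb:cc` client address and the interface names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample neighbour-table output (not captured from the thread).
# Lines 1-6 mimic `arp -a` on macOS; the last line mimics `ip neigh` on Linux.
# The MAC 6a:5e:1f:aa:bb:cc is a hypothetical randomized client address that
# has collected several IPs across SSID changes, the condition the thread hit.
SAMPLE_NEIGHBOUR_TABLE = """\
? (192.168.1.1) at 0:11:22:33:44:1 on en0 ifscope [ethernet]
? (192.168.1.5) at 0:11:22:33:44:5 on en0 ifscope [ethernet]
? (192.168.1.51) at 0:11:22:33:44:51 on en0 ifscope [ethernet]
? (192.168.192.34) at 6a:5e:1f:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.192.113) at 6a:5e:1f:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.130) at 6a:5e:1f:aa:bb:cc on en0 ifscope [ethernet]
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
"""

# macOS/BSD `arp -a`: "? (ip) at mac on ifname ..."; MAC octets may be unpadded.
BSD_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)
# Linux `ip neigh`: "ip dev ifname lladdr mac STATE"
LINUX_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev \S+ lladdr (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Zero-pad each octet and lowercase, so '0:11:22:33:44:1' == '00:11:22:33:44:01'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_neighbour_table(text):
    """Return a list of (ip, mac) pairs from `arp -a` or `ip neigh` style output."""
    entries = []
    for line in text.splitlines():
        match = BSD_LINE.search(line) or LINUX_LINE.match(line)
        if match:
            entries.append((match.group("ip"), normalize_mac(match.group("mac"))))
    return entries


def find_conflicts(entries):
    """Index the entries both ways and report:
    - a MAC bound to several IPs: stale entries left behind when a client kept
      its (possibly randomized) MAC while its DHCP lease changed;
    - an IP bound to several MACs: two hosts claiming one address."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    return {
        "mac_with_many_ips": {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1},
        "ip_with_many_macs": {ip: sorted(ms) for ip, ms in macs_by_ip.items() if len(ms) > 1},
    }


def report(text):
    """Print a human-readable summary and return the conflict dict for further use."""
    conflicts = find_conflicts(parse_neighbour_table(text))
    for mac, ips in conflicts["mac_with_many_ips"].items():
        print(f"MAC {mac} is bound to {len(ips)} IPs: {', '.join(ips)} "
              "(stale lease or randomized client address?)")
    for ip, macs in conflicts["ip_with_many_macs"].items():
        print(f"IP {ip} is claimed by {len(macs)} MACs: {', '.join(macs)} (duplicate address?)")
    if not any(conflicts.values()):
        print("neighbour table is consistent")
    return conflicts


if __name__ == "__main__":
    report(SAMPLE_NEIGHBOUR_TABLE)
```

Run it on the real output of `arp -a` on the Mac and on the gateway if it offers a shell; a MAC that shows up with several IPs is the signature described in the accepted solution, and clearing the stale entries (or rebooting the three devices, as the poster did) resolves it. The check is deliberately read-only: it never modifies the cache, it only points at the entries worth looking at.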