Meraki DHCP DNS caching

MXanderson
Here to help

The guest/Meraki DHCP SSID (10.0.0.0/8) is caching internal DNS entries. Laptops inside the LAN that are using the guest SSID that has the setting "clients being blocked from using LAN" are still trying to resolve DNS internal IP addresses.

 

I want these websites that do have internal DNS records to actually resolve externally to DNS on public addresses. I have tried ipconfig /flushdns, and have tried assigning content filtering to external DNS. I have also created a new SSID with the deny any Local LAN traffic turned on before it has the chance to cache internal DNS records.

 

Currently the only way I have found to fix the webpages that are trying to resolve internally is to allow the internal DNS names and ports into the Layer 3 firewall rules on SSID settings. This is a tedious task for each webpage/DNS entry to put both 80/443. The other problem is larger external webpages like portal.office.com that resolve to single sign-on need a lot of ports allowed through at the Layer 3 firewall rules. Is there an easier way to do this, and am I using the best method for not allowing guest network? Thanks in advance for the input.

 

Mike Anderson

NolanHerring
Kind of a big deal

I'm not seeing how the client on the guest can obtain anything internal if you're blocking it. If you have DENY LOCAL LAN enabled, then they should not be getting anything internal at all.

What DNS is your AP pulling?

Do the laptops have any custom host files in place?
Nolan Herring | nolanwifi.com
MXanderson
Here to help

The DNS server is the default 10.128.128.128 from the client perspective, but the website which is inside the LAN has a private IP address. It should be resolving to the public IP externally but it's trying to resolve internal. There is no custom hosts file.

PhilipDAth
Kind of a big deal

>The DNS server is the default 10.128.128.128 from client perspective

 

That is what clients get - no need to change that. That request goes to the AP.

 

Change the DNS servers being used by the AP to external DNS servers and the users' DNS queries will also go externally (via AP DNS proxy).

NolanHerring
Kind of a big deal

I agree with you @PhilipDAth, although I'm curious now that I'm thinking about it. I have never used the feature, but the original poster mentioned that he:

 

> and have tried assigning content filtering to external DNS

 

Would that achieve the same thing as having the DNS that the access points use?


Always thought it would but never validated it.

MXanderson
Here to help

I changed the DNS to Google servers for resolution on the AP LAN interface. That did make it so nslookup would see the external IP address for the sites I was trying. When I used a web browser it would not resolve the websites though.

NolanHerring
Kind of a big deal

Try incognito mode.
Also do a traceroute to the site you're trying to reach (try internal and external to see where each path goes). It's possible, because it's also available via a private IP, that there is something down the path routing-wise that is forcing traffic destined for that site to go a specific way.
jdsilva
Kind of a big deal

Hey @MXanderson ,

 

From the sounds of things you've outgrown the Meraki DHCP SSID use cases and you should consider transitioning to a Guest SSID that bridges into a Guest VLAN. If you're "big" enough, and savvy enough to be running your own internal DNS servers, then I think you would benefit greatly from shifting your guest Wi-Fi solution to one more scalable and flexible.

PhilipDAth
Kind of a big deal

Change the DNS settings on your APs to use external public DNS servers instead of your internal DNS servers.
