Meraki firewall on SSID not working

CarlT
Here to help


Hi All

We are having some issues with some MR42s. Basically, we have a Guest network and it's using the AP in NAT mode. We can ping devices on our LAN for some reason, even though there is a deny rule on the SSID blocking them from reaching local networks. We have added a rule also; however, it appears to have no effect. They are on MR 30.7.1.

Any ideas why this would be?

 

nicdc01
Getting noticed

Hey,
I would check to make sure you are assigning the rule to the correct SSID.


 

 

Wireless > Configure > Firewall & Traffic Shaping



Source:
https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Configuring_Simple_Guest_and_Int...

 

 

 

CarlT
Here to help

It is indeed attached to the correct SSID

nicdc01
Getting noticed

Firmware update or raise a ticket with support.

alemabrahao
Kind of a big deal

But is it only ICMP that's working, or can you access other internal resources?

 

Can you share a screenshot of the SSID and firewall configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
TBHPTL
Head in the Cloud

To add to what alemabrahao has said: pinging from where to where? And if using ping tools from the dashboard, which screen and tool?

 

 

Also, you said your APs are in NAT mode. If it is NAT mode, there is no way it can access the LAN, as the APs each run their own private 10.0.0.0/8 DHCP server for NAT, with each AP having its default gateway of 10.128.128.128 and performing DHCP for each client WIRELESSLY on the AP. Is it possible you just think you are pinging clients from a wired connection and are actually pinging other destinations on your LAN because your net uses Class A RFC 1918 on the LAN? See these docs:


https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...

 

 

PhilipDAth
Kind of a big deal

Clients on the guest WiFi should not be able to ping any RFC1918 address on the LAN with this configuration.  The APs themselves will still be able to ping LAN clients.

TBHPTL
Head in the Cloud

Agreed, that's why I am asking from where he is pinging; in the dashboard not all pings are L2 pings....
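As an added example (not written by any poster in this thread and not Meraki code), the sketch below turns the questions raised in the replies into a triage check: given the source and destination of a successful ping and the site's documented LAN subnets, it says whether the result is actually evidence that the guest SSID's LAN deny rule is not being enforced. The NAT-mode pool 10.0.0.0/8 and gateway 10.128.128.128 are as stated in the thread; the function name, result labels, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# From the thread: NAT-mode clients get 10.0.0.0/8 addresses from the AP,
# which answers as default gateway 10.128.128.128.
NAT_POOL = ipaddress.ip_network("10.0.0.0/8")
NAT_GATEWAY = ipaddress.ip_address("10.128.128.128")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ping(src, dst, lan_subnets):
    """Classify what a successful ping src -> dst says about the guest LAN deny rule.

    Result labels are hypothetical names chosen for this example.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lans = [ipaddress.ip_network(n) for n in lan_subnets]
    if src not in NAT_POOL:
        return "not-a-guest-test"        # wired host or the AP itself, not a guest client
    if any(src in n for n in lans):
        return "ambiguous-source"        # LAN also uses 10.x: could be a wired host
    if dst == NAT_GATEWAY:
        return "ap-gateway"              # the AP's own NAT gateway, not the LAN
    if not any(dst in n for n in RFC1918):
        return "not-local-lan"           # not an RFC1918 address
    if dst in NAT_POOL and not any(dst in n for n in lans):
        return "destination-not-in-known-lan"  # confirm what this 10.x host is
    return "rule-not-enforced"           # guest client reached a LAN address


if __name__ == "__main__":
    # Constructed sample tests: (source, destination, documented LAN subnets)
    samples = [
        ("192.168.10.20", "192.168.10.1", ["192.168.10.0/24"]),
        ("10.45.12.7", "192.168.10.1", ["192.168.10.0/24"]),
        ("10.45.12.7", "10.128.128.128", ["192.168.10.0/24"]),
        ("10.20.3.4", "10.20.0.1", ["10.20.0.0/16"]),
        ("10.45.12.7", "10.99.1.1", ["10.20.0.0/16"]),
    ]
    for src, dst, lans in samples:
        print(f"{src} -> {dst}: {classify_ping(src, dst, lans)}")
```

Only a `rule-not-enforced` result is worth attaching to a support ticket; the other labels mean the test itself needs to be repeated from a wireless client on the guest SSID.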
