I saw that article, but it doesn't answer the question.

 

• VLAN Tagging wireless traffic is not supported in NAT mode. 
  • Does this mean is it untagged traffic?
  • Does traffic traverse the native VLAN since it is "untagged?"
  • Or since it is NATing the management IP does it traverse the management VLAN?

Interesting, but doesn't this contradict the practice of completely segmenting management traffic from all user traffic?

I suppose it is, but then again, I'd normally only use Meraki DHCP on deployments that quickly need guest WiFi, and only able to use single vlans.

 

Then again, all clients are isolated from eachother. No client can talk to eachother in NAT mode. Internet access only.

I'm wondering which is more secure, NAT mode or Bridge mode with a L3 rule blocking access to the local LAN?

@RobMcLean NAT mode by default blocks access to the LAN unless you change L3 rules. Just letting you know. 😏

Plus, the first SSID on any network by default will block L3 Wireless > LAN traffic, create a new network and you'll see it 🙂

Thanks for all the replies.

 

I think I am going to go back to a bridge mode guest network , if for nothing else than a more seamless roaming, but I do want my management traffic completely separate.

 

Perhaps if the alternate management IP feature comes out of beta, there will be a way to keep them separate.

My home guest network is in bridge mode too, just on its own VLAN. This means guests that roam between APs keep the same IP address, unlike NAT mode. Was causing issues for iPhone VoWiFi for example

If you only have a single AP, and want to make things 'easy' then NAT mode should be fine. Otherwise I never recommend it. Always use bridge-mode, gives you far more control over things in the future when you didn't know you would need to, and the roaming issue that NAT introduces is a true killer.