Meraki

Community

NAT Mode

Solved
RobMcLean
Getting noticed
‎Apr 15 2020 4:24 AM
‎Apr 15 2020 4:24 AM

NAT Mode

I have a simple question:

 

What VLAN does traffic from a SSID set to NAT mode traverse?

 

 

0 Kudos
1 Accepted Solution
In response to RobMcLean
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Apr 15 2020 5:59 AM
‎Apr 15 2020 5:59 AM

Since NAT is performed directly on the AP, traffic will traverse on the same VLAN as the AP has it's IP address.

So if the AP has an IP address 192.168.5.0/24 on vlan 5, traffic traverses on vlan 5.
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

View solution in original post

12 Replies 12
kYutobi
Kind of a big deal
‎Apr 15 2020 5:26 AM
‎Apr 15 2020 5:26 AM

The implications of enabling NAT mode are as follows:

  • Devices outside of the wireless network cannot initiate a connection to a wireless client.
  • Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.
  • Legacy VPN clients (i.e., those that do not support NAT Traversal) may not be able to establish IPSec tunnels over the wireless network. (One workaround is to upgrade the VPN client or configure the VPN client to establish an IPSec tunnel over TCP, e.g. SSL.) 
  • VLAN Tagging wireless traffic is not supported in NAT mode.  

Please note that each AP will NAT to its own management IP address. As a result, LAN flows will be interrupted when the client roams between APs.

The DHCP service for NAT mode will only hand out addresses in the 10.0.0.0/8 subnet. SSIDs in NAT mode can still be used on wired networks already using a 10.x.x.x address space, however clients on the NAT SSID may be unable to communicate with these networks.

Use Cases

NAT mode works well for providing a wireless guest network, since it puts clients on a private wireless network with automatic addressing. Layer 3 firewall rules can also be used to quickly limit or block access to network resources.

Enthusiast
In response to kYutobi
RobMcLean
Getting noticed
‎Apr 15 2020 5:42 AM
‎Apr 15 2020 5:42 AM

I saw that article, but it doesn't answer the question.

 

  • VLAN Tagging wireless traffic is not supported in NAT mode. 
    • Does this mean is it untagged traffic?
    • Does traffic traverse the native VLAN since it is "untagged?"
    • Or since it is NATing the management IP does it traverse the management VLAN?
0 Kudos
In response to RobMcLean
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Apr 15 2020 5:59 AM
‎Apr 15 2020 5:59 AM

Since NAT is performed directly on the AP, traffic will traverse on the same VLAN as the AP has it's IP address.

So if the AP has an IP address 192.168.5.0/24 on vlan 5, traffic traverses on vlan 5.
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
RobMcLean
Getting noticed
‎Apr 15 2020 6:07 AM
‎Apr 15 2020 6:07 AM

Interesting, but doesn't this contradict the practice of completely segmenting management traffic from all user traffic?
0 Kudos
In response to RobMcLean
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Apr 15 2020 6:15 AM
‎Apr 15 2020 6:15 AM

I suppose it is, but then again, I'd normally only use Meraki DHCP on deployments that quickly need guest WiFi, and only able to use single vlans.

 

Then again, all clients are isolated from eachother. No client can talk to eachother in NAT mode. Internet access only.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
RobMcLean
Getting noticed
‎Apr 15 2020 6:22 AM
‎Apr 15 2020 6:22 AM

I'm wondering which is more secure, NAT mode or Bridge mode with a L3 rule blocking access to the local LAN?

0 Kudos
In response to RobMcLean
kYutobi
Kind of a big deal
‎Apr 15 2020 6:27 AM
‎Apr 15 2020 6:27 AM

@RobMcLean NAT mode by default blocks access to the LAN unless you change L3 rules. Just letting you know. 😏

Enthusiast
0 Kudos
In response to kYutobi
ConnorL
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Apr 15 2020 6:29 AM
‎Apr 15 2020 6:29 AM

Plus, the first SSID on any network by default will block L3 Wireless > LAN traffic, create a new network and you'll see it 🙂
0 Kudos
In response to ConnorL
RobMcLean
Getting noticed
‎Apr 15 2020 6:36 AM
‎Apr 15 2020 6:36 AM

Thanks for all the replies.

 

I think I am going to go back to a bridge mode guest network , if for nothing else than a more seamless roaming, but I do want my management traffic completely separate.

 

Perhaps if the alternate management IP feature comes out of beta, there will be a way to keep them separate.

0 Kudos
In response to RobMcLean
ConnorL
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Apr 15 2020 6:39 AM
‎Apr 15 2020 6:39 AM

My home guest network is in bridge mode too, just on its own VLAN. This means guests that roam between APs keep the same IP address, unlike NAT mode. Was causing issues for iPhone VoWiFi for example
0 Kudos
In response to ConnorL
NolanHerring
Kind of a big deal
‎Apr 15 2020 9:11 AM
‎Apr 15 2020 9:11 AM

If you only have a single AP, and want to make things 'easy' then NAT mode should be fine. Otherwise I never recommend it. Always use bridge-mode, gives you far more control over things in the future when you didn't know you would need to, and the roaming issue that NAT introduces is a true killer.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
SMANNE
New here
‎Jun 7 2022 11:02 PM
‎Jun 7 2022 11:02 PM

How do we migrate wireless clients from Meraki DHCP(NAT Mode) to an internal DHCP server(Bridge Mode) seamlessly? Any Suggestions.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.