I have a guest SSID that has Meraki AP assigned NAT mode, which has deny all to local LAN. When users connect their mobiles to this network they do not receive email from hotmail, gmail, etc. They will receive it if they go on the corporate network. I believe it may be a DNS issue and cannot find outgoing mail servers? Any help would be appreciated.
Thanks.
Under client id and vlan for the SSID, I have 8.8.8.8 as the DNS server. The AP IP is on the corporate network.
A simple test is to connect a machine to the network and run some tests, such as ping, nslookup, traceroute, etc.
Are they able to access the Internet in general when using the guest SSID?
Do the APs get an IP address in the same range as the general corporate users, who are working?
Do you see your firewall reporting that anything is being blocked when the issue is happening?
Do the android devices have any kind of proxy server configured?
A bit more info here:
Yes, the AP gets an internal address in the same range as the corporate network.
There are no proxies.
Internet is accessible from all connecting to the guest SSID.
There are no content policies or firewall rules explicitly affecting this guest ssid
I have added 8.8.4.4 to the DNS as well.
Can you share any tests you have performed?
When I connect a laptop to the guest ssid, traceroute to hotmail.com and nslookup to hotmail.com produce the same results as when you do it from the corporate network.
I ran Wireshark and it seems ports 993 and 465 are being blocked (SMTP outgoing and incoming). What I don't get is that I'm not explicitly blocking these ports in the firewall. I will open them up to see if it solves the issue.
Ok, is there no other application that you are blocked from? Don't forget that the MR also has a firewall, have you already validated how the firewall part is in the MR?
I explicitly opened up port 993, 587, 465 for outgoing and we are receiving all emails now. The MR only has deny to local, and allow any any for the firewall. I still find it strange, but I guess it's working now.
It's normal, I suggest you create a specific VLAN for Guest Network.
Why don't you just create a guest subnet and segregate this traffic using a VLAN? Using NAT will make it difficult to troubleshoot upstream because all of the traffic is coming from the AP's IP.
Using Meraki NAT is never good as clients ‘hard roam’ (get a new IP) every time they change AP.
You should definitely look at creating a guest VLAN.
Negative. Clients get an IP address derived from their MAC address. You will always get exactly the same IP address every day of the year on every AP.
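
The check that resolved this thread (ports 993, 465 and 587 blocked while web access worked) can be repeated from a laptop on the guest SSID without a packet capture. This is an added example, not code posted by anyone in the thread; the hostnames are assumed targets, and `probe` and `diagnose` are hypothetical helper names.

```python
import socket

# Ports named in the thread (993, 465, 587), plus 443 as a control because
# web access already worked from the guest SSID.
MAIL_PORTS = {993: "IMAPS", 465: "SMTPS", 587: "SMTP submission"}
CONTROL_PORT = 443

def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    open     - handshake completed
    refused  - a RST came back (something answered; port closed or rejected)
    filtered - no reply before the timeout (typical of a silent firewall drop)
    error    - DNS failure or other OS-level error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

def diagnose(results):
    """results maps port -> probe() status. Returns a one-line verdict."""
    blocked = sorted(p for p in MAIL_PORTS if results.get(p) != "open")
    if results.get(CONTROL_PORT) != "open":
        return "control port 443 failed: general connectivity or DNS problem"
    if blocked:
        names = ", ".join(f"{p}/{MAIL_PORTS[p]}" for p in blocked)
        return f"web works but mail ports blocked upstream: {names}"
    return "mail ports reachable: look at the client or account instead"

if __name__ == "__main__":
    # Assumed targets; substitute the mail provider your guests actually use.
    targets = {443: "www.google.com", 993: "imap.gmail.com",
               465: "smtp.gmail.com", 587: "smtp.gmail.com"}
    results = {port: probe(host, port) for port, host in targets.items()}
    for port, status in sorted(results.items()):
        print(f"{targets[port]}:{port} -> {status}")
    print(diagnose(results))
```

Running it once on the guest SSID and once on the corporate network gives a side-by-side view of which ports the upstream firewall treats differently for the AP's NAT address.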