If you have the ability and can plug directly into the MX do you see the same behavior? When doing this if you can remove all other LAN connections and if you have any default routing over a VPN please disable it for the testing. If the issue persists I would recommend opening a support case to have a Meraki Engineer look into the behavior.  ... View more

You do have the ability as well to configure the RF profile in which you can lower the MAX radio transmit power range or configure minimum bitrate both of which would affect the range of signal and may stop the device from connection attempts to a farther away AP but as Karstenl stated this is a client decision as to where it connects.    More on RF profiles can be found within this Meraki Documentation. ... View more

So yes in this case you would need to use bridge mode and enable the L2 LAN isolation feature and put in the firewall rules to allow/deny on the Wireless > Firewall page to allow certain traffic such as DHCP/DNS/Gateway access and then deny the rest.    Mor information on the feature and its setup can be found here. ... View more

Typically, I would look at the current power output that the problem APs are putting out along with the environment directly to see if there is anything that may be creating interference with the signal for those particular APs. Are you noticing the issue more on 2.4 Ghz or 5 Ghz bands or both? How are the APs Mounted are they ceiling mounted or are they mounted to a post?  ... View more

Is the wireless built into the MX or are you using MR APs?    If using MR APs to configure/broadcast the SSID setting the configuration to NAT mode using the 10.0.0.0/8 by default will segregate the traffic for the clients and isolate the clients so that they cannot communicate with one another. An additional recommendation to keep it a true guest network is to also modify/ensure that on the Wireless > Firewall settings for the SSID the rule to allow local LAN traffic is set to Deny. If you have to use bridge mode the L2 client isolation feature and block local lan firewall can be used as well but you would need to allow several things such as the gateway ip, DNS server ip if they are local, or anything else that may prevent the client device from reaching internet or resources they should have access to.    The MX configuration would differ a bit as you would need to allow specific addresses (gateway, DNS, printers, etc) for things that guests would need access to and then deny everything else so it becomes a bit more involved but still doable.  ... View more

Greetings,   Where in the aisle does the inconsistent signal range issue start happening? Is there anything different near the problematic APs such as any inventory or obstructions that may cause signal interference? For the problematic vs non-problematic APs is there any difference in the actual power the APs are using? If you move an AP that is not having issues with an AP that is having issue does the problem stay in the location or does it follow the AP? Is the issue at the same end of an aisle or in the same area only or does it span throughout the warehouse?    I highly recommend opening a case with support and provide the Ekahau survey taken for the engineer to parse through to collaborate on what may be causing the issue. The reason for this ask is that not knowing the floorplan or the full network setup it will be difficult to recommend anything based on what you are seeing so far and the best option is to have support engaged to deep dive the environment.      ... View more

The options for this are limited to either API or Manual unless your networks are bound to a Configuration Template which would then allow you to modify this setting at the template level instead of managing this at the network level.    For the API calls you can use the GET/PUT Network Appliance VLANs in order to build your script. The linked document also has a sample JSON output to help build out your script.  ... View more

I would not suspect the secondary MX unless the HA pair was showing as Master/Master in the dashboard as that may cause some confusion for the upstream device. I would also question the switch port configuration on the ISP equipment to see if a VLAN mismatch is causing any problems in the forward of traffic since this worked as expected with just a single MX in place. In this instance not using the shared IP of the MX may be causing problems with the 2 appliances having different IPs if they are both master at the present time.  If when you power of the spare MX appliance and if things start working as expected I would request you call in and work with support opening the original ticket if its still not open and outline the troubleshooting done as you can then clearly narrow it down to the HA pairing especially if the Primary MX is working through the Ubiquit switch.  Are or have either of the MX appliances been alerting in the dashboard or have you seen any failover from primary to spare? I ask this as if the spare is in secondary it will only do the management connectivity items used to ensure its able to be online in the Meraki Dashboard and that it has internet connectivity. If the MX appliances both show Master there may be a routing issue connected as they could potentially both be receiving the inbound traffic.  ... View more

Greetings, Prior to adding the Spare MX appliance was this the same configuration from ISP switch > your switch > MX appliance? Were the 1:Many NAT rules in place and working prior to the addition of the secondary MX? If you power off the secondary MX do the rules start working as configured? What sort of swith are you utilizing between the ISP and the Meraki MX pairing? What are the port configurations for this switch?  If the same behavior is still in place where the MX is not receiving on the WAN captures even with the spare powered off it would be great to have the captures from your switch both on the port connected to the ISP switch along with the port connected to the MX to ensure that the swtich is properly receiving/sending the traffic over the required ports. Is it possible to plug the MX directly into the ISP switch (either just the primary or the HA Pair) to bypass the additional switch in between? This may be beneficial if your capture from your switch shows the same behavior where you are not seeing the inbound traffic for the 204, 205, and 206 IP addresses and would then be easier to ask the ISP where that traffic is going since its not making it to the MX appliance.      ... View more