I've dealt with this using a workaround for locations without an upstream firewall. Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps. Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server such as 8.8.8.8. Root Cause: When client devices connect to the MR they are placed in a captive portal policy and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic. Documentation error: In my testing, MR Traffic shaping rules are indeed applied before splash page authentication. "When splash page authentication is configured, captive portal strength settings take precedence over configured traffic shaping and firewall rules. This means traffic shaping and firewall rules will only apply after Splash page authentication has occurred successfully." Documentation Link: https://documentation.meraki.com/MR/MR_Splash_Page/Configuring_Splash_Page_Authentication_with_an_LDAP_Server ... View more