[MR16] Unable to connect to printer from isolated WLAN, printer connected to bridged SSID

Dmunoz
Just browsing

Hi,

 

I have some clients connected to an MR16, namely an Epson printer, and some clients, and those clients are unable to connect and print.

 

The LAN network is configured as follows:

 

  • One MX64 as gateway
  • One Cisco Catalyst switch (but I guess it does not matter, as it)
  • Some MR16 connected to the LAN via Ethernet
  • Some non-Meraki APs connected to the LAN via Ethernet, WLAN configured in bridge mode
  • Some clients connected directly to the local LAN via Ethernet, or via Wi-Fi through those non-Meraki APs
  • Few clients connected to the local LAN via the MR16 in bridge mode (including the printer)
  • Most of the clients connected to the isolated Meraki WLAN

 

The Meraki WLAN network is configured as follows:

 

  • An SSID configured as isolated WLAN (Meraki DHCP via NAT)
  • A dedicated SSID configured as Bridge, for printers (in order to be part of the LAN) (Layer 2 LAN isolation is disabled)

The department where I'm configuring the printer has the following settings:

 

  • One desktop connected directly to the LAN
  • An MR16 connected to the LAN (same segment)
  • Some clients connected to the Isolated WLAN's SSID at the MR16
  • An Epson printer connected to the Bridged WLAN's SSID at the MR16

What happened:

 

  • Clients under the isolated WLAN can successfully connect to the local LAN, then print to the major printers.
  • Clients under the LAN (directly connected or through non-Meraki APs) can connect to the Epson printer
  • However, the clients connected to the isolated WLAN's SSID are unable to connect to the Epson printer.

So, may I have an issue with the configuration, or is it just a feature misconfigured?

 

Thanks.

 

 

6 Replies
MacuserJim
A model citizen

You are wanting the clients on the isolated (NAT'd) SSID to print to the Epson printer? You are isolating them so they can't see other clients. I would suggest you create an actual VLAN to have that SSID drop clients into, and then add firewall rules to allow clients in that VLAN to see/print to the Epson printer.

Dmunoz
Just browsing

Yep, everything is inside the same VLAN (192.168.2.0/24), both the MR16 and the clients connected to the Bridged SSID.
Bruce
Kind of a big deal

When you are using client isolation on the wireless, it only allows traffic to the subnet gateway; see Wireless Client Isolation. Therefore, if you have everything in one VLAN using the same subnet, then the clients in the isolated WLAN can only communicate with the gateway IP address. If you move the isolated WLAN to another subnet, then they should be able to communicate with the printers, since the traffic will go via the subnet gateway.

Dmunoz
Just browsing

So, what should be the expected behavior if I set a second VLAN at the firewall, then set the default VLAN at the AP gateway to the new VLAN? I'm unable to "play" with config changes, at least for now; this is why I ask this.

Bruce
Kind of a big deal

So I just re-read your description, are the clients with problems on the SSID that is using the Meraki DHCP? And does the rest of the network use the 192.168.2.0/24 subnet?

Bossnine
Building a reputation

Just like it says on the configuration page:

 

"NAT mode: Use Meraki DHCP

Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other, but they may communicate with devices on the wired LAN if the SSID firewall settings permit."

Under those firewall settings I've had to allow access to specific internal resources for NAT mode clients.
 