On Guest SSID, we cannot receive outside email (hotmail, gmail, etc)

Announcer

I have a guest SSID that has Meraki AP assigned NAT mode, which has deny all to local LAN. When users connect their mobiles to this network they do not receive email from hotmail, gmail, etc. They will receive it if they go on the corporate network. I believe it may be a DNS issue and cannot find outgoing mail servers? Any help would be appreciated.

thanks.

alemabrahao

You know that when it is in NAT mode the client uses the AP's IP for communication, so if you have a Firewall rule that restricts the network the AP is on, that is a possible explanation.
 
Let us know a little more about your network, do you have a firewall that filters content?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Announcer

Under client id and VLAN for the SSID, I have 8.8.8.8 as the DNS server. The AP IP is on the corporate network.

Okay, but the question is, do you have any content filters? Any firewall rules that may be impacting?
 
We have to evaluate all possibilities.

A simple test is to connect a machine to the network and run some tests, such as ping, nslookup, traceroute, etc.

PhilipDAth

Are they able to access the Internet in general when using the guest SSID?

 

Do the APs get an IP address in the same range as the general corporate users, who are working?

 

Do you see your firewall reporting that anything is being blocked when the issue is happening?

 

Do the android devices have any kind of proxy server configured?

A bit more info here:

Yes, the AP gets an internal address in the same range as the corporate network.
There are no proxies.
Internet is accessible from all connecting to the guest SSID.

There are no content policies or firewall rules explicitly affecting this guest SSID.

I have added 8.8.4.4 to the DNS as well.

Can you share any tests you have performed?


When I connect a laptop to the guest SSID, traceroute to hotmail.com and nslookup to hotmail.com produce the same results as when you do it from the corporate network.

I ran a Wireshark and it seems port 993 and 465 are being blocked (SMTP outgoing and incoming). What I don't get is that I'm not explicitly blocking these ports in the firewall. I will open them up to see if it solves the issue.

Ok, is there no other application that you are blocked from? Don't forget that the MR also has a firewall, have you already validated how the firewall part is in the MR?


I explicitly opened up port 993, 587, 465 for outgoing and we are receiving all emails now.  The MR only has deny to local, and allow any any for the firewall.  I still find it strange, but I guess it's working now.

It's normal, I suggest you create a specific VLAN for Guest Network.
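
Added example, not part of any reply in this thread: a small Python check that separates the DNS theory from the blocked-port finding by probing the mail ports the poster opened (993, 587, 465) alongside an HTTPS control. The hostnames are assumed well-known Gmail endpoints, not values from the thread.

```python
import socket

# Assumed targets (not from the thread): well-known Gmail endpoints for the
# ports the poster opened, plus an HTTPS control that guests could already reach.
TARGETS = [
    ("imap.gmail.com", 993),   # IMAP over TLS (receiving)
    ("smtp.gmail.com", 587),   # SMTP submission (sending)
    ("smtp.gmail.com", 465),   # SMTP over TLS (sending)
]
CONTROL = ("www.google.com", 443)

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'dns-fail'."""
    try:
        family, kind, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns-fail"            # name did not resolve: a DNS problem
    with socket.socket(family, kind, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"            # TCP handshake completed
        except ConnectionRefusedError:
            return "refused"         # RST came back (closed port or rejecting firewall)
        except OSError:
            return "filtered"        # timeout or unreachable: dropped on the path

def diagnose(control, mail):
    """control: status of the HTTPS probe; mail: {(host, port): status}."""
    statuses = set(mail.values()) | {control}
    if "dns-fail" in statuses:
        return "dns"
    if control != "open":
        return "no-internet"
    blocked = sorted(p for (_, p), st in mail.items() if st != "open")
    return "mail-ports-blocked: %s" % blocked if blocked else "ok"

if __name__ == "__main__":
    mail = {t: probe(*t) for t in TARGETS}
    for (host, port), st in mail.items():
        print(f"{host}:{port} {st}")
    print(diagnose(probe(*CONTROL), mail))
```

Run it once on the guest SSID and once on the corporate network; a `mail-ports-blocked` result only on the guest side points at filtering upstream of the AP's NAT address rather than at DNS.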

BlakeRichardson

Why don't you just create a guest subnet and segregate this traffic using a VLAN? Using NAT will make it difficult to troubleshoot upstream because all of the traffic is coming from the AP's IP.

UKDanJones

Using Meraki NAT is never good as clients ‘hard roam’ (get a new IP) every time they change AP. 

 

You should definitely look at creating a guest VLAN.

Please feel free to hit that kudos button

Negative. Clients get an IP address derived from their MAC address. You will always get exactly the same IP address every day of the year on every AP.
