I'm looking for help creating guest wifi access with LuCI/LEDE on my Meraki MR18. This is my system:
Internet box : 192.168.1.1
Cisco Router : 192.168.1.254 and 192.168.0.254
Meraki MR18 : 192.168.0.11.
I have created a wifi access on my MR18 and all is perfect. But when I want to create a guest access, I have a lot of difficulties (maybe because the MR18 is just an access point). I read a lot of tutorials to do that but it is still not working.
I'm not sure how this would be configured on an access point, but it would likely require creating a separate VLAN for the Guest network, creating firewall rules to allow it access to the WAN Gateway, and creating firewall rules to block all other traffic from the Guest Network.
Normally when a Guest network is created on the WAN facing router, forwarding would be blocked from Guest -> LAN, but allowed for Guest -> WAN, however this isn't possible on an access point since it isn't configured with a WAN network.
You're right, the MR18 doesn't have a WAN port. It's just an access point with one ethernet port.
I read this post: TpLink TL-WA801ND v3 - LEDE 17.01.4 - Vlan Configuration
I think this is the same problem but I don't understand it all.
Instead of a wan port you will need a wan Vlan... This is nontrivial the first time you set it up because you have to read up on what a Vlan is and how to configure them. It is very situation specific how you would want it set up... There isn't really a shortcut
I can say that each port can have only one untagged Vlan, so you probably need a tagged Vlan, in which each packet on the wire carries a Vlan ID with it.
Might be a good starting point. Once you understand the concept, how to configure it is much easier
If you go this way the router your AP talks to will also need to have that Vlan set up as well
I hope others were able to assist with the VLAN, etc...I am somewhat lost, though:
It's not "just an AP..." it's an LEDE device now, you just have to properly configure it.
I'm wondering why you have 2 upstream routers,
why you're not masquerading on the LAN, and
why you configured forwarding from your Guest WiFi to WAN, when your upstream connection is actually on LAN,
are you trying to NAT, ROUTE OR BRIDGE the upstream device,
etc.
NO, from your own picture, there's a WAN. YOU HAVE TO CONFIGURE THE MR18 PROPERLY. THIS WILL LIKELY REQUIRE VLANs, SINCE YOU HAVE LESS PHYSICAL PORTS FOR USE. Per @dlakelan, you may wish to learn more about VLANs, trunked ports (possessing a VLAN frame tag) and access ports (not possessing a VLAN frame tag).
@polarrys The question you have to ask yourself in order to figure out how to configure your system is:
When a packet comes in via your guest wifi, and needs to go to the internet via a router, how does it get to the router? How does the router know that it's a guest packet vs a "regular" packet? If you read up on VLANS and then can answer that fundamental question, then you'll be pretty good to go.
It's really not just about the MR18, you will need to make your router communicate with your MR18 in such a way that the reverse routing: from the internet, to your router, to your MR18 and out of the "guest" SSID also works. The problem is not solvable strictly by configuration of the MR18 alone.
I have corrected my mistake. The right one is 192.168.0.254, of course.
I'm sure that someone has done this on the MR18. I will check. I will search for a tutorial about that.
Yes, my MR18 has LEDE now but it's more complicated than the Cisco Meraki software.
Why do you say I have 2 routers? I have only one router: a Cisco RV 180W.
I don't know what masquerading on the LAN is.
I thought that it was possible to link guest access with the WAN directly.
I just want to create 2 SSIDs: a main one with full access and a guest one with limited access.
In my picture I see the WAN (linked to LAN). I will read up on VLANs.
Maybe there is a simpler way to create a guest access (I hope).
As @dlakelan said. You will have to configure the Cisco device properly, as well. You will likely have to enable VLAN trunk ports between the Cisco and LEDE device.
Yes, make it a tagged VLAN on the Cisco RV 180W (which is your actual router), and then make a tagged VLAN on your Meraki with the same tag number. Then bridge the second SSID on the Meraki with the tagged VLAN interface on the Meraki, making a single "Guest" interface. Then, provided that your Cisco has correct firewall rules etc., your packets will flow from the Guest interface to the wire tagged with the VLAN, and then out to the RV180W, which routes it out to the internet via NAT (for IPv4) and then takes the return packet, and routes it down the VLAN interface to the Meraki... which sees the VLAN tag and knows to bridge it to the WLAN guest SSID.... If you understand that flow... you can get what you want.
You probably want the Guest VLAN to be on a separate IP subnet, 192.168.1.0/24 for example, and the Cisco RV180W to have an IP on this subnet, say 192.168.1.1, associated with the VLAN interface on the 180W. Then clients on the guest VLAN will get their IP addresses via DHCP, either handed out by the Meraki or handed out by the Cisco RV180W, but not both; choose which one you want to be in charge.
Also, consider if you want IPv6 here... depends on your situation. But again, it should be a separate network number.
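The tagged-VLAN bridge described in the last reply, sketched as LEDE 17.01-style UCI configuration for the MR18 side. This is an added example, not a configuration posted by anyone in this thread. VLAN ID 3, the SSID name, the key placeholder and `radio0` are assumptions, as is the choice to let the RV180W hand out DHCP and do all routing and firewalling for the guest subnet.

```uci
# /etc/config/network  (MR18, single Ethernet port eth0)
# The existing 'lan' bridge stays untagged on eth0 and is not shown.

# Guest bridge: carries only frames tagged with VLAN 3 on the wire.
# 'eth0.3' makes LEDE create the 802.1Q sub-interface (VLAN ID 3 is assumed;
# it must match the tagged VLAN configured on the RV180W port).
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.3'
	# No IP address on the AP for this network: the AP only bridges,
	# so it never routes guest traffic itself and offers no management
	# address (LuCI/SSH) to guest clients.
	option proto 'none'

# /etc/config/wireless

# Second SSID on the same radio, attached to the guest bridge above.
config wifi-iface
	option device 'radio0'        # assumed radio name
	option mode 'ap'
	option ssid 'Guest'           # assumed SSID
	option network 'guest'        # joins br-guest, i.e. the tagged VLAN
	option encryption 'psk2'
	option key 'CHANGE_ME'        # placeholder, set your own passphrase
	# Block guest-to-guest traffic between wireless clients on this SSID.
	option isolate '1'
```

With this layout the MR18 enforces nothing between guest and LAN beyond keeping the two bridges separate; the separation holds only if the RV180W refuses to route between the guest VLAN subnet and 192.168.0.0/24 and the switch port toward the AP accepts the tagged VLAN.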