[Solved] Help for creating Guest access with LUCI on Meraki MR18

So I must forward MerakiInvit to LAN?

On Meraki Software Cloud, I could create a Guest WiFi with DHCP with IP 10.0.0.1. It was very simple and it was not necessary to create a VLAN.

I thought the hardware was running LEDE, not Meraki...the Meraki software didn't allow the MR18 to operate as a router. This is why I said it's no longer an AP, it's a LEDE device.

  • Set up the port for LAN, assign an IP, Gateway IP and DNS server.
  • Delete WAN
  • Configure the SSID
  • Disable DHCP on the LEDE
  • Confirm that wlan0 is added to LAN

Done, with no VLAN needed! I'm not sure why you're finding difficulty.

I think you're forgetting that your device is no longer a Meraki.

If you do this with no VLAN then there is no isolation of guest from the LAN. You may as well just hand out the regular WiFi password, as all guests will have access to all machines on your LAN.

1 Like

Lleachii, dlakelan,

I have tested creating a VLAN with 192.168.2.1. But it was very complicated for me. I had problems with VPID and tagged or untagged ports. For me it's too hard to understand.

For the moment, I have one interface: LAN, and 2 WiFis: Main and Guest. But, as dlakelan says, I have no isolation.

But for my use, I think it is sufficient.

On the other hand, I will wait for a plug and play solution for my MR18 :wink:

You want tagged VLANs. If you just made a password-free guest SSID and bridged it to your LAN, you should understand that anyone driving by your house can now access absolutely everything in your house... Not usually considered ideal.

As for waiting for a plug and play solution: you will wait forever. The point and click interface in Cisco software works precisely because the Cisco router also controls everything the Cisco access points do. LEDE specifically is designed around autonomous configuration. There is no "back door" whereby an authorized "LEDE Controller" can come along and tell your Meraki running LEDE to set up a VLAN and a new SSID and new DHCP range and so forth. No doubt that is what Cisco's point and click interface does. Of course LEDE has a sufficient set of tools to create a custom solution for that sort of thing... but it is even more complicated than just setting up a VLAN and getting things working manually.

As I said before, there is no way to solve this problem by pure configuration of the LEDE access point. It needs to talk to a router that has a connection to the internet, and that router needs to understand the VLAN tags used by the LEDE device, with matching tags on both ends of the wire... Any other solution fails to have secure isolation between LAN and WAN. You can't isolate just the LEDE device... the router won't "hear" it. The router must also be a party to this network design.

What a VLAN does is it tags the packets and sorts them into two streams. This then logically works as if you had two wires between your Cisco router and your Meraki AP, one "virtual wire" is for your LAN and one "virtual wire" is for your guests. The way the system knows which packets are which is that the guest packets have a number, like say 10 "tagged" onto them. Then you'd have an interface like eth0.10 on the Meraki/LEDE box and this would be bridged to the guest SSID. Also on the cisco router box you'd have some kind of vlan eth0.10 equivalent, and every packet sent by the Meraki with the 10 tag would be received by the Cisco router on the eth0.10 (or whatever cisco calls it) interface instead of the eth0 interface... So all traffic along the guest "virtual wire" is isolated from traffic on the LAN "virtual wire"

A "port VLAN" is just basically telling the operating system that if a packet arrives on a certain port and has NO tag at all, tag it with the VLAN tag you assign to the port. This is only good if you have multi-port devices connected to switches or the like. What you want is a tagged VLAN on the Meraki and a corresponding tagged VLAN on the Cisco.

Another simple option:

  • make a completely new VLAN with IP, DHCP, etc. on the Cisco
  • add this VLAN to a port on the Cisco as an access port
  • this new VLAN and access port will be for your guest WiFi
  • follow my steps above on the LEDE; and
  • connect the MR18 to the Cisco

You now have isolation; and do not have to configure any VLANs on the LEDE.

But again, to make TWO ISOLATED SSIDs on the MR18 that can also use ports on the Cisco, you have to master VLANs and VLAN trunking. After which, you'll need to know how to assign VLANs and Interfaces in LEDE.

From the Wiki:

VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

In your case, you need VLANs because you want two or three networks with only one device, possessing only one physical port.

Meraki is "plug-and-play", they likely hid the configs and/or allowed you to route via the access port, then make 2 SSIDs, on 2 separate [V]LANs. You can also do this, but it requires configuration on the local LEDE device (mainly configuring access to the LuCI GUI from the WAN interface - ONLY DO THIS IF YOUR DEVICE IS NOT A PUBLIC BORDER ROUTER).

Thanks all for your help. OK, I will create a VLAN but .... If you help me :wink:

I make some picture to show you my router interface and my system :

Cisco_Router_VLAN

On picture 2, I must click on add row
VLAN ID : 2 (for example)
Description : Meraki
Inter VLAN Routing : ??
Device Management : ??
Port 1-2-3-4 : Tagged or untagged ?

On picture 3 :
VLAN ID : 2 (the same than picture 2)
IP Address : 10.0.0.254. Is this possible?
DHCP Mode : DHCP Server
DNS Proxy Status : ??

What do you think of that ?

Thx.

I'd say for picture 2, put VLAN ID 2 tagged on every port, no inter-VLAN routing; device management doesn't matter, I think that's for controlling more Cisco stuff.

Your ideas for picture 3 seem fine. This means the Cisco box will hand out DHCP, so you will disable DHCP on the LEDE guest interface.

I don't know what DNS proxy means to Cisco.

On the LEDE box you also configure VLAN 2 tagged on every port. Then make a guest interface, bridged between eth0.2 and your guest SSID, and turn off DHCP on that guest interface. Voila, it should work...

There's something missing...you added a switch...

Please provide the configuration of the Switch mentioned in Picture 1

I can't administrate my switch. My switch is the Cisco SG100D-08

OK...I think you're missing the point of VLANs...

If your switch is unmanaged...you cannot configure VLANs! How would you pass the VLAN from the Cisco to the MR18, if the device in the middle doesn't support it!?!?

You have to connect the MR18 directly to a port on a device that does VLAN trunking:

CISCO <> TRUNK/TAG VLANS 1 and 2 <> DIRECT CONNECTION TO LEDE TAGGED 1 and 2 <> VLAN1 regular Wifi VLAN2 Guest WiFi

Using an unmanaged switch adds unknown factors (i.e. the device could be corrupting/stripping VLAN tags, etc), and a lot more complexity.

1 Like

Arghhh !!! More complexity for me. Impossible to connect the MR18 to the Cisco router directly ;(

Maybe there is a way to isolate my guest WiFi on LEDE. Maybe with a configuration of the Firewall.

Just try it with the switch... I suspect it will pass the VLAN tags...

1 Like

OK but first, I will test the option 'isolate' '1' in the wireless file. Maybe it works. What do you think?

It's worth a try, but the OP will have to understand, they can't use the switch for normal connections (since all frames crossing the switch will have a VLAN tag).

Yes, this is all possible, but you have to learn how to place the SSIDs on separate VLANs...and you wouldn't have to make a special firewall configuration.

These VLANs only have to exist on the LEDE; but you would still need to setup the WAN on LEDE; and your WiFis would be isolated from your wired traffic on the Cisco:

  • Main network on Cisco (network1)
    • plug in LEDE configured for WAN
      • SSID1/network2
      • SSID2/network3

Caveat : network2 and network3 will only exist for WiFi devices, also, all WiFi users would appear to have a network1 IP, and can therefore reach devices in network1, from the Cisco's point-of-view. Making an Access/Firewall rule for the LEDE's WAN IP on the Cisco can solve that!

That has NOTHING to do with network isolation, it refers to isolating WiFi clients on the same SSID - from each other.

Some unmanaged switches might mangle things, but I suspect a Cisco switch will be capable of forwarding both tagged and untagged frames, just a guess, but a little googling suggests it's worth a try.

Worst case replace the switch with an 8 port managed one... $35 or so

1 Like

OK, option isolate '1' doesn't work. As you say, it is to isolate clients on the same SSID.

I will try VLAN on my Cisco router and test. I will tell you :wink:

Confirms that it's common for dumb switches to pass VLAN tags just fine.

1 Like
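The following is an added example, not code from this thread nor from LEDE or Cisco: a small Python model of the two "virtual wires" dlakelan describes earlier (VLAN 1 untagged for the LAN, VLAN 2 tagged for guests, with eth0.2 on the MR18 bridged to the guest SSID) and of the unmanaged-switch question raised above. The 0x8100 TPID and the TCI layout are the real 802.1Q header; the port/bridge model, the bridge names br-lan/br-guest and the MAC addresses are simplified assumptions for illustration. It shows where a guest frame lands on the Cisco when the switch forwards it untouched, and that a tag-stripping switch would silently drop guest traffic into the LAN VLAN instead of rejecting it.

```python
"""Added example: 802.1Q tagging between a Cisco trunk port and an MR18/LEDE
eth0, with an unmanaged switch in between. Port model and names are
simplified assumptions; the tag format is real 802.1Q."""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not real devices).
CLIENT_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; insert a 4-byte 802.1Q tag after the MACs when vid is given."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = (pcp << 13) | vid          # PCP(3 bits) | DEI(1, left 0) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]


def retag(frame, vid=None):
    """Rebuild the frame with the given tag (vid=None strips any existing tag)."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, vid=vid)


class Port:
    """One switch/router port: PVID for untagged ingress, plus tagged VLAN members."""

    def __init__(self, pvid, tagged=()):
        self.pvid = pvid
        self.tagged = set(tagged)

    def ingress(self, frame):
        """Classify an arriving frame: untagged -> PVID; tag not allowed here -> None (dropped)."""
        vid = parse_frame(frame)[2]
        if vid is None:
            return self.pvid
        return vid if vid in self.tagged else None

    def egress(self, vid, frame):
        """Put a frame of VLAN vid on the wire: PVID goes untagged, members tagged, else drop."""
        if vid == self.pvid:
            return retag(frame, None)
        if vid in self.tagged:
            return retag(frame, vid)
        return None


# Both ends of the wire must agree: VLAN 1 untagged, VLAN 2 tagged.
CISCO_LAN_PORT = Port(pvid=1, tagged={2})
MR18_ETH0 = Port(pvid=1, tagged={2})
LEDE_BRIDGE_FOR_VID = {1: "br-lan", 2: "br-guest"}   # eth0 -> br-lan, eth0.2 -> br-guest
VID_FOR_LEDE_BRIDGE = {v: k for k, v in LEDE_BRIDGE_FOR_VID.items()}


def dumb_switch(frame):
    """Typical unmanaged switch: forwards the tagged frame byte-for-byte."""
    return bytes(frame)


def tag_stripping_switch(frame):
    """The failure mode feared in the thread: a switch that discards the tag."""
    return retag(frame, None)


def wifi_to_cisco(bridge, payload, switch=dumb_switch):
    """A WiFi client's frame leaves via eth0; return the VLAN the Cisco files it under."""
    frame = build_frame(ROUTER_MAC, CLIENT_MAC, ETHERTYPE_IPV4, payload)
    on_wire = MR18_ETH0.egress(VID_FOR_LEDE_BRIDGE[bridge], frame)
    return CISCO_LAN_PORT.ingress(switch(on_wire))


def cisco_to_wifi(vid, payload, switch=dumb_switch):
    """A frame from the Cisco's VLAN vid; return the LEDE bridge (and so the SSID) it reaches."""
    frame = build_frame(CLIENT_MAC, ROUTER_MAC, ETHERTYPE_IPV4, payload)
    on_wire = CISCO_LAN_PORT.egress(vid, frame)
    if on_wire is None:
        return None
    return LEDE_BRIDGE_FOR_VID.get(MR18_ETH0.ingress(switch(on_wire)))


if __name__ == "__main__":
    pkt = b"constructed IPv4 payload"
    print("guest SSID -> Cisco VLAN:", wifi_to_cisco("br-guest", pkt))                        # 2
    print("main SSID  -> Cisco VLAN:", wifi_to_cisco("br-lan", pkt))                          # 1
    print("guest, tag stripped in transit:", wifi_to_cisco("br-guest", pkt, tag_stripping_switch))  # 1
    print("Cisco VLAN 2 -> LEDE bridge:", cisco_to_wifi(2, pkt))                              # br-guest
```

The third line of output is the point of the caveat above: with a switch that strips tags nothing fails loudly, the guest traffic simply arrives untagged and is classified into the PVID, i.e. the LAN. That is why a quick test from the guest SSID should confirm it cannot reach LAN hosts before the setup is trusted.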

And ..... It works !!!

I created a VLAN on my Cisco Router with 10.0.0.254 IP Address. I chose Static IP on the MR18 LEDE with 10.0.0.1 and set the Gateway to 10.0.0.254, and it's perfect.

Thanks to dlakelan and lleachii for all yours advice.

I hope this thread help another person :wink:

2 Likes