Tuesday, July 20, 2021

Guest Wi-Fi: Meraki NAT mode or pfSense VLAN?

I'm creating a separate guest network for clients to access Wi-Fi but am unsure of what would be the best approach to set this up. Guest clients obviously don't need any printer access, and it seems safer to ensure they are unable to communicate with each other, too. It seems Meraki NAT mode handles this. Per the dashboard:

Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other, but they may communicate with devices on the wired LAN if the SSID firewall settings permit.

However, I also appreciate the flexibility and power that pfSense gives me. Presently, we have separate VLANs for different networks. This is all configured on our pfSense firewall.

My question here is whether it makes more sense to configure NAT mode for the SSID within Meraki or whether I should create a separate VLAN in pfSense and configure the necessary rules here. I'm not entirely sure of the magic behind Meraki's NAT mode, but it seems that even though all clients are connected on the same LAN using the 10.0.0.0/8 DHCP scope, the WAP will actually be able to reject traffic designated for clients on that same network. This is pretty cool, and would make sense here since we theoretically wouldn't want clients on the guest network to communicate with one another. I'm not sure if something similar exists in pfSense.


