NAT Mode with Meraki DHCP
NAT mode with Meraki DHCP allows an MR access point to provide client addressing by running its own DHCP server to simplify management, allow guest access, and provide client isolation functionality.
Client Addressing in NAT mode with Meraki DHCP
The DHCP server run by the Cisco Meraki AP provides addresses in the 10.0.0.0/8 subnet (10.x.x.x). Outbound connections will be initiated with the LAN IP address of the AP using Network Address Translation. Wireless clients that connect to the network will be given the following configuration via Meraki DHCP:
- An IP address in the 10.0.0.0/8 range. The IP address is created by running the client’s MAC address through a hashing algorithm.
- A gateway address of 10.128.128.128
- A DNS address of 10.128.128.128
- A Lease Time of 24 hours
A wireless network using NAT Mode with Meraki DHCP can be seen below. When clients on the wireless network access resources upstream of the AP, their IP addresses will be translated to the IP address of the AP (192.168.1.1):
Client Isolation
NAT mode with Meraki DHCP isolates clients. Devices with a Meraki DHCP address will be able to access external and internal resources, such as the Internet and LAN (if firewall rules permit). However, connected clients will be unable to contact each other. The client isolation features of Meraki DHCP can be seen in the above figure. Client A and Client B can both access the Internet. When Client A wants to send traffic to Client B, the traffic will reach the AP. However, the AP will not forward this traffic to Client B. Therefore, the two clients are isolated from each other.
Since the client isolation function of NAT mode prevents wireless devices on the SSID from communicating with other wireless devices, NAT mode is not recommended for use with wireless peer-to-peer devices like a wireless printer or Google Chromecast.
Due to the implementation of client isolation, clients on a NAT mode SSID cannot talk to clients on a bridge-mode SSID when both clients are connected to the same AP.
Configuring NAT mode with Meraki DHCP
To configure NAT mode with Meraki DHCP on an SSID, follow the directions below:
- Navigate to Wireless > Configure > Access control
- Select the appropriate SSID from the SSID menu at the top of the page
- Under the Client IP and VLAN section, select Meraki AP assigned (NAT mode), as seen in the image below
- Click Save
Common Problems
There are a few common problems that can arise when deploying NAT mode with Meraki DHCP to provide client addressing. These problems are outlined in detail below:
- Roaming - NAT mode with Meraki DHCP will use the IP address of the AP as the public IP address for wireless clients. When a client roams between APs with Meraki DHCP, TCP connections will drop and have to be re-established. This can cause problems with some applications and devices.
- Bonjour and multicasting protocols - The client isolation features of Meraki DHCP will prevent wireless clients from communicating with each other. This will prevent Bonjour, layer 2 discovery protocols, and multicasting protocols from working. This can cause problems in networks that use Bonjour among wireless clients, or have IP phones or applications that require multicasting.
-
Group Policy “Security appliance only” settings - Client information (such as MAC address and IP address) is hidden from an upstream MX due to NAT being performed on a downstream MR. As a result, the MX won’t be able to enforce group policy settings specific to security appliances only for clients connected to an SSID using Meraki DHCP.
- Inbound client connections - NAT mode with Meraki DHCP prevents inbound connections to a wireless client. This can cause problems if a wireless client needs to be accessible from a different network. The image below illustrates this problem. A connection, such as a remote desktop session, from the wired client to wireless client A will fail. Other common examples include failed wireless LAN connections to Chromecast devices, AirPlay enabled devices, printers or projectors.
The issues described above can be resolved by using bridge mode for client addressing. Bridge mode simply passes traffic between the wireless client and wired distribution system. An upstream DHCP server will be required to handle client addressing.
Additional Resources
For additional information about NAT mode with Meraki DHCP and client addressing, please consult the following documentation: