https://community.cisco.com/t5/wireless/nat-mode/m-p/5506953#M303167 <P>How do we migrate wireless clients from Meraki DHCP(NAT Mode) to an internal DHCP server(Bridge Mode) seamlessly? Any Suggestions.</P> Wed, 08 Jun 2022 06:02:40 GMT SMANNE1 2022-06-08T06:02:40Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506941#M303155 <P>I have a simple question:</P><P>What VLAN does traffic from a SSID set to NAT mode traverse?</P> Wed, 15 Apr 2020 11:24:12 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506941#M303155 rbmclean 2020-04-15T11:24:12Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506942#M303156 <P class="_mce_tagged_br">The implications of enabling NAT mode are as follows:</P><UL><LI>Devices outside of the wireless network cannot initiate a connection to a wireless client.</LI><LI>Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.</LI><LI>Legacy VPN clients (i.e., those that do not support NAT Traversal) may not be able to establish IPSec tunnels over the wireless network. (One workaround is to upgrade the VPN client or configure the VPN client to establish an IPSec tunnel over TCP, e.g. SSL.) </LI><LI><A title="VLAN Tagging" href="https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging" target="_blank" rel="internal noopener nofollow noreferrer">VLAN Tagging</A> wireless traffic is not supported in NAT mode. </LI></UL><DIV class="note-warning style-wrap"><P>Please note that each AP will NAT to its own management IP address. As a result, LAN flows will be interrupted when the client roams between APs.</P></DIV><DIV class="note-info style-wrap"><P>The DHCP service for NAT mode will only hand out addresses in the 10.0.0.0/8 subnet. SSIDs in NAT mode can still be used on wired networks already using a 10.x.x.x address space, however clients on the NAT SSID may be unable to communicate with these networks.</P></DIV><DIV class="mt-section"><H3 id="toc-hId-1160724897">Use Cases</H3><P>NAT mode works well for providing a wireless guest network, since it puts clients on a private wireless network with automatic addressing. Layer 3 firewall rules can also be used to quickly limit or block access to network resources.</P></DIV> Wed, 15 Apr 2020 12:26:33 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506942#M303156 kYutobi 2020-04-15T12:26:33Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506943#M303157 <P>I saw that article, but it doesn't answer the question.</P><UL><LI><A title="VLAN Tagging" href="https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging" target="_blank" rel="internal noopener nofollow noreferrer">VLAN Tagging</A><SPAN> wireless traffic is not supported in NAT mode. </SPAN><UL><LI><SPAN>Does this mean is it untagged traffic?</SPAN></LI><LI>Does traffic traverse the native VLAN since it is "untagged?"</LI><LI>Or since it is NATing the management IP does it traverse the management VLAN?</LI></UL></LI></UL> Wed, 15 Apr 2020 12:42:41 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506943#M303157 rbmclean 2020-04-15T12:42:41Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506944#M303158 Since NAT is performed directly on the AP, traffic will traverse on the same VLAN as the AP has it's IP address.<BR /><BR />So if the AP has an IP address 192.168.5.0/24 on vlan 5, traffic traverses on vlan 5. Wed, 15 Apr 2020 12:59:18 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506944#M303158 Rasmus Hoffmann Birkelund 2020-04-15T12:59:18Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506945#M303159 Interesting, but doesn't this contradict the practice of completely segmenting management traffic from all user traffic? Wed, 15 Apr 2020 13:07:43 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506945#M303159 rbmclean 2020-04-15T13:07:43Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506946#M303160 <P>I suppose it is, but then again, I'd normally only use Meraki DHCP on deployments that quickly need guest WiFi, and only able to use single vlans.</P><P>Then again, all clients are isolated from eachother. No client can talk to eachother in NAT mode. Internet access only.</P> Wed, 15 Apr 2020 13:15:05 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506946#M303160 Rasmus Hoffmann Birkelund 2020-04-15T13:15:05Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506947#M303161 <P>I'm wondering which is more secure, NAT mode or Bridge mode with a L3 rule blocking access to the local LAN?</P> Wed, 15 Apr 2020 13:22:46 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506947#M303161 rbmclean 2020-04-15T13:22:46Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506948#M303162 <P><A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/40638">@rbmclean</A> NAT mode by default blocks access to the LAN unless you change L3 rules. Just letting you know. <SPAN class="lia-unicode-emoji" title=":smirking_face:"><span class="lia-unicode-emoji" title=":smirking_face:">😏</span></SPAN></P> Wed, 15 Apr 2020 13:27:00 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506948#M303162 kYutobi 2020-04-15T13:27:00Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506949#M303163 Plus, the first SSID on any network by default will block L3 Wireless &gt; LAN traffic, create a new network and you'll see it <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN> Wed, 15 Apr 2020 13:29:29 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506949#M303163 ConnorL1 2020-04-15T13:29:29Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506950#M303164 <P>Thanks for all the replies.</P><P>I think I am going to go back to a bridge mode guest network , if for nothing else than a more seamless roaming, but I do want my management traffic completely separate.</P><P>Perhaps if the alternate management IP feature comes out of beta, there will be a way to keep them separate.</P> Wed, 15 Apr 2020 13:36:24 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506950#M303164 rbmclean 2020-04-15T13:36:24Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506951#M303165 My home guest network is in bridge mode too, just on its own VLAN. This means guests that roam between APs keep the same IP address, unlike NAT mode. Was causing issues for iPhone VoWiFi for example Wed, 15 Apr 2020 13:39:53 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506951#M303165 ConnorL1 2020-04-15T13:39:53Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506952#M303166 If you only have a single AP, and want to make things 'easy' then NAT mode should be fine. Otherwise I never recommend it. Always use bridge-mode, gives you far more control over things in the future when you didn't know you would need to, and the roaming issue that NAT introduces is a true killer. Wed, 15 Apr 2020 16:11:12 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506952#M303166 Nolan H. 2020-04-15T16:11:12Z https://community.cisco.com/t5/wireless/nat-mode/m-p/5506953#M303167 <P>How do we migrate wireless clients from Meraki DHCP(NAT Mode) to an internal DHCP server(Bridge Mode) seamlessly? Any Suggestions.</P> Wed, 08 Jun 2022 06:02:40 GMT https://community.cisco.com/t5/wireless/nat-mode/m-p/5506953#M303167 SMANNE1 2022-06-08T06:02:40Z