Client isolation

Karl Jacobsen
Level 3

I have several networks set up as Meraki AP assigned (NAT mode). I absolutely love this feature. It lets me quickly deploy an Internet only network and everything is self contained in Meraki. I typically use this for visiting groups coming to our campus for short stays, kind of a quick, limited time, guest network. The only problem I run into is due to the client isolation feature, there's no way to print from this network. What are others doing to provide access to a wireless printer on a Meraki AP assigned network? Is there any way to allow sharing to one device as an exception or is there a cloud print service that would work?

8 Replies

Raphael_L
Meraki Community All-Star

If you use recent firmware you can whitelist the MAC of your printer.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

Ah, I've done this before but I thought it was only for traffic shaping rules and splash page override. Does it affect the client isolation rule?

Raphael_L
Meraki Community All-Star

You are confusing some other feature.

What I'm referring to is:

We have added the ability to allow specific MAC addresses to "break" the L2 isolation, up to 16 MAC addresses can be defined in this list.

In the case of a network where you want isolation, but have a common resource like a printer that needs to be available.

It took a little digging to find this but I found it. I have to enable bridge mode on the network. If I do, I can't use Meraki AP assigned (NAT mode) which relies on my DHCP servers and not on the Meraki equipment itself.

Raphael_L
Meraki Community All-Star

Bridge the SSID, tag the VLANs, and wherever those VLANs are configured just configure the relays to your DHCP servers.

Bridged mode. This is the way... When you are using Meraki DHCP/NAT mode, EACH AP is its own mini DHCP/PROXY island and EACH AP is doing its own thing; it's a security mechanism of sorts, but as you have discovered it has its limitations. It also causes issues with roaming and applications that require smooth roaming, like voice etc.

nicdc01
Level 2

With NAT mode you might struggle there. The AP runs the DHCP server so there is not really much you can do from this point as you can't route traffic in any way. One limitation there.

If you use WPN on the network you can achieve the same type of client isolation; however, this only works when using Identity PSK without RADIUS. Splash Access also has some solutions for this.
I managed to bypass this by segmenting the printer onto a different VLAN (if wired) and allowing in the 'User' SSID, Wireless > Access Control > External DHCP Server Assigned > Bonjour Forwarding to allow printer traffic.

This does mean you have to switch to bridged to break the limitation.

Brash
Meraki Community All-Star

As has been said above, Bridge mode is the only way to do it.

As much as Meraki NAT is great, as soon as you have any additional requirements it becomes a bit of a hassle.

I typically use bridge mode and configure L3 firewall rules on the SSID to block access to RFC 1918 IP addresses, allowing only the shared resource clients need to access (e.g. printer/print server) and internet locations.
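
Added example, not part of any post in this thread and not Meraki's own code: a small model of the rule set described in the last reply (allow the printer, block RFC 1918, allow the internet), assuming top-down first-match evaluation, plus a check that flags printer allows placed below a covering deny. The printer address, the two print ports and all function names are constructed for illustration.

```python
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
PRINTER = "10.20.30.40/32"      # constructed printer address
PRINT_PORTS = (631, 9100)       # assumed: IPP and raw port-9100 printing

def build_rules(printer=PRINTER, ports=PRINT_PORTS):
    """Printer allows first, then deny all private space, then allow the rest."""
    rules = [("allow", "tcp", printer, port) for port in ports]
    rules += [("deny", "any", net, "any") for net in RFC1918]
    rules.append(("allow", "any", "0.0.0.0/0", "any"))
    return rules

def _covers(rule, proto, port):
    """True if the rule's protocol and port fields match the given values."""
    return rule[1] in ("any", proto) and rule[3] in ("any", port)

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule matching the flow (top-down)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _covers(rule, proto, dst_port) and dst in ipaddress.ip_network(rule[2]):
            return rule[0]
    return "deny"  # nothing matched; unreachable with the final allow-any rule

def shadowed_allows(rules):
    """Find allow rules that can never match because an earlier deny covers them."""
    dead = []
    for i, rule in enumerate(rules):
        if rule[0] != "allow":
            continue
        net = ipaddress.ip_network(rule[2])
        for earlier in rules[:i]:
            if (earlier[0] == "deny" and _covers(earlier, rule[1], rule[3])
                    and net.subnet_of(ipaddress.ip_network(earlier[2]))):
                dead.append(rule)
                break
    return dead

if __name__ == "__main__":
    good = build_rules()
    for flow in [("tcp", "10.20.30.40", 9100), ("tcp", "10.20.30.41", 9100),
                 ("tcp", "10.20.30.40", 22), ("tcp", "192.168.1.10", 445),
                 ("tcp", "203.0.113.7", 443)]:
        print(flow, "->", evaluate(good, *flow))
    bad = good[2:5] + good[:2] + good[5:]   # denies moved above the printer allows
    print("shadowed:", shadowed_allows(bad))
```

Running `shadowed_allows` over an exported rule list before applying it catches the ordering mistake that would silently leave guests unable to print.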