In networking, I find myself looking at certain features of wireless equipment and asking myself under what circumstance would I implement this feature for a customer. I try to come up with a list of Pros and Cons as to when it’s appropriate. One that popped up recently was NAT Mode / Meraki DHCP.
The features works like this: The Cisco Meraki AP functions like a router and creates a class A network (10.0.0.0/8) then takes each client for this SSID and hashes them into an address on this subnet and assigns them the address via DHCP. Then it takes these addresses and NATs them out to the Management IP of the AP. This enables the Meraki AP to do some things that it normally cannot do.
One of the features that is only available in this mode is basic adult content filtering which can be great for a public hotspot. It also allows for client isolation between clients on the same subnet, and by default does not allow clients access to the local LAN. Finally, it allows for the use of a wireless network where you don’t have VLAN capable switching and need to provide a segmented wireless network for something like guest wifi.
The idea behind the hashing is that if the client roams to another AP, it will hash the same and receive the same address. And from a basic Layer 3 connectivity perspective, this works. Clients roam between APs and they maintain the same IP Address. However, there is a serious downside associated to NAT Mode. If you guessed NAT, you win.
For those that know me, I’m no fan of NAT. It has it’s place, but keep it out of my WLAN. The reason that NAT mode is so detrimental is that is it breaks TCP sessions. When roaming from AP to AP, the NAT’d IP Address changes with each AP that you roam to.
Let’s exam what this looks like. Let’s take AP 1 with IP Address 192.168.0.101 and AP 2 with IP Address of 192.168.0.102.
From the clients perspective, it’s session to the web server hosting the file looks like 10.2.47.3:2222 > 184.108.40.206:443. Once this packet undergoes NAT, the packet that leaves the AP looks like 192.168.0.101:33333 > 220.127.116.11:443. The response traffic from the webserver looks like a mirror image of this: 18.104.22.168:443 > 192.168.0.101:3333. This download runs for a few seconds and the client roams to the AP 2. The clients IP stays the same, but the download times out?
The webserver is still sending packets destined to 192.168.0.101:33333, but this address resides on AP1 and the client is no longer there. The client just suddenly stop receiving packets from the webserver and the TCP session eventually tears down. If a new session is built, it will be from 192.168.0.102:44444, instead of 192.168.0.101:3333. While we didn’t have to do a complete IP Address change, we effectively broke all TCP sessions for the client. What advantage did you save over a hard roam and a new IP Address?
To Illustrate this, I setup 2 APs with an SSID with NAT Mode and opened a telnet session and ping going to a couple of devices. You can see that the ping recovers quickly, the next ICMP packet is sourced from the new address, while the telnet session just dies because it the client is no longer at that address/port.
So where should you use NAT Mode/Meraki DHCP?
It’s my opinion that NAT Mode should be used in very few locations.
Single AP deployments: Coffee Shop, Small Retail locations where you can’t roaNatm.
Multi-AP deployments: Places with low roaming, no roaming, fragmented SSIDs or user experience is not critical, network infrastructure doesn’t support multiple VLANs. I don’t suggest doing any of these.
Guest Access: Little to no roaming, or you don’t care that they have an impactful roam, places where you need adult content filters and the AP is the only possibility. Even the description of this feature screams “Guest” at me.
Where should you not use NAT Mode?
Any environment where you have roaming, latency sensitive applications, long running TCP sessions or VOIP and expect a good user experience.
Now to be frank, i don’t think you should design to use NAT Mode. It’s my hope that you have some sort of VLAN capable switch backing up your AP and that you can isolate networks at the Layer 3 boundary without relying on the AP to do NAT. Use Bridge Mode with VLAN segmentation on the network, or tunnel the data to a concentrator. Adult content filtering can be done cost effectively on a small firewall like a Meraki MX appliance.
Updated: In case you want to read more about these issues directly from the source, feel free to check out some of these links about NAT mode from Meraki.