Diagnose and fix common network problems
Paste your config and get instant analysis
Device gets DHCP but can't reach the web
Isolation rules not working as expected
External traffic not reaching internal server
New device stuck in pending state
Chromecast, AirPlay, Sonos not discovering
Created a rule but traffic still flows
Tagged, untagged, native, trunk... help!
Settings → Networks → [Your VLAN] → DHCP should be "DHCP Server"
The gateway should be the UniFi router's IP on that VLAN (usually .1)
Settings → Routing → Make sure no rules block this VLAN from WAN
Settings → Firewall & Security → Rules → Look for any "Drop" rules affecting this VLAN to WAN
Security & SD-WAN → Addressing & VLANs → Verify VLAN has correct subnet and DHCP range
Security & SD-WAN → SD-WAN & traffic shaping → Verify no rules blocking outbound
Security & SD-WAN → Firewall → Look for deny rules affecting the VLAN subnet
Security & SD-WAN → Appliance status → Check WAN uplink is healthy
Use the built-in packet capture tool at Network-wide → Packet capture to trace traffic flow.
If using a separate router, ensure the L3 switch has a route to the default gateway.
Create firewall rules to block inter-VLAN traffic:
Action: Drop | Source: [Guest VLAN] | Destination: All Private IPs (RFC1918)
Rule order matters! Drag block rule above any allow rules.
In Settings → Networks, enable "Isolate Network" for true client isolation.
Policy: Deny | Protocol: Any | Source: [VLAN subnet] | Destination: Local LAN
Network-wide → Group policies → Create policy with firewall rules
For wireless clients: Wireless → Access control → Client isolation will block client-to-client traffic on the same SSID.
Use ACLs on the SVI to control inter-VLAN traffic:
For complete isolation, consider using Private VLANs (PVLAN) with isolated/community ports.
Name it, set external port, internal IP, and internal port
Port forwards auto-create rules, but verify no conflicting DROP rules exist above it
Test from outside your network (mobile hotspot, or use online port checker)
Double NAT! If your UniFi is behind another router, forward ports on BOTH devices.
Set public port, LAN IP, local port, and allowed remote IPs (or "any")
Security & SD-WAN → Firewall → 1:1 NAT for full IP mapping
If using dual WAN, specify which uplink the port forward applies to.
Configure static NAT for port forwarding:
Verify NAT translations:
Hold reset button 10+ seconds until LED flashes
Device must be on same VLAN as controller, or have L3 adoption configured
UDP 10001 must not be blocked between device and controller
Organization → Inventory → Claim device (enter serial number)
Select device → Assign to network
Device needs HTTPS (443) outbound to Meraki cloud. Check firewall.
Device needs IP, gateway, and DNS to reach cloud
Connect to device directly and visit its local IP to see connectivity status.
For traditional CLI management:
For cloud-managed Catalyst, device needs HTTPS access to DNA Center and proper DHCP option 43 for PnP.
UniFi has a built-in mDNS reflector. No firewall rules needed.
Enable it and select which networks should share mDNS discovery.
Toggle on Bonjour forwarding
Specify which services (AirPlay, Chromecast, etc.) to forward between which VLANs
Configure mDNS gateway for cross-VLAN discovery:
Rules process top to bottom. First match wins. Move your rule up.
LAN In = traffic entering from LAN. LAN Out = traffic leaving to LAN. WAN In = from internet.
Default allow rule for established connections may be permitting return traffic.
Settings → Traffic & Security → Traffic Identification to see what's flowing
Rules are numbered and processed in order. Rules higher in the list take precedence.
Network-wide → Event log → Filter by "Firewall" to see blocked/allowed traffic
L3 firewall = routed traffic. L7 firewall = application-level. Group policies = per-client.
ACLs have implicit "deny any" at the end. Make sure you have a permit statement for traffic you want to allow.
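The first-match behaviour described above explains most "created a rule but traffic still flows" cases: a broader rule earlier in the list matches first. The following is an added example, not code from this page or from any vendor. It models top-to-bottom evaluation and flags rules that can never take effect. The rule names, the guest subnet 192.168.30.0/24, and the address-only rule model are assumptions; real devices also match on protocol, port, and interface, and the implicit default differs per platform.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "drop"
    src: tuple    # CIDR strings
    dst: tuple    # CIDR strings

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _covers(outer, inner):
    """True if every network in inner sits inside a single network in outer."""
    return all(any(i.subnet_of(o) for o in _nets(outer)) for i in _nets(inner))

def evaluate(rules, src_ip, dst_ip, default="drop"):
    """Walk the list top to bottom; the first matching rule decides."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(s in n for n in _nets(r.src)) and any(d in n for n in _nets(r.dst)):
            return r.name, r.action
    return "implicit-default", default  # e.g. the implicit deny at the end of an ACL

def shadowed(rules):
    """Return (later, earlier) pairs where an earlier rule with a different
    action matches everything the later rule matches, so the later rule is dead."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)):
                out.append((later.name, earlier.name))
                break
    return out

# Constructed sample rules (hypothetical names and subnets).
ALLOW = Rule("allow-lan-any", "allow", ("192.168.0.0/16",), ("0.0.0.0/0",))
BLOCK = Rule("block-guest-to-private", "drop", ("192.168.30.0/24",), RFC1918)
BROKEN = [ALLOW, BLOCK]   # block rule sits below the broad allow
FIXED = [BLOCK, ALLOW]    # block rule moved above it

if __name__ == "__main__":
    print("broken:", evaluate(BROKEN, "192.168.30.50", "192.168.1.10"), shadowed(BROKEN))
    print("fixed: ", evaluate(FIXED, "192.168.30.50", "192.168.1.10"), shadowed(FIXED))
```

With the block rule moved up, guest-to-private traffic is dropped while guest-to-internet traffic still reaches the allow rule.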
Native VLAN = your VLAN, Tagged VLANs = none. For PCs, printers.
Native VLAN = management, Tagged VLANs = all needed VLANs. For APs, downstream switches.
Devices → [Switch] → Ports → Select port → Apply profile
Type: Access, VLAN: [your VLAN]. Simple single-VLAN connection.
Type: Trunk, Allowed VLANs: all or specific list, Native VLAN: management
For phones: Set Type: Access, VLAN: data, Voice VLAN: voice. Meraki handles tagging.
Access Port:
Trunk Port:
Voice + Data:
Export from: Settings → Firewall & Security → Export (or copy from API)
Export from: Security & SD-WAN → Firewall → Download template (CSV)
Get from: show running-config | section access-list