You need to plug the airport extreme into the cable modem directly (as
this seems to be set up), but then plug the meraki into the LAN side of
the airport.
There's no problem with using a switch between the airport and the cable
modem, it's just plugging other things into that switch that's not very
useful.
donald
You cannot plug both the Meraki and the AEBS into the cable modem. If
your AEBS only has one ethernet port, marked "WAN", then ... er, things
get interesting. If it has "LAN" ports, plug the meraki into one of them.
You or the TCL installer will have configured the AEBS with the static
IP TCL gave you, which is why it works despite TCL's cable network not
providing DHCP.
The DHCP feature of the cable modem is pretty much useless, ignore it :-)
donald
Then you're going to need a router to plug both the Meraki and the AEBS into...
In fact it should be possible to ssh into the meraki and add an extra
iptables rule to run on startup and make the meraki unable to talk to
the hosts on your LAN other than the router, but there's no guarantee
that'll keep working when the meraki upgrades itself.
The problem is that you want a fairly complex firewall setup, but are
using consumer equipment that doesn't support what you want without some
hacking.
donald
But for those not sufficiently skilled in the art, is is cheaper to
pay someone to hack it up for them, or to plonk down $45 on something
like this (assuming it will do it .. it does say DMZ in the blurb):
"DMZ" for most home-small-office routers usually means "redirect all
ports to this IP", which is not what Oliver wants in this case at all.
Yes, calling that feature "DMZ" is just plain wrong, but people seem to
do in anyway.
A reasonable number of community wifi projects seem capable of
attracting people who are sufficiently skilled in the art and happy to
do that sort of thing for free (well, the feature adding to open source
firmware in their copious free time, anyway). Without that, you're just
a bunch of guys hoping that meraki won't have some other drastic
sea-change in their business model that's incompatible with your {
goals, funding model, etc }.
But then I guess if meraki does actually support a protect-your-LAN
feature then there's no problem, this time.
donald
It's a setting in the Meraki control panel. See the bottom one here: