MX100 to Z3 site-to-site VPN configuration

Afternoon, all!

I came on here a few months ago asking some broad-strokes questions about the MX/Z3 appliances and got some great answers, so I’m back for more!

We ended up purchasing an MX100 to act as a VPN concentrator for remote sites and teleworkers. This device has been placed at our main site, behind our other primary firewalls. We also purchased some Z3 devices to distribute to teleworkers. What I’d like to get set up is a split tunnel, with support for a Cisco 8941 or similar phone and a computer on the Z3 side, tunneling back to our primary network. Teleworkers will need access to some 20-30 on-site VLANs.

I’ve gone through some basic configuration and done plenty of reading on here and on Meraki’s configuration articles (which are admittedly not super clear), and I’m a bit lost.

Currently, I have the MX100 configured in “VPN concentrator” deployment mode. In the site-to-site VPN settings, it’s configured as a “Hub”, and I’ve got the VLANs I’d like to access through the VPN entered in. BGP and OSPF are disabled. I have the Z3 configured in “Routed” deployment mode, with two VLANs configured for data and voice. In site-to-site VPN settings, it’s configured as a “Spoke”, with the local networks set up to participate in the VPN. The MX100 hub device is not configured as the default route. The two appliances are talking and registered to each other, NAT type is friendly, and there are no encryption issues based on the VPN status of both devices - everything appears to be working from a hardware perspective.

So the MX device that I added to our network is basically just going to function as a VPN concentrator for remote sites and teleworkers - static routing is being handled by the MS switches we have in place (this can be changed if absolutely necessary) and we have dedicated firewalls to handle security.

Is what I’m looking to accomplish here possible, and what am I missing in getting it working?

Sorry if I’ve read it wrong, but the end goal is a split tunnel? That’s what you’ve got right now, no? As you’re not receiving a default route from your hub, all internet-bound traffic will break out locally, whilst the specific routes advertised from the hub (your MX100) are being distributed to the spokes, so internal traffic takes the tunnels.
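As an added example (not code from the thread or from Meraki), the script below models the forwarding decision the reply above describes: a spoke in a split-tunnel AutoVPN does a longest-prefix match across its own VLANs and the prefixes the hub exports, and anything that matches neither breaks out of the spoke's WAN unless the hub is ticked as the default route. All prefixes and addresses are constructed sample values, not the poster's real addressing.

```powershell
# Added example, not code from the thread. Models a Meraki spoke's split-tunnel
# route decision. Every prefix/address below is a constructed sample value.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixLength {
    param([Parameter(Mandatory)][string]$Prefix)
    return [int]$Prefix.Split('/')[1]
}

function Test-PrefixMatch {
    param([Parameter(Mandatory)][string]$Address,
          [Parameter(Mandatory)][string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $length = [int]$length
    # Mask with the top $length bits set; computed arithmetically so it behaves
    # the same on Windows PowerShell 5.1 and PowerShell 7.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    $a = ConvertTo-UInt32Address $Address
    $n = ConvertTo-UInt32Address $network
    return (($a -band $mask) -eq ($n -band $mask))
}

function Resolve-SpokeNextHop {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string[]]$LocalSubnets = @(),     # VLANs configured on the spoke (Z3) itself
        [string[]]$HubSubnets   = @(),     # prefixes the hub (MX100) exports into AutoVPN
        [switch]$HubIsDefaultRoute          # the "Default route" tick box on the spoke
    )
    $bestLength = -1
    $decision   = 'local WAN breakout (not tunnelled)'

    # Longest prefix match: a more specific local VLAN beats a broader hub prefix and vice versa.
    foreach ($p in $LocalSubnets) {
        if ((Test-PrefixMatch $Destination $p) -and ((Get-PrefixLength $p) -gt $bestLength)) {
            $bestLength = Get-PrefixLength $p
            $decision   = "spoke LAN ($p)"
        }
    }
    foreach ($p in $HubSubnets) {
        if ((Test-PrefixMatch $Destination $p) -and ((Get-PrefixLength $p) -gt $bestLength)) {
            $bestLength = Get-PrefixLength $p
            $decision   = "AutoVPN tunnel to hub ($p)"
        }
    }
    # Nothing matched: only a hub marked as default route pulls this into the tunnel.
    if ($bestLength -lt 0 -and $HubIsDefaultRoute) {
        $decision = 'AutoVPN tunnel to hub (default route)'
    }
    return $decision
}

# Constructed sample: hub exports two on-site ranges, spoke has data and voice VLANs.
$hub   = @('10.10.0.0/16', '10.20.0.0/16')
$spoke = @('10.250.1.0/24', '10.250.2.0/24')

Resolve-SpokeNextHop -Destination '10.10.5.20'   -LocalSubnets $spoke -HubSubnets $hub   # tunnel
Resolve-SpokeNextHop -Destination '10.250.2.15'  -LocalSubnets $spoke -HubSubnets $hub   # spoke LAN
Resolve-SpokeNextHop -Destination '8.8.8.8'      -LocalSubnets $spoke -HubSubnets $hub   # WAN breakout
Resolve-SpokeNextHop -Destination '192.168.1.50' -LocalSubnets $spoke -HubSubnets $hub   # WAN breakout

# Same home-LAN address once the hub is ticked as default route: it is tunnelled instead.
Resolve-SpokeNextHop -Destination '192.168.1.50' -LocalSubnets $spoke -HubSubnets $hub -HubIsDefaultRoute
```

The last two calls are the interesting ones for this thread: a teleworker's home device (here a constructed 192.168.1.50) is neither a spoke VLAN nor a hub-exported prefix, so without the default-route tick the spoke sends it out of its WAN port toward the home router rather than through the tunnel; whether that packet is then passed, NATed or dropped is decided on the WAN side, not by the VPN.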

What’s your upstream router of the MX100? Did you place a route on the upstream router pointing to the subnets behind the AutoVPN on the MX100? I had this running (just with 8811 phones) for a long time; it worked very well.

That’s correct. I’ve made some progress by adding a static route at our core to route the remote subnet to the MX100, but it still doesn’t appear to be functioning as a split tunnel. “Some” progress is underselling it - nothing was working at all before - but it’s still not quite right.

For example, the teleworker isn’t able to hit their local printer on their personal network (192.168.1.1/24) when connected to the Z3, but they can hit the VLANs passed through the VPN from the MX100.

We’ve got MS switches in our core that are handling routing, and yes, I added a route for the subnets behind the Z3, pointing to the MX100. That was the missing piece in getting traffic flowing across - the phone is registered now and the client laptop is able to access the networks specified on the MX100.

Now the issue is getting them set up so that they can still access their local network devices, such as their printer.

There can be two reasons. First, on the VPN end device, are you telling the clients to use it as a default route? Second, what OS are they running on the PC? If it’s Windows 10 then you need to enable split tunnelling.

Set-VpnConnection -Name "VPN1" -SplitTunneling $True

Then add a specific route for the destination network on the other side of the VPN.

Add-VpnConnectionRoute -ConnectionName "VPN1" -DestinationPrefix "10.0.0.0/8"

All traffic to 192.168.1.0/24 will then be deemed local and not route over the tunnel.
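As an added example (not code from the thread), here are the two Windows client steps above carried through in one script that can be re-run safely, followed by a check of which route Windows actually selects for an on-site address and for a home-LAN address. It assumes a VPN profile named "VPN1" already exists (created with New-VpnConnection) and uses constructed sample prefixes.

```powershell
# Added example, not code from the thread. Assumes a Windows VPN client profile
# named "VPN1" already exists; prefixes and probe addresses are constructed samples.

$ConnectionName = 'VPN1'
$TunnelPrefixes = @('10.0.0.0/8', '172.16.0.0/12')   # constructed: on-site VLAN ranges to tunnel
$ProbeAddresses = @('10.0.0.10', '192.168.1.50')     # constructed: an on-site host and the home printer

# 1. Split tunnelling: only prefixes with explicit VPN routes use the tunnel interface.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. Add each route once; re-adding an existing prefix throws, so check first.
$existing = @(Get-VpnConnectionRoute -ConnectionName $ConnectionName -ErrorAction SilentlyContinue |
              ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $TunnelPrefixes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# 3. Confirm the profile state and the routes bound to it.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling, ConnectionStatus
Get-VpnConnectionRoute -ConnectionName $ConnectionName | Select-Object DestinationPrefix, RouteMetric

# 4. While the VPN is connected, ask the stack which route each probe address would take.
#    The home-LAN address should resolve to the physical adapter, not the VPN interface.
foreach ($ip in $ProbeAddresses) {
    Find-NetRoute -RemoteIPAddress $ip |
        Where-Object { $_.DestinationPrefix } |
        Select-Object @{ n = 'Destination'; e = { $ip } }, DestinationPrefix, InterfaceAlias
}
```

Step 4 is the useful diagnostic: if the home printer's address comes back with the VPN interface alias, a tunnel route still covers it and the split is not doing what you expect; if it comes back on the Wi-Fi or Ethernet adapter, the client is routing it locally and the problem lies elsewhere.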

But you did not tick the default route in the VPN settings on the Z3? The clients’ “old” networks are not within a route of the upstream MX100? I did a test here; it’s like the MX/Z3 is blocking access to RFC1918 addresses on the WAN interface. I bet that’s a security feature you need to have turned off by support.

So this isn’t something that can be controlled at the appliance level?

Right now, I only have two VLANs built out on the Z3: one for voice, and one for data. Their laptop is assigned to a port tagged with the data VLAN. In site-to-site VPN settings, the “Default route” box for the Hub is not ticked. The Z3 is connected to their wireless router’s onboard switch, and their private network is 192.168.1.1/24.

I figured there’d be a way to tell the Z3 that traffic destined for 192.168.1.1/24 should be directed to the local gateway (192.168.1.1) rather than through the tunnel, but I believe what you’re saying is that I need to create a VPN tunnel on the client device to achieve this, which is surprising to me.

I did not tick “Default route”, no.

What’s weird is they can ping the private gateway (192.168.1.1) but not any devices on that network.

Hi, apologies, I missed the part where you said you are using the Z3 on the client side to create the tunnel… I don’t know the Z3 devices, but we use a similar setup using an MX250 in the data centre with pfSense appliances at the client edge (home offices); then we just create a non-Meraki site-to-site VPN. The pfSense box routes local to local, and anything destined for the tunnel is shipped off to the MX250 in the DC. If they can’t hit their local devices then you need to look at routing on the Z3 devices.