Site-to-Site VPN Setup
I have an MX64 and a Z3 Teleworker.
My network is configured as a Windows 2016 server that handles DHCP Server and Active Directory. On my network I have another server that runs our ERP software, which communicates on Port 9540.
The workstations on the network have the ERP desktop client, which points to the server by WINS name \\ERP01 and port 9540.
This works fine internally on ethernet or wifi when on HQ site where MX64 is setup.
My setup is like so:
The MX64 does not hand out any IP Addresses, it is in Passthrough Mode, since my Win2016 Server Domain Controller (192.168.0.254) handles DHCP and Users in Active Directory.
But the Z3 does have DHCP enabled, and hands out 192.168.128.0/24 addresses.
At this time, I have successfully set up the MX64 to connect and work with Client VPN, where it authenticates with my LDAP. The local DHCP is 192.168.0.0/24 and my Client VPN is 192.168.1.0/24 subnet. It works; the client VPN allows users to connect because I have the WINS server set up in the settings (VPN IPv4 and NetBIOS enabled settings) to point to 192.168.0.254 (my domain controller). So my ERP client software does indeed connect using UNC \\ERP01 and port 9540.
What I want to do is setup Site-to-Site VPN with the Teleworker Z3 device. But I run into issues that stop it from working altogether, and I don't understand what is preventing traffic from passing correctly.
I have reached out to Meraki support but they were not very helpful. They suggested that I use NAT mode, which I tried. That connected the two devices over VPN, but then both the MX64 and Z3 stopped passing all traffic. So that took down the internet completely at both sites. So then I tried the Passthrough setup, which says I have to set up a subnet for the VPN. I set that one as 192.168.2.0/24 and it connected, but it would not allow the Z3 to map to any resources on the MX64 side. I could not find any documentation on the way I need to set up the Z3 or MX64 that will translate any traffic from the workstation to the HQ network to allow a computer to do network authentication or file sharing.
I have made sure there are no firewall settings that block file sharing or networking ports on either device.
I am unsure if I should be setting any additional settings on the workstation to search for a WINS server through the VPN connection, like 192.168.0.254 (my domain controller). I am also unsure how to do bridging, if necessary, to handle the site-to-site VPN. It's mentioned in a couple of articles on the Meraki KB, but it's not an option in my dashboard. I have tried this in modes where the MX64 is HUB, and the Z3 is HUB or Spoke. Preferably the Z3 should be SPOKE, but both setups have always led to the same issue: cannot ping 192.168.0.254, but the VPN is connected. The workstation on the Z3 side is part of the MX64 (HQ) domain. It is authenticated, and connects fine using the Meraki Client VPN. It's only the Site-to-Site VPN that does not work. The idea of this setup is to give the Z3 to a traveling user who will connect to hotel internet, use a cellular hotspot USB, and connect at home - allowing them to securely connect and use the ERP software, which requires PCI-DSS compliance.
Here are the articles I have read and tried:
https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Resolving_NAT_Mode_and_Site-to-si...
I'm hoping someone else has a setup similar to mine, or can point me to a correct guide that sets this up right. All the videos I've seen on YouTube are demonstrations of the old Dashboard. They show how to get the VPN connected, but never how to test and make sure traffic passes over it. Your help is greatly appreciated in advance.
EDIT: SOLVED - Look at my last post to see the screenshots of my final setup that got this working.
First, can the Z3 site ping your AD controller by IP address?
Assuming that is the case, configure the DHCP on the Z3 to give out the DNS server IP address of your AD controller. Then you'll be able to access resources by name again.
That's a question I can't answer because I don't know how that is done.
What I can say is I am not doing load balancing, and I'm not making specific subnets to handle certain traffic. That is as much as I know.
So I assume I'm doing full tunneling...?
For example, on our MX84, which is the HUB of the VPN tunnels, its range is set to take xxx.xxx.0.0/16 over a static route to the gateway. We have 20 remote locations; the subnets are all /24 and joined into the VPN as spokes.
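The two pieces of advice above (PhilipDAth's: have the Z3's DHCP hand out the hub-side AD/DNS server; the MX84 post: one hub summary route that every spoke /24 falls inside) can be checked against a subnet plan before anyone touches the dashboard. The following is an added example, not code from the thread or from Meraki: it models the original poster's subnets and flags overlapping ranges, a spoke DNS server that is not reachable over the tunnel, and spoke subnets that a hub summary route does not cover. Which subnets participate in the site-to-site VPN, and the 10.200.0.0/16 hub plan standing in for the xxx.xxx.0.0/16 in the post, are assumptions.

```python
"""Pre-flight checks for the subnet plan behind a hub-and-spoke VPN.

Added example (not from the thread, not Meraki's own code). It models the
original poster's subnets and encodes the two pieces of advice given above:
the spoke's DHCP must advertise a DNS server reachable over the tunnel, and a
hub summary route must actually contain every spoke /24.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Subnets as described in the original post.
SUBNETS: Dict[str, str] = {
    "hq_lan": "192.168.0.0/24",       # behind the MX64; DC/DNS/DHCP at .254
    "client_vpn": "192.168.1.0/24",   # MX64 client VPN pool
    "s2s_vpn": "192.168.2.0/24",      # subnet the MX64 needed in passthrough mode
    "z3_lan": "192.168.128.0/24",     # handed out by the Z3's DHCP
}

# Assumption: which subnets are advertised into the site-to-site VPN.
# The client VPN pool is deliberately left out, as it is not a site.
S2S_PARTICIPANTS = {"hq_lan", "s2s_vpn", "z3_lan"}


def find_overlaps(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named subnets whose address ranges overlap.

    Overlapping subnets on the two sides of a tunnel cannot both be routed,
    so any hit here has to be fixed before looking at DNS or firewall rules.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def dns_reachable_from_spoke(dns_server: str, spoke: str,
                             subnets: Dict[str, str],
                             participants: Iterable[str]) -> bool:
    """True if the DNS server the spoke's DHCP hands out is on the spoke's
    own LAN or inside a subnet that participates in the VPN.

    This is the failure mode in the thread: the tunnel was up and the hub
    could be reached by IP, but \\ERP01 did not resolve because the Z3
    clients were not pointed at the hub-side DNS server.
    """
    ip = ipaddress.ip_address(dns_server)
    participants = set(participants)
    for name, cidr in subnets.items():
        if ip in ipaddress.ip_network(cidr):
            return name == spoke or name in participants
    # Not in the site plan at all: such a server cannot resolve internal
    # names like \\ERP01, so flag it.
    return False


def uncovered_spokes(summary: str, spokes: Iterable[str]) -> List[str]:
    """Return the spoke subnets that a hub summary route does not contain.

    The hub in the later post advertises one /16 and expects every remote /24
    to fall inside it; a spoke outside that summary needs its own route.
    """
    summary_net = ipaddress.ip_network(summary)
    return [s for s in spokes
            if not ipaddress.ip_network(s).subnet_of(summary_net)]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SUBNETS))
    print("DC usable as DNS from the Z3 LAN:",
          dns_reachable_from_spoke("192.168.0.254", "z3_lan",
                                   SUBNETS, S2S_PARTICIPANTS))
    # Constructed hub/spoke plan standing in for the xxx.xxx.0.0/16 in the post.
    print("spokes outside the summary route:",
          uncovered_spokes("10.200.0.0/16",
                           ["10.200.1.0/24", "10.200.7.0/24", "10.201.3.0/24"]))
```

Run it as-is to see the poster's plan pass all three checks; swap the DNS address for one in the client VPN pool, or for a public resolver, and `dns_reachable_from_spoke` returns `False`, which is the symptom the thread describes (tunnel up, IP reachable, names not resolving).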
PhilipDAth,
I feel silly now that I didn't do this. That was literally the last step I needed to set this up. Putting the 192.168.0.254 (my Domain Controller/DNS/DHCP Server) in the Z3 Name Servers field under DHCP settings fixed the problem! Thank you!
For anyone else wondering what the final setup was, here are screenshots. Hope this helps others who are scratching their heads like I was.