Layer 2 (bridge) remote needs for WFH or other applications

Layer 2 (bridge) remote needs for WFH or other applications

I have been using the MR30H in a somewhat unique configuration for a while and thought I'd share the application to see if others have similar needs.  Most of you probably know the MR access points have a feature called Teleworker VPN that allows you to create a dynamic VPN tunnel to an MX and "bridge" that network remotely.  This is a cool feature and works great for wireless devices.  Unfortunately, not everything we use is wireless (I do believe it may be possible to use a MR in mesh mode and reuse a single ethernet port on it for this purpose but I've not tried that). 

If you need a solution for wired with more than 1 port (like I did/do) you might want to read the rest of this post.

 

My first application for this solution (wired / bridged Teleworker VPN) was a mobile food truck that we needed a cash register connected to a physical restaurant POS server but the register had to be on the same subnet as the POS server.  Even though the MR30H is an AP it also have 4 integrated switch ports.  You can assigned each of those to a VLAN and link that VLAN to an SSID (even if you aren't using WiFi at all - which in my case I'm not).  You can then use the MR configuration to create a Teleworker VPN tunnel to an MX at the site in question and tunnel that VLAN to the physical site.  In my design I'm doing this with 3 different VLANs (register, guest wifi and security camera).  This works from DHCP/BootP/, to ARP and right up the OSI model.  This was a requirement for our vendors application as well as a bonus to have a single MX firewall ruleset to manage and content filters to monitor.  Plus an MR30H is less expensive than an MX64 and it, unfortunately, cannot do L2 VPN.  Lastly, we paired this with a Cradlepoint device with dual, auto switching carriers to provide connectivity from all over Maui. Hi. area.

 

With COVID stay at home restrictions we had to move some or our retail lab out to employees homes.  Once again we had another scenario where for test applications and firewall rules (source IPs, L2 adjacency requirements, etc) this solution was our best option.

The only caveat to this design is you MUST have an MX in the VLAN you want to extend the L2 connectivity to.  

 

I wish Meraki would add this L2 functionality to MX devices too (future?)

Comments
PhilipDAth
Kind of a big deal

Wow, that is very creative and very usefull!

chiprs
Here to help

Nicely done!!!, Very creative

redsector
Head in the Cloud

This is what I was looking for!

Thank you👍