Port communication between VLANs

SOLVED
NickKova
Here to help


Hi guys, 


I am first time posting, since I have an odd issue, so I would like it if someone could please help. I would really appreciate it, as I am out of solutions. Have Meraki MX appliance and 2 VLANs, first: 172.16.16.0/24 and second: 10.0.0.0/24. Have camera surveillance server Exacqvision, in second VLAN, with IP 10.0.0.9, and 2 ports, web access port 8081 for web access to server and cameras, and 22609 port for client app. All computers in second VLAN can use web and desktop app to access cameras on both ports, either via web, or using app. But computers in first VLAN can only use web access via port 8081 as it works without issues, but not through app, as app requires to work over port 22609, but it is not working across from second VLAN to the first VLAN. I tried adding firewall rule to allow any IP any port from first VLAN to server IP and port 22609 in second VLAN, but it is not working. App says "can not find server, blocked by firewall or router". Can someone maybe help with advice, I would really appreciate it. Thank you.

1 ACCEPTED SOLUTION
NickKova
Here to help

Hey guys, just to let you know, the issue has been resolved. You helped me tremendously. While I was slowly analyzing packets from the .pcap file, I noticed that the TCP conversation was always incomplete, and (so stupid of me, did not check this before, but I guess you sometimes miss the trees while looking into the woods 🙂 ) did not look at the Layer 7 firewall rules on Meraki. It looked like the app requested P2P to be allowed, so once I enabled P2P traffic, the app started working. Thank you all for joining in this topic and for your help. Best wishes for all of you guys!!!
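The diagnosis in the accepted answer (SYNs to port 22609 never answered, so the handshake stays incomplete) can be checked mechanically. The script below is an added example, not from the thread, Meraki or Exacqvision: it parses a classic pcap with only the standard library and lists client flows to 22609 that sent a SYN but never got a SYN-ACK back; the capture, client addresses and ports are constructed for illustration.

```python
import struct
from collections import defaultdict
SERVER_PORT = 22609  # Exacqvision client-app port from the thread

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (not needed for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def incomplete_handshakes(pcap, server_port):
    """Map (client_ip, client_port) -> SYN count for flows to server_port with no SYN-ACK back."""
    syns, answered, off = defaultdict(int), set(), 24  # skip the 24-byte global header
    while off < len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        syn, ack = tcp[13] & 0x02, tcp[13] & 0x10
        if dport == server_port and syn and not ack:
            syns[(src, sport)] += 1          # client trying to open the connection
        elif sport == server_port and syn and ack:
            answered.add((dst, dport))       # server replied; handshake progressed
    return {k: v for k, v in syns.items() if k not in answered}

# Constructed sample: cross-VLAN client retrying SYN to 10.0.0.9:22609 unanswered; same-VLAN client completes.
SAMPLE = build_pcap([
    tcp_frame("172.16.20.50", "10.0.0.9", 51000, SERVER_PORT, 0x02),
    tcp_frame("172.16.20.50", "10.0.0.9", 51000, SERVER_PORT, 0x02),
    tcp_frame("10.0.0.20", "10.0.0.9", 52000, SERVER_PORT, 0x02),
    tcp_frame("10.0.0.9", "10.0.0.20", SERVER_PORT, 52000, 0x12),
])

if __name__ == "__main__":
    for (ip, port), n in incomplete_handshakes(SAMPLE, SERVER_PORT).items():
        print(f"{ip}:{port} sent {n} SYN(s) to port {SERVER_PORT} and never got a SYN-ACK")
```

Point `incomplete_handshakes` at the bytes of a dashboard or server-side capture instead of `SAMPLE` to see which clients are being dropped before the handshake completes.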


alemabrahao
Kind of a big deal

I have never worked with this system, but in some surveillance systems it is necessary to configure IP ranges that are allowed to access the system, have you checked it? It looks like a system issue, not an MX issue.

You can perform a packet capture on the server too.

NickKova
Here to help

Thank you very much alemabrahao. When you say packet capture, do you mean like I use Wireshark, and install it on the server?

Yes, but you can perform a packet capture from the Meraki dashboard. Do you know how to do this?


cmr
Kind of a big deal

From the second VLAN can you ping the CCTV server in the other VLAN?

Thank you. Yes, I can ping the server. What troubles me is that the inter-VLAN connection works on port 8081, that is reserved for the web service. Also, in the server's VLAN, all computers can use both ports for access, 8081, and app port 22609. It is just that somehow 22609 is not available from the other VLAN. I can ping the server from any VLAN. 8081 web access works from any VLAN. People are used to the app, so that is why I am looking for a solution.

cmr
Kind of a big deal

Is the port 22609 traffic unicast, or multicast? If the latter, that could be the problem, do you have a managed switch available?

Yes, I have a Unifi switch.

cmr
Kind of a big deal

Are you able to enable an IGMP querier (or similar) in the CCTV VLAN on the Ubiquiti switch? 

I can try enabling IGMP for the second VLAN.

(never mind the IP shown in the pic, I just downloaded the pic)

@NickKova 

Can you provide more detail about your network? Like a topology or something like that. I'm confused now, because I noticed that the IP ranges are not the same as you described when you started the topic.

The topology consists of one Unifi 16-port switch, Meraki MX appliance, with 2 VLANs set up. I tried enabling IGMP snooping on the 10.0.0.0/24 network, same result. The picture I posted for IGMP was just downloaded from the internet, so just to clarify, the 2 VLANs are 172.16.20.0/24 and 10.0.0.0/24. The CCTV server resides on the second VLAN (I am really sorry if I made confusion for you guys with that picture - also I noticed I mistyped the network details regarding the first VLAN in the first post - it is 172.16.20.0/24). Devices from the first VLAN can ping devices on the second VLAN, and can access the web service for the CCTV server at 10.0.0.9:8081 without problems. It is just the app that uses port 22609 that is not working.

Also forgot to mention, on the server's Windows firewall, port 22609 is allowed for inbound as TCP and UDP, with edge traversal allowed.

Have you tried disabling the Windows firewall? Just for a test.

Yes, tried that too, still the same. 
