General setup

SOLVED
Xydocq
A model citizen


I got myself a Meraki Go GX20. It was meant to replace one of my routers as a security gateway. Currently I gave up on the initial setup and feel more like throwing it in the dumpster and forgetting about it than going back and trying again.

Anyway, I might give it another try if someone could give me some advice.

I use the modem/router I got from my ISP as modem. All traffic is set to be passthrough. The modem itself holds my guest-network. It gives them access to the internet but it's divided from my LAN.

The Meraki should allow me to create two VLANs. One VLAN is meant to be a "DMZ". It holds a small web-server and nothing else. The second VLAN leads to the LAN. All connections to that point are set to be static. The LAN is managed by another router with a built-in VPN-Server. So Meraki should forward web-requests to the web-server and VPN-requests to the LAN-Router.

I managed to do most of the setup but when I connected the LAN-router to the Meraki, all went south. The whole LAN was blocked from the internet no matter what I changed on the setup. Meraki didn't like it.

The setup in general looks like this: Modem (static IP) <-> 1st Gateway; Vlan1 10.10.0.1 <-> web-server 10.10.0.2 / Vlan2 10.10.1.1 <-> Lan-VPN-router 10.10.1.2 <-> Lan 10.10.10.0/24

Thanks

1 ACCEPTED SOLUTION
Xydocq
A model citizen

After some cups of coffee and a good night's sleep I thought I might give the GX20 another try.

The earlier experience didn't really raise my expectation of a successful installation, but it finally worked out the way I wanted it to be.

After the first try I deleted the GX20 from the app and tried to reset it to factory default. Surprisingly all the settings were still stored on the device. I can't really say what the difference was that made it finally work. Like the day before I set the internet connection as static, hooked up the GX20 to the Internet and installed the app on my phone again. Then switched from the phone to the laptop and changed some of the port-settings to "Access" instead of "Trunk" and added the desired VLAN-number to the ports. Pretty painful, because I had to plug in the laptop to each port I wanted to change, gladly there are just 4. Maybe that did the trick for me. After doing that and connecting my LAN-router to the GX20, internet access was possible and the VPN-connection also came up immediately. I was kinda shocked. It took 5 hours the day before and didn't work. After that I connected the web-server and it was online within a second.

WHY, WHY didn't it work the day before???

I still think that the general setup isn't made that easy. First you have to set up the internet-connection by accessing the GX20 over LAN, then you have to switch to a mobile app to continue and are finally able to access it over the cloud-based web-application. The UI itself is far from intuitive in my opinion. Many competitors offer a better UI, and a more intuitive way of setting it up.

I chose the GX20 because I was using Cisco-devices in the past and they worked as expected. How the setup went for me, the GX20 falls short on user-friendliness but I am willing to find out if it will live up to the performance over time.

Just one last thing. Is there a way to add a firewall rule to block traffic from VLAN1 to VLAN2 but allow it the other way around?

Thanks

hidden0
Meraki Alumni (Retired)

Hey @Xydocq - I was perusing the community and found your story. Why did it not work the day before, indeed? I'm right there with you.

We have a very rare, and extremely hard to reproduce port configuration issue on the GX. We've yet to nab it and fix it. What I've seen happen only twice in several years is the ports can be set to drop untagged traffic on the GX LAN. I'm guessing you hit the lottery and encountered this problem, as evidenced by a port config change from Trunk to Access seemingly fixing the issue. I'm wondering if, indeed, that did do the trick.

I never have any luck causing this problem in my lab. I'd hate to put you through that pain again, but if you are able to reproduce that deployment failure we'd love to hear more about it via a support case opened from the app settings menu.

In regards to your question about firewall rules in one direction between two VLANS: currently this is a feature request. However, I'm happy to say it is on our roadmap to be able to set custom L3 firewall rules. You can't do it today, but hopefully you can sooner rather than later. Right now we have the "Secure" toggle on the VLAN which automatically writes L3 firewall rules on the firewall to block any traffic to/from that VLAN on the LAN.
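
The two points in the reply above, as an added example that is not part of the thread and not Meraki's code: a generic 802.1Q model of how a port classifies the untagged frames a downstream router sends, followed by a stateful one-way rule of the kind asked about (VLAN 2 may open flows to VLAN 1, VLAN 1 may only reply). The class names, the `drop_untagged` flag and the port numbers are assumptions; the VLAN numbers and addresses follow the topology in the first post.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Port:
    mode: str                        # "access" or "trunk"
    vlan: int = 1                    # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset() # VLAN tags a trunk accepts
    drop_untagged: bool = False      # hypothetical flag for the state described above

def classify(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an ingress frame lands in, or None if it is dropped."""
    if port.mode == "access":
        # Untagged frames join the access VLAN; this model drops tagged ones
        # (vendor behaviour for tagged frames on access ports varies).
        return port.vlan if tag is None else None
    if tag is None:
        return None if port.drop_untagged else port.vlan
    return tag if tag in port.allowed else None

@dataclass
class OneWayPolicy:
    """Stateful rule: `trusted` may open flows to `dmz`, never the reverse."""
    dmz: int
    trusted: int
    flows: set = field(default_factory=set)

    def permit(self, src_vlan, src, dst_vlan, dst) -> bool:
        if (src_vlan, dst_vlan) == (self.trusted, self.dmz):
            self.flows.add((src, dst))       # remember the flow so replies pass
            return True
        if (src_vlan, dst_vlan) == (self.dmz, self.trusted):
            return (dst, src) in self.flows  # replies only, no new flows
        return src_vlan == dst_vlan          # same-VLAN traffic is not filtered

def demo() -> dict:
    # Constructed sample: the LAN router sends untagged frames into its port.
    broken = Port("trunk", vlan=1, allowed=frozenset({1, 2}), drop_untagged=True)
    fixed = Port("access", vlan=2)
    policy = OneWayPolicy(dmz=1, trusted=2)
    web, lan = ("10.10.0.2", 80), ("10.10.1.2", 40000)  # ports are constructed
    return {
        "trunk_drop_untagged": classify(broken, None),       # frame dropped
        "access_vlan2": classify(fixed, None),               # lands in VLAN 2
        "dmz_opens_to_lan": policy.permit(1, web, 2, lan),   # new flow refused
        "lan_opens_to_dmz": policy.permit(2, lan, 1, web),   # allowed, tracked
        "dmz_reply_to_lan": policy.permit(1, web, 2, lan),   # reply allowed
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A plain stateless "deny VLAN 1 to VLAN 2" rule would also drop the web server's replies, which is why the one-way policy has to track flows.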

Xydocq
A model citizen

Hello @hidden0

Thank you for the information.

Not sure if I should be flattered to be the second one running into this problem. It seems I am somehow able to reproduce the error by simply changing some settings.

Support case will be 09400847.

hidden0
Meraki Alumni (Retired)

Thank you for following up, @Xydocq! I gave what knowledge I have to the support team. We appreciate your help, as well as shedding light on an issue that may impact more customers down the road.

Hi @Xydocq, thanks for pointing me to your story. I think I fall into this situation and am very close to figuring it out. The only thing I haven't figured out yet is two things.

1. What do people mean by setting a static internet IP? Currently my firewall gets a public IP from my modem. What should it be set to if I change it to static?

2. What do you mean you had to plug your laptop into each of the four ports to configure them separately? I'm able to plug into one port and do a bunch of configurations for each of the other 3. All the ports viewed via the internal web app (http://setup.meraki.com/) look the exact same as what I see in the mobile app.

Thanks for helping me get this far.

One thing that might help explain my situation better is I'm using an Arris SB8200 which is strictly a modem and not a modem router combo. It essentially has zero configurability besides me setting the admin password.