Problem using Meraki enterprise client VPN from macOS through Meraki Go guest or NAT network.



Posted this on Reddit and didn't receive any comments. I'm hoping someone can either offer some suggestions or help me understand what's happening. 


Original Reddit post...


With my old home routers I would use the guest network with my work MacBook running macOS Ventura. I would use the Meraki client VPN at work without issue. I set up my GX50 and GR12 the same way: Personal network and a guest network for my work computer.


First try working with the enterprise VPN on the guest network. Nope, that didn't work. My work computer could connect to the Meraki client VPN on the enterprise side, but couldn't contact anything within the company network. Doing ping tests I would see a message with each ping, "Communication prohibited by filter."


Changed it to a NAT network. Still not able to contact anything within the company network, but pings now simply fail with no response message in the pings. Even with the option to allow communication between devices enabled, no luck.


The only thing that works is to set the network to Bridged mode. This would give the SSID I intend to use for guest access the ability to access my personal network.


I looked for any filters that I could control or turn off but I don't see anything. I do not have the security subscription license. I'm wondering if bridge mode will be required to properly use my employer's VPN or if I'm just missing something in my Go settings that will allow it?



4 Replies

Have you followed these instructions step by step? There are some specifics for macOS.



Thank you for the suggestion! I looked at the linked documentation. This would apply if I were using the VPN to access my GX50 network, but in this case I'm behind my personal GX50 and connecting to my employer's Meraki Client VPN that runs on enterprise hardware (MX84 and MX450 appliances.) 


To refresh my memory of the setup routine, I built another network on my GX50 and set it to Guest mode. I came across the following prompt. (Screenshot.) Logically, this prevents guests from seeing internal class A, B, or C networks. I still don't find anywhere that I can control this myself, but what stumps me is that it's affecting the client VPN into another network. It's like the GX50 firewall somehow sees the VPN traffic trying to reach company resources. Ordinarily, I would think that a full tunnel VPN would not be filtered by my own firewall rules. I'll double-check the "Send all traffic over VPN" setting on the work computer, but still scratching my head.




