Client VPN routing question

SOLVED
StarZen

Trying to set up a client VPN to access my local resources when I am out of the office.

In my office I have an MX (that is connected with our main office via site-to-site VPN).

Behind the MX there is a Netgear ORBI, and all my devices are connected either via Ethernet or Wi-Fi to the ORBI.

Trying to figure out how this needs to be configured.

The MX has a VLAN 192.168.128.0/24

The client VPN creates a VLAN 192.168.88.0/24

And then of course the ORBI has its own network 192.168.1.0/24

Big question now is how to define the routing so I can access the devices on the ORBI when connected via client VPN.

Thanks for any pointers.

 

Ryan_Miles
Meraki Employee

The client VPN subnet should be able to route to the other VLANs on the MX by default.

At this time the MX doesn't know about the network on the ORBI.

This is what I am trying to figure out. How do I tell the MX about the ORBI's network?

Oh, I assumed you meant you created a VLAN on the MX for the 192.168.1.0/24 network and they were physically connected. If not, sounds like you need to do that. Or, change the Orbi network to be on the .128 network.

 

Or, if you don't need the .128 network just edit it and make it the 192.168.1.0/24 subnet and connect your Orbi.

I tried that.

When I add 192.168.1.0/24 as a VLAN and then try to use RDP on an IP, it times out.
Also, trying to open the ORBI gateway on 192.168.1.1 times out as well.

In the route table I see:

192.168.128.0/24    Default              Local VLAN
192.168.1.0/24      Local                Local VLAN
0.0.0.0/0           Default WAN route    WAN uplink
192.168.88.0/24     Client VPN           Client VPN



 

From your VPN client can you ping the gateway IPs like 192.168.128.1 & 192.168.1.x?

I can ping 192.168.128.1.

Any address in 192.168.1.x times out, even .1, which is the ORBI itself.

One question: when adding the VLAN, what IP do I use for the MX IP?

It can be whatever you want/whatever isn't being used already.

OK, that's what I thought. And that is the only address I can ping from the 192.168.1.x range.

Tried changing the MX to 192.168.1.0/24.

Still no luck in pinging anything on that network except for the MX itself.

Jeizzen

Either you put your Orbi gear (never had to deal with that kind of device) in something like bridge mode, and the MX gives DHCP to devices behind the Orbi gear

Or

Create a transport subnet (e.g. 192.168.100.0/30) between the MX interface and the Orbi interface

Put 192.168.100.1 on the MX interface facing the Orbi

Put 192.168.100.2 on the Orbi interface facing the MX

Create a static route in the MX:

to reach subnet 192.168.1.0 (Orbi), go to 192.168.100.2

Create a route in the Orbi:

to reach (whatever you need that is managed by the MX), go to 192.168.100.1

You cannot have 192.168.1.1 on both the MX and the Orbi.

Thanks, I was thinking along those lines.

So my MX's VLAN is 192.168.128.0/24 with a gateway of 192.168.128.1
My LAN on the ORBI is 192.168.1.0/24 with a gateway of 192.168.1.1

So enter a static route on the MX:
Subnet: 192.168.1.0/24
Next Hop: 192.168.1.1
VPN Enabled

And then on the ORBI a static route:
Destination IP Address: 192.168.128.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.128.1

When I connect the VPN, any address on 129.168.1.x goes to the MX web interface.

What is the IP you have on the interface of the ORBI that is facing the MX interface?

ORBI is set to DHCP from MX.

Current:
192.168.128.3
255.255.255.0

I could set that to static, of course.

So the MX static route to the ORBI subnet should be:

Subnet: 192.168.1.0/24
Next Hop: 192.168.128.3 (not 192.168.1.1)
VPN Enabled

And yes, you should set 192.168.128.3 as a static IP.

I have this same scenario, but I can't seem to get it to work - any help for me?

Thanks so much. Got it all working now.

Jeizzen

👍
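
The next-hop rule behind the accepted fix, as an added example that is not part of the original thread or any Meraki tooling: a static route's next hop must be an address the router can reach on one of its own attached subnets. The function name `check_static_route` and the `MX_CONNECTED` table are assumptions made for illustration; the addresses are the ones posted in the thread.

```python
import ipaddress

def check_static_route(dest, next_hop, connected):
    """Return a list of problems with a static route (empty list = usable).

    connected: {directly attached subnet in CIDR: the router's own IP in it}
    """
    dest_net = ipaddress.ip_network(dest)
    hop = ipaddress.ip_address(next_hop)
    problems = []

    # The router can only hand packets to a neighbour it reaches at layer 2,
    # so the next hop has to sit inside one of its own attached subnets.
    on_link = [n for n in connected if hop in ipaddress.ip_network(n)]
    if not on_link:
        problems.append(f"next hop {hop} is not on a directly connected subnet")

    # Pointing the route at the router's own interface address forwards nothing.
    for net in on_link:
        if hop == ipaddress.ip_address(connected[net]):
            problems.append(f"next hop {hop} is the router's own address in {net}")

    # If the destination is already attached, the connected route wins and the
    # router looks for hosts locally instead of using the static route.
    for net in connected:
        if dest_net.subnet_of(ipaddress.ip_network(net)):
            problems.append(f"{dest_net} is already directly connected via {net}")
    return problems

# Values from the thread: MX VLAN 192.168.128.0/24 with the MX at .1,
# Orbi WAN side at 192.168.128.3, Orbi LAN 192.168.1.0/24.
MX_CONNECTED = {"192.168.128.0/24": "192.168.128.1"}

if __name__ == "__main__":
    for hop in ("192.168.1.1", "192.168.128.3", "192.168.128.1"):
        result = check_static_route("192.168.1.0/24", hop, MX_CONNECTED)
        print(hop, "->", result or "OK")
```

The third check covers the earlier attempt in the thread where 192.168.1.0/24 was also defined as a VLAN on the MX: with that prefix attached locally, a static route to the Orbi for the same prefix is never consulted.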
