Creating a DMZ without having a static public IP

Solved
trunolimit
Building a reputation

I have an MX60 and I need to create a DMZ inside my network, but I don't pay for a static public IP.

How can I create a DMZ without having it break every time my public IP changes? I've got cheap off-the-shelf routers that allow me to create a DMZ without any hassle. Even the ISP-supplied Fios routers have a DMZ section in their GUI that just lets you put in the internal IP of the device you want to be included in the DMZ. Why can't the MX create a DMZ without specifying a public IP?

1 Accepted Solution
Uberseehandel
Kind of a big deal

@trunolimit

What you have described isn't a DMZ issue, it is an issue with the MX not handling everything that comes down the line from your ISP. DMZ Creation using MX

The simplest way to deal with this issue is to place a small configurable router/security gateway ahead of the MX. The one I use has only 3 ports, which may be configured as LAN or WAN, and NAT may be configured on a per-port basis.

[Image: Net Split.jpg]

This arrangement keeps the secure stuff secure. On a selective basis there are ephemeral links created to initiate activities on the insecure side of the network. There are also links between devices in the different networks, but not involving the IP network protocol or USG. A display may be connected (HDMI/DP) to both networks to provide access to the functionality provided by an insecure device.

It also opens up access to a great many people who have dealt with and found solutions to the problem you have described.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

11 Replies
PhilipDAth
Kind of a big deal

I don't understand your issue. Why can't you use a simple VLAN?
trunolimit
Building a reputation

I need unfiltered WAN access to a device inside my network. By default any router has a stateful firewall that keeps inbound connections from getting into the LAN from the WAN. This is why I need a DMZ. A simple VLAN doesn't accomplish this. Also I can't do port forwarding because no one knows the ports on which the FIOS router operates. I've spent a lot of time on DSL Reports to try and find out, without luck.

We have a lot of clients with Meraki MXs in their homes. The only way to get remote DVR to work is to put the Verizon router in front of the MX and then, inside the Verizon GUI, place the MX in their DMZ so we have full access to the MX from the WAN side (Site-to-Site and Client VPN only work if the MX is placed in the Verizon DMZ).

I don't like the Verizon FIOS router in front of the MX because it's unreliable. I've had to go onsite and reboot a few of them from time to time. Also, if the Verizon router gets an update that wipes the settings, the MX VPN features stop working.

I've tried to reach out to Verizon about this but all they tell me is their Remote DVR only works if their router is the gateway to the WAN.

I have read that there might be a way to do it through MAC address spoofing, but this is another feature that basic off-the-shelf routers have that the Meraki MX doesn't have.
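To make concrete what "placing the MX in the Verizon DMZ" does to an unsolicited inbound packet, here is a small model of the two-router (double NAT) chain described in the post above. It is an added example for this thread, not Meraki or Verizon code; the router names, addresses and ports are constructed, and a consumer "DMZ host" is modelled the way the thread describes it: the address that receives every inbound packet the router has no other rule for.

```python
"""Toy model of chained consumer routers with a stateful firewall, a "DMZ host"
setting and explicit port forwards.  Constructed example for this thread; it is
not Meraki or Verizon code, and all addresses and router names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Router:
    name: str
    wan_ip: str
    # Consumer "DMZ host": every unsolicited inbound packet that matches no
    # port-forward rule is sent here instead of being dropped.
    dmz_host: Optional[str] = None
    # Explicit forwards: destination port -> internal address.
    port_forwards: Dict[int, str] = field(default_factory=dict)

    def inbound(self, dst_port: int) -> Optional[str]:
        """Where an unsolicited inbound packet goes; None means the stateful
        firewall drops it (no existing state, no forward, no DMZ host)."""
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]
        return self.dmz_host


def trace_inbound(chain: List[Router], dst_port: int) -> List[str]:
    """Follow an unsolicited packet from the Internet through the routers in
    WAN-to-LAN order.  Returns the hops; the last item is the end host or
    'DROPPED@<router>'.  A next hop that is another router's WAN address
    (double NAT) hands the packet on to that router."""
    by_wan = {r.wan_ip: r for r in chain}
    hops: List[str] = []
    current = chain[0]
    while True:
        hops.append(current.name)
        nxt = current.inbound(dst_port)
        if nxt is None:
            hops.append(f"DROPPED@{current.name}")
            return hops
        if nxt in by_wan:
            current = by_wan[nxt]
            continue
        hops.append(nxt)
        return hops


# Constructed topology: ISP router at the edge, MX behind it (double NAT).
FIOS_WAN = "198.51.100.23"     # constructed "public" address of the ISP router
MX_WAN = "192.168.1.2"         # MX uplink sits on the ISP router's LAN
INNER_HOST = "10.10.0.5"       # device behind the MX that should be reachable


def scenario(fios_dmz: Optional[str], mx_forwards: Dict[int, str], port: int) -> List[str]:
    fios = Router("FIOS", FIOS_WAN, dmz_host=fios_dmz)
    mx = Router("MX", MX_WAN, port_forwards=mx_forwards)
    return trace_inbound([fios, mx], port)


def no_dmz_on_isp_router() -> List[str]:
    # ISP router left at its default: unsolicited inbound is dropped at the
    # edge, so whatever is configured on the MX never sees the packet.
    return scenario(None, {443: INNER_HOST}, 443)


def mx_in_isp_dmz_with_forward() -> List[str]:
    # ISP router's DMZ host = the MX WAN address; the MX then applies its rule.
    return scenario(MX_WAN, {443: INNER_HOST}, 443)


def mx_in_isp_dmz_no_forward() -> List[str]:
    # MX in the ISP DMZ but with no rule for this port: the MX's own stateful
    # firewall still drops it, which is the "full access to the MX" case.
    return scenario(MX_WAN, {443: INNER_HOST}, 8443)


if __name__ == "__main__":
    for f in (no_dmz_on_isp_router, mx_in_isp_dmz_with_forward, mx_in_isp_dmz_no_forward):
        print(f"{f.__name__}: {' -> '.join(f())}")
```

The model also shows why the "put the MX in the ISP router's DMZ" arrangement is a security trade: everything the ISP router would have dropped now lands on the MX, so the MX's own firewall rules are the only thing between the Internet and the inside network.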

Uberseehandel
Kind of a big deal

To get to the bottom of how the Verizon setup plays with 3rd party kit, look around the forums where this information is explained. They will explain how to configure everything.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
trunolimit
Building a reputation

First I’d like to thank you for the reply, I have seen the guide on DSL reports but the only solution to this problem involved MAC address Spoofing which Meraki is incapable of. But there seems to be some more recent posts about this subject that I haven’t seen. So I’ll go through those.

Skimming through the posts I see a lot of Port Forwarding trial and error stuff that has to be done on my part. A simple DMZ would resolve this. But how to set up a DMZ without an additional static IP?
Uberseehandel
Kind of a big deal

@trunolimit

At present there are certain things which the MX does not handle, but free (ISP supplied) routers do handle. There are also some eminently affordable and capable devices (routers and security gateways) that can be used with the MX to correctly distribute the services the ISP provides.

In my case, I put a BrandX security gateway ahead of the MX. This started off as a way of getting around the reality that there are certain flavours of SSM (source specific multicast) that the MX makes no attempt to handle, although the switch handles it fine. Very quickly I realised that splitting the local network into 2 distinct LANs gave me some real benefits.

All the doubtful kit (wireless speakers, HVAC control, smart TVs, smart home paraphernalia, Chromecast, Alexa, light bulbs) communicates via the dodgy doofa LAN, and the secure stuff sits behind the MX. The MX connects to the ISP through a port on the BrandX gateway. I have the choice of either having the MX handle NAT for its own dependent clients and specifying that the traffic from that port is not NATted when routed out the WAN port, or letting BrandX do all the NATting. At the moment I have the MX doing the NATting. I need to avoid double-NATting.

For services such as Chromecast and Bonjour, carefully configured VLANs allow access from a secure-network-hosted wireless client to a Chromecast-capable device on the dodgy network, so music plays, or whatever, and once it has started, the device on the secure network can disconnect.

Much as we might like to, we cannot ignore the smart gadget phenomenon. I discovered, by accident, that "smart" light bulbs exist; I can't imagine there is a property manager out there who isn't attracted by that sort of capability. One of the problems is that the people who make speakers and bathroom scales and such are not interested in the security implications of networking. So better to put all that stuff in purdah and keep them away from what matters.

I have secure network devices that interact with the dodgy doofa kit by HDMI 2 alone. It works fine; we have large monitors that cope with this seamlessly. If I wanted to, and I don't, I could route the SSM link to a playout attached to the secure network.

Keeping the sheep from the goats is a good idea.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
trunolimit
Building a reputation

IoT is going to be, if not already, the bane of our existence. Right now there are 2 types of IoTs. The ones that are strictly cloud based: the client talks to the cloud, which in turn talks to the IoT and vice versa. Then you've got the IoT stuff that communicates on the local LAN, so you're kind of stuck if the IoT device relies on layer 2 communications. So far most of the IoT stuff I encountered doesn't need to be on the same LAN except for the Bonjour stuff. Interestingly enough, I just learned that Apple devices use Bluetooth to take care of what Bonjour is supposed to do.

I had an installation where, unbeknownst to me, the client installed an Apple TV and placed it on the guest SSID. The guest SSID is set up so no one can see each other. I was freaked out when I saw that AirPlay worked on the guest Wi-Fi. After a lot of poking around I turned off Bluetooth on my MacBook and saw that AirPlay no longer worked.

I'm a bit confused about your setup. How do you avoid double NAT with the BrandX gateway in front of the MX? I adamantly don't know what a BrandX gateway even is.

Uberseehandel
Kind of a big deal


@trunolimit wrote:

> I'm a bit confused about your setup. How do you avoid double NAT with the BrandX gateway in front of the MX? I adamantly don't know what a BrandX gateway even is.

The BrandX gateway conveniently allows NAT to be configured on a per-port basis, so the MX uplinks to LAN2, which has NAT disabled.

A BrandX gateway is a security gateway from a brand that is not Meraki (or Cisco). I had some of their kit sitting in the chuck shed, so I dusted it off and discovered that it appears to solve a problem common to many Meraki users in Europe and East Asia, where, unlike the US, SSM is commonly used by network providers. SSM is used by some US ISPs, but less commonly than elsewhere.

I only mention BrandX because it solves a specific problem, multicast and the avoidance of double NATting, which, at the moment, Meraki has no solution to. The ability to keep the insecure devices even further removed from the secure parts of the network is a bonus. The component cost is slight, but not everything can be done with a GUI, which isn't for everybody.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal

@trunolimit

You could use a DDNS to achieve what you require. However, my own best practice is to put anything that others need access to in a rack in a data centre with a public address. In fact, anything that looks remotely like a server (real or virtual) lives in a data centre somewhere else. My currently preferred location has its own solar array, and coincidentally, over a decade ago I arranged for it to become the first certified carbon-neutral hosting business in the UK.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
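What a dynamic DNS client actually does on a line whose public address changes, as an added example for this thread (it is not Meraki code and not any DDNS provider's client). The "what is my IP" lookup and the provider's update call are injected callables so the logic runs offline here; in a real deployment they would be HTTP calls to the provider's update endpoint, which is hypothetical in this example. The check for non-routable address space is the practical caveat: if the ISP hands the line a carrier-grade NAT address, no DNS record can make an inside host reachable.

```python
"""Dynamic-DNS updater with change detection.  Added example for this thread;
it is not Meraki code and not any DDNS provider's client.  The public-IP
lookup and the provider update call are injected callables so the logic
runs offline; a real deployment would plug in HTTP calls to its provider's
(hypothetical here) update endpoint."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Ranges that can never be reached from the Internet.  If the ISP hands out
# one of these, it is NATting the line itself (e.g. carrier-grade NAT) and no
# DDNS record will make an inside host reachable.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 shared space (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def is_public_ipv4(ip: ipaddress.IPv4Address) -> bool:
    return not any(ip in net for net in NON_PUBLIC_V4)


class DdnsUpdater:
    def __init__(self, hostname: str,
                 get_public_ip: Callable[[], str],
                 push_record: Callable[[str, str], bool]) -> None:
        self.hostname = hostname
        self._get_public_ip = get_public_ip   # e.g. an HTTP "what is my IP" lookup
        self._push_record = push_record       # provider update call, True on success
        self.last_pushed: Optional[str] = None
        self.log: List[str] = []

    def check_once(self) -> Tuple[str, str]:
        """One poll.  Returns (status, address) where status is one of
        'invalid', 'not-public', 'unchanged', 'updated', 'failed'."""
        raw = self._get_public_ip().strip()
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            # A lookup service returning an error page must never be pushed as a record.
            self.log.append(f"ignored malformed lookup result {raw!r}")
            return "invalid", raw
        addr = str(ip)
        if not is_public_ipv4(ip):
            self.log.append(f"{addr} is not Internet-routable; DDNS cannot help behind CGNAT")
            return "not-public", addr
        if addr == self.last_pushed:
            return "unchanged", addr      # no provider call: stays within update rate limits
        if self._push_record(self.hostname, addr):
            self.last_pushed = addr
            self.log.append(f"updated {self.hostname} -> {addr}")
            return "updated", addr
        self.log.append(f"provider rejected {addr}; will retry next poll")
        return "failed", addr           # last_pushed unchanged, so the next poll retries


def run_demo() -> List[str]:
    """Scripted sequence of lookup results (constructed) standing in for
    successive polls on a line whose address changes."""
    polls = iter(["203.0.113.10", " 203.0.113.10\n", "203.0.113.77",
                  "100.64.1.5", "<html>error</html>", "203.0.113.77"])
    updater = DdnsUpdater("home.example.net",          # hypothetical hostname
                          get_public_ip=lambda: next(polls),
                          push_record=lambda host, ip: True)
    return [updater.check_once()[0] for _ in range(6)]


if __name__ == "__main__":
    print(run_demo())
```

DDNS only keeps a hostname pointing at whatever address the line currently has; it does not change what the router behind the line needs to be told, so the dashboard question raised later in this thread (IP addresses versus names in the DMZ configuration) is separate from the updater itself.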
trunolimit
Building a reputation

My use case is nothing as serious as a server. If it were I'd just have the clients pay for a public IP and be done with it. Actually one of our clients did just that. It was an office that had Verizon FIOS installed. The FIOS boxes don't like to be behind another router. Remote DVR, TV guide, and on-demand videos don't work if the FIOS router is not installed. TV guide and VoD can easily be fixed by using a MoCA adapter or simply putting the FIOS router on its own VLAN behind the MX.

However, the remote DVR services only work if the FIOS router is on the WAN unfiltered.

I will look into using DDNS as you suggested, but I was under the impression that you could only use IP numbers in the DMZ section on the dashboard, not URLs.

Maybe explain to me exactly how to use DDNS to build a DMZ, please.
trunolimit
Building a reputation

Regardless of why I want to do it, I gather there is no way to do it.

You need a separate public IP to set up a DMZ on the Meraki platform.
