Firewall settings for guest network to enable VPN access to Meraki MX

WifiCable
Conversationalist

Firewall settings for guest network to enable VPN access to Meraki MX

We are currently migrating our network to Meraki.

We have several network segments (different vlans) at our location including one for guests.

This network is isolated from the other networks, only internet access is enabled.

I've done this in the firewall like this:

 

deny any protocol source any port <corp-nw> destination any protocol <guest-nw>

deny any protocol source any port <guest-nw> destination any protocol <corp-nw>

allow any protocol source any port <guest-nw> destination any portocol any destination

 

That works so far.

When I'm connected to the guest Network, I cannot establish a VPN connection to our Meraki Gateway.

 

I think I have to create a rule to allow that connection... Can anyone tell me how?

5 REPLIES 5
MarcP
Kind of a big deal

Wireless - Firewall - Deny local LAN , for your Guest Wifi?

 

2019-04-17 14_51_12-Firewall & traffic shaping - Meraki Dashboard.png

WifiCable
Conversationalist

I tried a little more. Port forwarding is working, sorry for that. I have only problems with VPN.

 

As I wrote the network seperation is not the problem. Also VPN from outside to corp lan works fine.

 

The problem is that I cannot establish this VPN connection when I'm inside the (local, Meraci-managed) guest network.

 

PhilipDAth
Kind of a big deal

I would doubt that you could VPN in from inside of the MX to the outside of the MX.  I don't think this is a valid config.

Sure, from the network state it's not the best.

 

We have a larger number of mobile devices that connect to foreign public networks and our local guest network.

It would be helpful if the connection could work the same way.

I have setup VPNs on several firewalls and find that most cannot connect to the VPN from the LAN side.

 

I also have setup Routing and Remote Access on different Windows severs.  With that config, users could connect to the VPN from the LAN.

 

A different way to accomplish a Guest Network that has managed access to the LAN, would be to setup an Employee Guest SSID that uses RADIUS to your server for authentication. 

 

Dave Anderson
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels