Help setting up static route

Solved
SimonReach
Getting noticed

Help setting up static route

Hoping someone in here can assist me please in getting a static route set up, as I'm currently trialling 2 MX65Ws, one set up at our main office and one set up on a home connection.

Current setup is:

Head Office - 2 connections coming in, 1 via MPLS which connects all of our offices together, 1 is the internet. There are 4 main network subnets in our head office: 10.14.130 (Clients/Servers), 10.13.130 (Wireless), 10.14.140 (Management/Switches), 10.17.130 (VOIP Phones). The first MX65W is connected via Internet 1 into one of our access switches and has an IP of 10.14.130.149 which it gets from DHCP (purely as it's a trial), and the dashboard sees it.

The home connection - broadband connection with a second MX65W plugged into a Virgin Super Hub router. Dashboard picks it up fine. MX is configured with an IP of 192.168.127.1; laptop is plugged into the back of it with an IP of 192.168.127.2.

Meraki support have checked all the settings and they all look fine, i.e. site-to-site VPN configured correctly, and the 2 MX devices can ping each other fine.

The issue is that the laptop at home can't ping anything on the 10.14.130 network and nothing on the 10.14.130 network can ping the home address. Also no clients can ping the other MX device, i.e. my machine at work can't ping the MX at home.

Meraki support have said that the issue is no static route in our ASA5525 and a static route needs setting up from 10.14.130.149 to 192.168.127.0. How is this done?

The ASA has 4 static routes configured currently.

Inside 10.0.0.0 / 255.0.0.0 / Gateway IP 10.14.130.250

Inside 192.168.0.0 / 255.255.0.0 / Gateway IP 10.14.130.250

Outside 0.0.0.0 / 0.0.0.0 / Gateway 81.144.234.145

Outside 10.251.130.0 / 255.255.255.0 / Gateway 81.144.234.145 (This range is our VPN range for current VPN users)

1 Accepted Solution
DCooper
Meraki Alumni (Retired)

Since this is a trial, why don't you plug the computer(s) directly into the MX65W and bypass your existing network? The issue you're having is that everything at the work network you're accessing is getting DHCP that has a default gateway of the ASA. So what is happening is a return routing issue. You have something like this: Home PC <-> HomeMX <--VPN--> WorkMX <-> Work Computer, then the Work Computer replies to the ASA as opposed to the WorkMX. The ASA does not have a route in it to point to the HomeMX network. Are you trying to find a solution to replace the ASA? Also, if you want to get to any other networks like the 10.13.130 (Wireless), 10.14.140 (Management/Switches), 10.17.130 (VOIP Phones), you would need to add in a route on the MX to point to the ASA. The command you would need would look something like this on the ASA: route 192.168.127.0 255.255.255.0 10.14.130.149


25 Replies
Uberseehandel
Kind of a big deal

Hi

First things first:

Have you put the Virgin Super Hub into modem mode?

This is a common problem.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
SimonReach
Getting noticed

No, I'll look into that when I get home, but thank you for the suggestion as it wasn't something I had thought of at all.

Uberseehandel
Kind of a big deal

Simon

I don't get Virgin TV, so I don't know how that will be handled by the MX.

One of the things BT has done right is to use multicast for BT TV channels. This requires a router/security appliance that can run an IGMP proxy, which the MX does not yet do, but the MS switches handle IGMPv3 already. My solution is to use a router that can be configured so that a STB/playout device can be connected to it and be fully functional, whilst everything else can be passed through unchanged to the MX.

I am very happy using a Vigor 130 modem (auto configures for UK ISPs) in PPPoE/PPPoA (Bridge) mode, but it doesn't get round the IGMP proxy issue.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
ww
Kind of a big deal

You have now:

Inside 192.168.0.0 / 255.255.0.0 / Gateway IP 10.14.130.250

You can try adding a more specific:

Inside 192.168.127.0 / 255.255.255.0 / Gateway IP 10.14.130.149
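The return-routing problem DCooper describes in the accepted solution and the longest-prefix fix ww suggests above, as an added example that is not code from this thread, Meraki or Cisco: a small Python model of the work-side routing with the home subnet 192.168.127.0/24. The core switch at 10.14.130.250 is taken as the work client's gateway with the 192.168.0.0/16 route towards MPLS that the thread's later show ip route confirms; the laptop and work-client addresses 192.168.127.2 and 10.14.130.50 are constructed for illustration.

```python
import ipaddress

# Added example, not code from the thread, Meraki or Cisco: a toy longest-prefix-match
# model of the head-office routing. Next hops are the IPs given in the thread; "direct"
# means on-link. Addresses 192.168.127.2 and 10.14.130.50 are constructed end hosts.

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(routers, start, dst, max_hops=8):
    """Follow next hops router to router, like a tracert, until delivered or lost."""
    path, current = [start], start
    for _ in range(max_hops):
        next_hop = lookup(routers[current], dst)
        if next_hop is None:
            return path + ["no route"]
        if next_hop == "direct":
            return path + ["delivered"]
        path.append(next_hop)
        if next_hop not in routers:
            # handed to something we do not model (MPLS cloud, ASA): lost for our purposes
            return path + ["leaves modelled network"]
        current = next_hop
    return path + ["hop limit"]

# Core switch (10.14.130.250) before the fix. Its 192.168.0.0/16 route (visible in the
# show ip route later in the thread) sends every 192.168.x.x reply towards MPLS.
CORE_BEFORE = [
    ("0.0.0.0/0", "10.14.130.253"),       # default to the ASA
    ("10.0.0.0/8", "10.14.130.244"),      # other offices over MPLS
    ("192.168.0.0/16", "10.14.130.244"),  # catch-all that swallows the home subnet
    ("10.14.130.0/24", "direct"),
]
# After the fix: a more specific /24 via the office MX wins the longest-prefix match.
CORE_AFTER = CORE_BEFORE + [("192.168.127.0/24", "10.14.130.149")]

OFFICE_MX = [("10.14.130.0/24", "direct"),
             ("192.168.127.0/24", "192.168.127.1"),  # site-to-site VPN to the home MX
             ("0.0.0.0/0", "10.14.130.250")]
HOME_MX = [("192.168.127.0/24", "direct"),
           ("10.0.0.0/8", "10.14.130.149")]         # VPN route back to the office

def routers_with(core_table):
    return {"10.14.130.250": core_table, "10.14.130.149": OFFICE_MX,
            "192.168.127.1": HOME_MX}

if __name__ == "__main__":
    before, after = routers_with(CORE_BEFORE), routers_with(CORE_AFTER)
    print("home -> work client:", trace(before, "192.168.127.1", "10.14.130.50"))
    print("reply before fix   :", trace(before, "10.14.130.250", "192.168.127.2"))
    print("reply after fix    :", trace(after, "10.14.130.250", "192.168.127.2"))
```

The forward path from home succeeds in both cases; only the reply differs, which is why the home laptop could reach nothing even though both MXs could ping each other.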

DCooper
Meraki Alumni (Retired)

route <interface> 192.168.127.0 255.255.255.0 10.14.130.149

SimonReach
Getting noticed

Hi DCooper,

We think there was a static route configured in the core switch somewhere that was causing problems for any 192.168 traffic, so I've changed the home subnet to be 100.100.100.0 with an MX IP of 100.100.100.1. The tracert from my machine in the office to 100.100.100.1 (IP of the MX at home) now goes to 10.14.130.250 as the first hop, which is our gateway IP address to get to the internet, and then times out. The bottom screenshot is what I've put in the ASA.

[Attachments: Hems AddressVLAN.JPG, Hems VPN.JPG, VPN Stat.JPG, Open VPN.JPG, ASARoute.JPG]

DCooper
Meraki Alumni (Retired)

Ok, I'm a little confused now as to where the Layer 3 is set up on the work network. Does the core switch own the default gateways to all of the 192.168's? Then the core switch has a route up to the ASA?

We are fine on the remote network, just need to get the routes figured out on the work side and this will start working.

ww
Kind of a big deal

Is your work laptop and the servers connected behind the MX or on the local network?

Why are you using the same subnets in the MX work VPN as on the LAN?

Try making a network drawing with routing included and share it.

SimonReach
Getting noticed

Think I'm getting there; I'm in the process of learning the Cisco side of it and we've got some old static routes from a previous network that were brought over. I understand our network a lot better this morning than I did yesterday, but what was essentially happening yesterday was, as I understand it now:

Client > Access Switch > Core Switch (Layer 3) > ASA > Internet

I put the route in the ASA but it was getting stuck in the Core Switch, so the ASA route wasn't doing anything.

I've put the static route in the Core Switch now and removed it from the ASA, so anything connecting to the 100.100.100.0 network now goes

Client > Access Switch > Core Switch (Layer 3) > Meraki (Office) > Meraki (Home - 100.100.100.0).

As it stands now, I can ping the Meraki (Home) from my work client but can't ping the laptop plugged into it. I also can't ping the laptop at home from the Meraki device at home either, so will look tonight when I'm back at home. Thank you for your patience, but think we're there.

SimonReach
Getting noticed

Hi DCooper,

Thought I had managed to sort it but still struggling a bit, and I'm sure it's a simple routing issue somewhere. Below is an email I sent over to Meraki support this morning.

---

How it's set up currently

Office: MX65W gets IP through DHCP, a gateway of 10.14.130.250 and the DNS servers from DHCP, which are 10.14.130.1 and 10.100.0.3 (this is in the other main office)

Office: MX65W (10.14.130.149) > Access Switch > Core Switch (Layer 3) 10.14.130.250 > ASA 10.14.130.253 > Internet

Home: MX65W (100.100.100.1) > Virgin Router > Internet

There is a static route in the core switch which is 100.100.100.0 255.255.255.0 10.14.130.149, so any traffic going to that subnet is routed through the Meraki MX device in the office.

The Site to Site VPN is reporting to be fine; the office MX65 can ping the internet and can ping 100.100.100.1 (Home MX) but not a laptop connected to the home MX, which is 100.100.100.2. The home MX cannot ping the internet, client computers on the 10.14.130 range, or any subnets outside of the main office such as the 10.100.0.0 subnet, but can ping the servers on the 10.14.130 range, all devices on 10.13.130, and all the VOIP handsets on the 10.17.130 range. DNS is also not working at all, so can't ping host names from home.

From a home laptop connected to the home MX, I was able to use things like Citrix and connect to servers in the office, but again through IP and not hostname. The DNS servers that are configured in DHCP on the home MX are 10.14.130.1, 10.100.0.3, and 8.8.8.8. These DNS servers do show up in IPCONFIG on my home laptop.

---

End of email.

Since the email, I've made both MXs static and hard coded the IPs and DNS in, same settings on both, no difference at all.


Office MX

ip: 10.14.130.149

subnet: 255.255.255.0

gateway: 10.14.130.250

dns 1: 10.14.130.1 (DNS in the office)

dns 2: 8.8.8.8

Home MX

ip: 192.168.0.5

subnet: 255.255.255.0

gateway: 192.168.0.1

dns 1: 10.14.130.1 (DNS in the office)

dns 2: 8.8.8.8

The static routes in the Core switch at the office (Layer 3) are

ip route 0.0.0.0 0.0.0.0 10.14.130.253
ip route 10.0.0.0 255.0.0.0 10.14.130.244
ip route 10.250.130.0 255.255.255.0 10.14.130.253
ip route 10.251.130.0 255.255.255.0 10.14.130.253
ip route 10.255.236.0 255.255.252.0 5.20.87.176
ip route 147.152.20.0 255.255.255.0 10.14.130.244
ip route 147.152.22.0 255.255.255.0 10.14.130.244
ip route 192.168.0.0 255.255.0.0 10.14.130.244

10.14.130.244 is the MPLS to our WAN. 10.14.130.253 is the ASA to the internet. The main network for clients in the office is 10.14.130.0, which is VLAN 14; the IP for VLAN 14 is 10.14.130.250, and when you telnet to that you get the core switch.

One of the things I tried last night was to put the Virgin Router into Modem mode, no difference at all.

Uberseehandel
Kind of a big deal

Be aware you may have to put the Virgin Superhub into modem mode. In any event, it is worth trying.
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
ww
Kind of a big deal

I don't see your static route for 100.100.100.0.

SimonReach
Getting noticed

Doesn't show up when I did show config, but I've just done a show ip route and the below came up.


OP-CORE-SW-01-CO#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.14.130.253 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.14.130.253
10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
S 10.0.0.0/8 [1/0] via 10.14.130.244
C 10.13.130.0/24 is directly connected, Vlan13
L 10.13.130.249/32 is directly connected, Vlan13
C 10.14.100.0/24 is directly connected, Vlan303
L 10.14.100.254/32 is directly connected, Vlan303
C 10.14.130.0/24 is directly connected, Vlan14
L 10.14.130.249/32 is directly connected, Vlan14
L 10.14.130.250/32 is directly connected, Vlan14
C 10.14.140.0/24 is directly connected, Vlan140
L 10.14.140.1/32 is directly connected, Vlan140
C 10.15.130.0/24 is directly connected, Vlan15
L 10.15.130.1/32 is directly connected, Vlan15
C 10.16.130.0/24 is directly connected, Vlan300
L 10.16.130.254/32 is directly connected, Vlan300
C 10.17.130.0/24 is directly connected, Vlan302
L 10.17.130.254/32 is directly connected, Vlan302
S 10.250.130.0/24 [1/0] via 10.14.130.253
S 10.251.130.0/24 [1/0] via 10.14.130.253
100.0.0.0/24 is subnetted, 1 subnets
S 100.100.100.0 [1/0] via 10.14.130.149
147.152.0.0/24 is subnetted, 2 subnets
S 147.152.20.0 [1/0] via 10.14.130.244
S 147.152.22.0 [1/0] via 10.14.130.244
S 192.168.0.0/16 [1/0] via 10.14.130.244

Just a quick update: having a static route back into the ASA, as well as the Core switch, I can now ping the internet from the home MX, which is another step forward. I still can't connect to the home laptop that is connected, though. The thing I find strange is that when I go into the Tools part of Appliance Status for the home MX, I can't ping the laptop, which is 100.100.100.2. If I click on the laptop in Clients and ping from there, it pings fine with a latency of 1 ms.

DCooper
Meraki Alumni (Retired)

Did you add any routes into the MX to point to your other networks? Anything that says "directly connected" other than the subnet the MX is on needs to be added to the MX to point back to the L3 switch.

DCooper
Meraki Alumni (Retired)

Are you doing full tunnel VPN? In the spoke VPN settings, is the default route checked? If so, my config above needs some tweaking.

SimonReach
Getting noticed

On the Office MX -

Site to Site VPN

Type - Hub

Local Networks - 10.0.0.0/8 (this will cover all of our offices and their subnets)

NAT Traversal - Automatic

Remote VPN participants - Hemswell (this is the home MX) with a subnet of 100.100.100.0/24

Under Route Table, there is 1 subnet of 100.100.100.0/24 via VPN peer: Hemswell

On the home MX -

Site to Site VPN

Type - Spoke

Hubs - Office - appliance and Default Route is ticked.

Local networks - 100.100.100.0/24 and use VPN is yes

NAT Traversal - Automatic

Remote VPN participants - Office - appliance with subnet of 10.0.0.0/8

Under route table - 100.100.100.0/24 via local LAN, 0.0.0.0/0 via 2 routes, 10.0.0.0/8 via VPN peer: office - appliance.

edit: Just a quick edit to say that under route table, everything has a green status.

DCooper
Meraki Alumni (Retired)

Can you PM me your serial number of the device so I can take a look? I want to make sure I'm giving you the right configuration change. My assumption is that we need to add in a default route 0.0.0.0/0 back out of the LAN side pointing to your L3 switch as the next hop. Just want to confirm that by looking at the setup in Dashboard.

DCooper
Meraki Alumni (Retired)

Add this route in on the L3 switch and you should be good to go.

ip route 100.100.100.0 255.255.255.0 10.14.130.149

Any new remote MXs or subnets/VLANs you configure will need a route on your L3 switch pointing back to the MX (10.14.130.149).

 

SimonReach
Getting noticed

Already done that a couple of days back, I'm afraid :). I added it back into the ASA as well, which resolved the internet DNS issue, and I was able to RDP from the home laptop to my work computer via IP. I still can't ping any hostnames on the 10.14.130.0 network but am able to ping hostnames on the 10.13.130 and 10.16.130 networks, so definitely a routing issue somewhere in the core switch. That is the final thing to get working, oh and I still can't connect or ping from the office network to anything on the home network apart from the home MX. The VOIP handset as well is really struggling, presumably because QoS isn't turned on.

ww
Kind of a big deal

If you can't ping from the home MX to the home laptop, you should check whether the home laptop (laptop firewall) is blocking the ICMP.

SimonReach
Getting noticed

On the ASA, there is a static route -

Inside - 100.100.100.0 255.255.255.0 10.14.130.149

On the Layer 3 Core switch, when doing a 'show ip route', I get

100.0.0.0/24 is subnetted, 1 subnets
S 100.100.100.0 [1/0] via 10.14.130.149

When doing a tracert from my computer to 100.100.100.1, I get:

10.14.130.250 - Core Switch

10.14.130.149 - Office MX

100.100.100.1 - Home MX

When doing a tracert from my computer to 100.100.100.2, I get:

10.14.130.250

10.14.130.149

Times out.

When doing a tracert from the Meraki dashboard on the home MX to 10.14.130.1, which is the office DNS, it jumps to 192.168.0.1 as the first hop and then times out. Not sure if that's right, or if it should jump straight from 100.100.100.1 to 10.14.130.149 for the first hop? I've checked all security and firewall settings on the home router and everything is turned off; I've also put the Meraki switch in a DMZ as well and it didn't change anything.

DCooper
Meraki Alumni (Retired)

So a couple of things.

1. On the Openfield VPN Settings, please remove the Local networks information you have put in there, 10.0.0.0/8. You don't need that information in there because you have the checkmark checked on the remote site for a full tunnel VPN. So no matter what, that remote site is sending traffic back via a full tunnel VPN regardless of that setting. That setting is only for split-tunnel modes, for remote sites to tell them what subnets reside back at your headend.

2. Make sure your PC is NOT connected to the wifi; it looks to be connected wired. If it is, which I suspect, it will respond to the wireless gateway as opposed to the MX for any traffic that isn't on its L2 segment.

SimonReach
Getting noticed

Happy to report everything is now running happily. A few issues with a couple of firewalls, both the Windows and the Kaspersky firewalls we have, and a couple of static routes needed putting in, but everything is now working fine.

I tried a VOIP phone from home and it would register, but as soon as I tried to log into the VOIP phone it struggled to do anything; that's something I'll investigate another time.

Reading up, it's looking like the best setup for us, with the home users and the small branch office with ADSL, is to set up Z1s and Z3s instead of MXs. With about 5 of the Z series that we'll roll out to people, covering between 5-10 clients, is it worth having anything other than an MX64 in our server room here?

Uberseehandel
Kind of a big deal

@SimonReach

Glad to hear everything is getting sorted out.

I would observe that the Z1 only does IEEE 802.11n and that both the Z1 and the Z3 only offer the Enterprise Security option, not the Advanced.

Personally, I would choose the Z3 over the Z1. For a modem I find the Draytek Vigor 130 to have good throughput and the ability to configure itself to suit the different UK ISPs.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel