How to allow traffic from VPN vlan to local vlans

I have only recently succeeded in establishing a VPN connection from a client PC to my Meraki.

The specified VLAN for the VPN is My clients have to access servers in my local VLANs. These are and

Do I set this up under port forwarding or under the Firewall? Can you please show an example of how to do it properly?

Second question: is there a way to give some clients access to one local VLAN but not the other, and vice versa?

You can restrict VPN clients' access to local LAN servers by using L3 firewall rules.

See example 2 at the bottom of the following doc
As for your second question, it's only possible using Meraki group policies. You'll need to create two (or more) group policies with the applicable firewall rules. You'll then need to login to the VPN as the user so the client shows up in the dashboard, and then assign the policy to the client.

Not particularly elegant but it will work.

Sadly, group policies linked to AD groups isn't supported for users logging in via VPN.
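The answer above describes two mechanisms: network-wide L3 firewall rules to restrict what the VPN pool can reach, and per-user group policies (assigned manually after the user has connected) to give different users different VLANs. The following is an added example, not code from the thread or from Meraki, that models both as plain Python so you can see how the MX evaluates them: first matching rule wins, and the implicit last rule on the MX L3 list is "allow any", so an allow rule added on its own changes nothing. The subnets are hypothetical RFC 5737 ranges standing in for the poster's (which are not shown), the network/client/policy IDs are made up, and the Dashboard API v1 request shapes are written from memory and should be verified against the API documentation before use.

```python
"""Model Meraki MX L3 firewall rules and client-VPN group policies.

Added example (not from the thread or from Meraki). Subnets, IDs and names
are hypothetical; API shapes follow Dashboard API v1 as recalled, verify.
"""
import ipaddress

# Constructed, hypothetical addressing (RFC 5737 documentation ranges).
VPN_POOL = "192.0.2.0/24"        # client VPN address pool
VLAN_FILES = "198.51.100.0/24"   # VLAN holding the NAS / Server1
VLAN_SQL = "203.0.113.0/24"      # VLAN holding the SQL server


def _cidr_match(addr, cidr_list):
    """True if addr falls in any CIDR of a Meraki-style 'a,b,c' list or 'any'."""
    if cidr_list.strip().lower() == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in cidr_list.split(","))


def evaluate(rules, src, dst, default="allow"):
    """First-match evaluation of an L3 rule list (ports/protocol ignored here).

    The MX ends its L3 outbound list with an implicit 'allow any', so with no
    deny rule above it, traffic is already allowed: adding an explicit allow
    rule, as the original poster did, does not change the decision.
    Group-policy rules carry no srcCidr (the source is the client itself), so
    a missing srcCidr is treated as 'any'.
    """
    for r in rules:
        if _cidr_match(src, r.get("srcCidr", "any")) and _cidr_match(dst, r["destCidr"]):
            return r["policy"]
    return default


def network_rule(policy, src, dst, comment):
    """One entry for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules."""
    return {"comment": comment, "policy": policy, "protocol": "any",
            "srcPort": "any", "srcCidr": src, "destPort": "any",
            "destCidr": dst, "syslogEnabled": True}


def vpn_restriction_rules():
    """Network-wide restriction: VPN clients may reach the file VLAN only.

    Order matters: the allow must sit above the deny, and the deny is what
    actually changes behaviour relative to the default."""
    return [
        network_rule("allow", VPN_POOL, VLAN_FILES, "VPN -> file servers"),
        network_rule("deny", VPN_POOL, "any", "VPN -> everything else"),
    ]


def group_policy_body(name, allow_cidr, deny_cidrs):
    """Per-user policy: allow one VLAN, deny the others.

    Body for POST /networks/{networkId}/groupPolicies (shape as recalled;
    verify against the API docs). Group-policy L3 rules have no srcCidr."""
    rules = [{"comment": f"allow {allow_cidr}", "policy": "allow",
              "protocol": "any", "destPort": "any", "destCidr": allow_cidr}]
    rules += [{"comment": f"deny {c}", "policy": "deny", "protocol": "any",
               "destPort": "any", "destCidr": c} for c in deny_cidrs]
    return {"name": name,
            "firewallAndTrafficShaping": {"settings": "custom",
                                          "l3FirewallRules": rules}}


def assign_policy_request(network_id, client_id, group_policy_id):
    """Manual assignment after the user has connected once; the VPN client
    must already be visible in the dashboard. Returns (method, path, body)."""
    return ("PUT", f"/networks/{network_id}/clients/{client_id}/policy",
            {"devicePolicy": "Group policy", "groupPolicyId": str(group_policy_id)})


if __name__ == "__main__":
    rules = vpn_restriction_rules()
    for dst in ("198.51.100.20", "203.0.113.20"):
        print("VPN client -> %s: %s" % (dst, evaluate(rules, "192.0.2.10", dst)))
    sql_only = group_policy_body("VPN-SQL-only", VLAN_SQL, [VLAN_FILES])
    gp_rules = sql_only["firewallAndTrafficShaping"]["l3FirewallRules"]
    print("SQL-only user -> file VLAN:", evaluate(gp_rules, "192.0.2.11", "198.51.100.20"))
    print(assign_policy_request("N_123", "k74272e", 101))  # hypothetical IDs
```

To apply this for real, the two policies ("files only" and "SQL only") are created once, then each VPN user connects once so the client appears in the dashboard, and the assignment is made per client; as the thread notes, the policy is tied to the VPN username, not to a MAC address.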

I don't understand. I don't want to restrict access. I want to allow it. How do I allow it?

I am now connected as When I ping I don't get a ping. When I try to access with my file explorer it cannot find that IP. How do I reach it?

I have added a rule to the Layer 3 firewall like this:

This does not help. I still cannot access

Meraki VPN clients have access to all local subnets within the network by default.

Are you seeing an increase of hits on the deny all rule when running the test? What is the local IP (non-VPN) of your test machine?

You could try a Meraki packet capture to see if the ping packets are making it across the VPN.

My laptop is on wifi at the moment to test VPN connectivity; here are the wifi and VPN IPs:

I have (for now) changed the block rule to allow, for testing.
Do you have a route on the MX for the network? (Security and SD-WAN -> Route table)

And similarly, do you have routes in the rest of your network to route back to the network via the MX?

Do you have any group policies set on the client you're testing from?
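The two routing questions above (does the MX have a route to the server's VLAN, and does the rest of the network have a route back to the VPN pool via the MX) come down to a longest-prefix-match lookup on each hop. The following is an added example, not code from the thread or from Meraki, that traces a server's reply to a VPN client across a small constructed topology: one where the server's default gateway is the MX (works), and one where a core switch routes the server VLAN and its default route points at a separate internet router, so replies never reach the MX until a static route for the VPN pool is added. Addresses are hypothetical RFC 5737 ranges (the poster's are not shown) and next hops are device names rather than IPs to keep the tables readable.

```python
"""Trace the return path from a LAN server to a client-VPN address.

Added example (not from the thread or from Meraki). Topology, addresses and
device names are constructed; "connected" marks a directly attached prefix,
including the MX's client VPN pool, which the MX terminates itself.
"""
import ipaddress

VPN_POOL = "192.0.2.0/24"   # hypothetical client VPN pool

# Routing tables as (prefix, next_hop) lists, one per device.
DEVICES_OK = {
    # MX: both VLANs are connected, the VPN pool is terminated locally.
    "mx": [("198.51.100.0/24", "connected"),
           ("203.0.113.0/24", "connected"),
           (VPN_POOL, "connected")],
    # server1 sits on the file VLAN and defaults to the MX.
    "server1": [("198.51.100.0/24", "connected"), ("0.0.0.0/0", "mx")],
}

# Same MX, but a core switch routes the server VLAN and defaults to an ISP
# router we do not model: the reply to a VPN client leaves the network.
DEVICES_BROKEN = {
    "mx": DEVICES_OK["mx"],
    "server1": [("198.51.100.0/24", "connected"), ("0.0.0.0/0", "core")],
    "core": [("198.51.100.0/24", "connected"),
             ("203.0.113.0/24", "connected"),
             ("0.0.0.0/0", "isp-router")],
}


def lookup(table, dst):
    """Longest-prefix match over a (prefix, next_hop) list; None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def trace(devices, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`.

    Returns (hops, outcome). outcome is "delivered" when a hop has `dst` on
    a connected prefix, "no route" when a hop has no match, "leaked to X"
    when the packet is handed to a device we do not model, "loop" otherwise.
    """
    hops, cur = [start], start
    for _ in range(max_hops):
        nh = lookup(devices[cur], dst)
        if nh is None:
            return hops, "no route"
        if nh == "connected":
            return hops, "delivered"
        if nh not in devices:
            return hops + [nh], "leaked to %s" % nh
        hops.append(nh)
        cur = nh
    return hops, "loop"


def return_path_ok(devices, server, vpn_client):
    """The check asked above: does the server's reply reach the MX?"""
    hops, outcome = trace(devices, server, vpn_client)
    return outcome == "delivered" and hops[-1] == "mx"


def add_static_route(devices, device, prefix, next_hop):
    """Return a copy of the device map with one static route added."""
    fixed = {k: list(v) for k, v in devices.items()}
    fixed[device] = [(prefix, next_hop)] + fixed[device]
    return fixed


if __name__ == "__main__":
    client = "192.0.2.10"
    print("MX -> server VLAN:", lookup(DEVICES_OK["mx"], "198.51.100.20"))
    print("OK topology:", trace(DEVICES_OK, "server1", client))
    print("Broken topology:", trace(DEVICES_BROKEN, "server1", client))
    fixed = add_static_route(DEVICES_BROKEN, "core", VPN_POOL, "mx")
    print("After static route on core:", trace(fixed, "server1", client))
```

On a flat MX network where every VLAN's gateway is the MX, the first case applies and routing is not the problem; the second case is what the "routes in the rest of your network" question is probing for.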

I've not changed anything in the routing table; it is still on default settings and looks like this:

I do have several Group policies set up and the laptop in question is configured for one of these policies. But I must add that the Group policies are assigned by MAC address, and as the VPN is not using the MAC address of the LAN port on the laptop, I'm not sure that the Meraki will identify the laptop correctly. That being said, I'm not interested in using the internet through the Meraki. The laptop can use its own local internet as long as I can access the LAN on my office network.

Well, I suggest you try putting the machine on the allowed group policy and test again. It's not a route problem; probably a rule in your group policies is blocking the connection.

I use MAC addresses to add clients to a Group Policy. The VPN connection does not have a MAC address. How will I add a policy to it?

The client has connected to the VPN, right? So you can add it to a Group Policy.

Group Policies

It is possible to manually apply group policies to clients connected via client VPN. Group Policy applied to a client VPN user is associated with the username and not the device. Different devices that connect to client VPN with the same username will receive the same group policy. For more help on assigning or removing group policies applied to a client, refer to the Creating and Applying Group Policies document.

Note: It is not possible to assign group policies automatically once a user connects to client VPN.

Is it a non-Meraki VPN endpoint or a Meraki VPN?

If it is a non-Meraki VPN endpoint, does the endpoint on the other end need to allow its local networks?

There is an example of the configuration between a Cisco ASA and an MX Meraki (it's just an example, OK?).

So I am simulating a person working from home. That is a Windows laptop on a home wifi using VPN to connect to the office MX64.

At the office they must, for example, be able to access the local NAS drive, Server1 or Another user must be able to access a SQL server located at

The VPN only assigns a subnet that is not the same as the local VLAN's subnet, and I cannot find a way to add more than one subnet to the VPN. So I don't know what to do to access the local subnet/VLAN once logged in as a VPN user.

Maybe I'm missing something obvious, as everyone is telling me by default it is all accessible. However, the method of accessing it eludes me.
