Thank you for replying. It doesn't, but as I said, I assumed that once connected, the upstream firewall was effectively bypassed. I'm obviously confused about this. Should this rule be incoming or outgoing? What source or destination? I have a general web access rule for the LAN, which I've expanded to include the VPN subnet, but the LAN subnet isn't mentioned in any other rule.

I feel stupid, because you've made me realise I never looked at Help -> Firewall info whilst in passthrough mode.

I dont really understand how your setup was before. Because moving from mx in routed mode to passthrough you lose all vlans and routing the the mx. Only the wan1 interface can do some routing.

So you would need to set a route for the vpn subnet to that wan1 interface address

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

The setup is (to me) simple. A client on the internet connects to the MX Client VPN to use resources on the LAN. Previously the MX was the router/gateway/firewall. Now the connection comes through a Firewall (now the gateway for the LAN) which has rules to direct VPN (UDP 500,4500) traffic to the MX, and the connection is made succesfully, but with no ability to ping any device, internal or external.

Because these connections are inbound, and have already made it past the firewall, I don't understand why I'd need to include any more firewall rules. The VPN subnet has rules to allow external access, but even without this, I should be able to ping, eg. the MX when connected to the VPN, shouldn't I? I can't.

If I need to add a static route to enable the VPN traffic to get to those devices, where do I add it? I can't do this on the MX in passthrough mode.

I've managed to fit in a test this morning, and couldn't get a connected VPN to register any data on the MX packet capture tool. The Help -> Firewall info page didn't show me any firewall rules that I don't already have in place.

I think that the step I'm missing is static routing on the Fortigate, that would normally be handled by the MX in routed mode. Does this sound right?

Yes, you need to add a static route on the fortigate. Like:  route <client vpn subnet> <meraki mx ip>

Again, thanks for clarifying this. Unfortunately I couldn't add a static route to the MX (10.222.0.255). The Fortigate said it would be unreachable, as it wasn't in the subnet of the LAN interface (198.18.209.107/29).

I tried adding policy routes instead for the Client VPN subnet; one on the LAN interface for LAN traffic to the LAN subnet, and one on the WAN interface for 0.0.0.0/0 for internet. I was then unable to connect to the VPN at all. The MX event log showed an incoming connection, but I think it was unable to relay anything back to the client to confirm.

I really am in the dark, and the ISP support is not responding at the moment. The Fortigate logs show nothing at all; I think they've been disabled by the ISP.

The MX and the Fortigate MUST share at least one subnet in common - otherwise how is the MX getting to the Internet?  Whatever that IP address is on the MX - the static route needs to be via that.

Whatever is the default gateway for the MX400 will need a route for the client VPN pointing to the MX.

If that happens to be the other firewall, then it may also need firewall rules to allow the traffic in and out the same interface (not enough information to give an answer here).

Check what the firewall says it is blocking.