Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Port forward to a VLAN not working

Chazz
Just browsing
‎Jul 14 2021 1:21 PM
‎Jul 14 2021 1:21 PM

Port forward to a VLAN not working

I have an MX84 set up with 4 VLANs: #1 for management, 10 "private" for wired hardware, 50 "guest" for the wireless guest network, and 75 for the "dmz" VOIP phones. Each VLAN has a disjoint range of IP addresses and its own DHCP server. There are firewall rules in the Meraki that prevent packets from traversing from one VLAN to another; the VLANs are set up by hardware port. What I want to do is connect an SSH session from outside to a specific machine on the private VLAN, and I set up a port forward to do that: TCP and UDP packets from my address and port 22 are forwarded to the specific machine I want to connect to, also port 22. The problem is that they don't seem to get there. I'm unsure how to tag a session as belonging to VLAN 10 from outside, but the target machine is in VLAN 10 and I am specifying its address. I believe the modem in front of the Meraki is transparent; the Meraki's external IP is routable, and I do have control over its settings from outside.

 

Any suggestion as to what I might be overlooking?

0 Kudos
Subscribe
9 Replies 9
ww
Kind of a big deal
Kind of a big deal
‎Jul 14 2021 1:39 PM
‎Jul 14 2021 1:39 PM

Can you post a picture of the port forward config.

 

And what is the "specific machine" ip address?

 

Are you testing  from another public ip address/location?

 

0 Kudos
Subscribe
In response to ww
Chazz
Just browsing
‎Jul 14 2021 1:53 PM
‎Jul 14 2021 1:53 PM

I don't know if I can, I may be too new here to include files. But if it works, here's the forwarding rules:

merakirules.png

The IP ranges for the VLANs are 192.168.100.0/24 for VLAN 1 (Management), 10.3.1.1/24 for VLAN 10 (Private), 192.168.50.0/23 for 50 (Guest), and 192.168.75.0/24 for 15 (DMZ / Phones). As you can see, the specific address I'm trying to connect to is 10.3.1.107, in VLAN 10. My current address is in the image, and while I don't really want to reveal my client's IP, they're a 70.x.x.x address, so I am trying to connect from an outside address.

0 Kudos
Subscribe
In response to Chazz
ww
Kind of a big deal
Kind of a big deal
‎Jul 14 2021 2:27 PM
‎Jul 14 2021 2:27 PM

I would start a packet capture on the wan port. With filter "port 22"   Then try to connect the ssh session. And see it the packets arrive. 

 

 

If they do, start same kind of capture on the lan side. To see packets are send to 10.3.1.107

0 Kudos
Subscribe
In response to ww
Chazz
Just browsing
‎Jul 14 2021 2:47 PM
‎Jul 14 2021 2:47 PM

It it possible to tell an MX84 (firmware 14.34) to capture WAN packets? I mean, I can pull up a copy of Wireshark, but then I have to disrupt the client's internet while I patch that machine in... makes things a whole lot easier if I can just tell the appliance to show me those packets.

0 Kudos
Subscribe
In response to ww
Chazz
Just browsing
‎Jul 14 2021 2:59 PM
‎Jul 14 2021 2:59 PM

Alas, I don't have that option. Under Network-wide / Monitor, I have only Clients, Summary Report, and Map & Floor Plans.

0 Kudos
Subscribe
In response to Chazz
cmr
Kind of a big deal
Kind of a big deal
‎Jul 14 2021 3:12 PM
‎Jul 14 2021 3:12 PM

@Chazz you don't appear to have full admin access, you'll need that for packet capture.  Also 14.34 is a rather old firmware, the 14 release train is on .56 and there are 15.x, 16.x and even 17.x release trains in production use right now.

0 Kudos
Subscribe
In response to cmr
Chazz
Just browsing
‎Jul 14 2021 3:21 PM
‎Jul 14 2021 3:21 PM

So I am somewhat screwed then, I guess. The Meraki is owned by our ISP and that's all the access we have; I don't know even if I can trigger a firmware update at this point, not being admin.

 

For what it's worth, I've set up port forwarding with other firewalls, and it has just worked; I can SSH into a number of different systems from here, so I know that my end of the setup is functional. And I've connected via SSH from in house, from a machine connected to the wired private network. It's only traversing the Meraki that is being problematic.

 

I guess I have to go pay the ISP for a TS call on this now...

0 Kudos
Subscribe
In response to Chazz
cmr
Kind of a big deal
Kind of a big deal
‎Jul 14 2021 3:33 PM
‎Jul 14 2021 3:33 PM

@Chazz I'd log it as a fault - the firmware you are on is unsupported by Meraki (their support would ask you to upgrade it as a first task) and you appear to have configured the MX rule correctly.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.