Meraki

Community

Subnet exception to VPN tunnel (for home printers)

Aaron_Wilson
A model citizen
‎Jul 20 2019 7:59 PM
‎Jul 20 2019 7:59 PM

Subnet exception to VPN tunnel (for home printers)

Scenario is Z3 at home (10.10.0.0), plugged into home router (192.168.1.1/24). AutoVPN has default route enabled so all traffic is tunneled back to data center for proper inspection/internet egress.

 

Is there a way to add the 192.168.1.1/24 route to a tunnel exception so home personal printers may be used from the Meraki subnet (10.10.0.0)? Essentially, a static route with next hop being WAN uplink.

 

If you remove default route for the Z3 VPN to the DC hub it works perfect with home printer, but then *all* internet traffic egresses locally from home ISP, not via the DC.

 

As soon as you enable default route on the VPN all internet traffic goes to the DC and you lose home printing.

0 Kudos
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 21 2019 1:06 AM
‎Jul 21 2019 1:06 AM

On the whole no ...

 

But it is available in a public beta release of the code.  Can't remember which version.  You would also need to raise a support ticket to have support add the exception.

0 Kudos
In response to PhilipDAth
Aaron_Wilson
A model citizen
‎Jul 21 2019 3:40 AM
‎Jul 21 2019 3:40 AM

The NAT exception option? If so, I couldn't quite figure it out.
0 Kudos
In response to Aaron_Wilson
Uberseehandel
Kind of a big deal
‎Jul 21 2019 3:55 AM
‎Jul 21 2019 3:55 AM

Plug the printers into the "home router", not the Z3, if you don't want the boss seeing your "holiday snaps".

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
Aaron_Wilson
A model citizen
‎Jul 21 2019 4:49 AM
‎Jul 21 2019 4:49 AM

They are plugged into the home network, hence the issue when enabling default route for the Z3 🙂
0 Kudos
In response to Aaron_Wilson
Uberseehandel
Kind of a big deal
‎Jul 21 2019 6:57 AM
‎Jul 21 2019 6:57 AM

I like to keep thing really simple - keep the corporate stuff apart from the "home network". Having an installed home router ahead of the Z3, it is a no brainer to attach home network devices to the "home router" and reserve the Z3 for corporate use. If you have a laptop that you use personally as well as for corporate matters, it is simple enough to switch between WIFi networks. If printers are shared between corporate and home, then with any luck the printers in question have email functionality available, so you just email what is to be printed to the printer.

 

It is like the separation of church and state.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
Aaron_Wilson
A model citizen
‎Jul 21 2019 7:25 AM
‎Jul 21 2019 7:25 AM

Understood, but thats not the question at hand. Also, it's not just printers, the printer was just a simplistic example.

The ask really is how to tunnel all traffic except specific subnets which should go WAN uplink, the exact same feature the Cisco AnyConnect client can do. Meraki defaults to WAN uplink if tunnel all is disabled and nothing in the route table matches, so how do you accomplish this when tunnel all is enabled or a larger supernet route exists (ignoring the specific use cases)?
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.