cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

WE Need IPV6 Support in MX

SOLVED
Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

at least some progress at the backend:

Selection_999(3501).png

 

anyway, i request a *much higher* frequency of updates. once every three months, that's way too less!

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

nothing new here:

 

root@www:~# host dashboard.meraki.com
dashboard.meraki.com is an alias for n1.meraki.com.
n1.meraki.com is an alias for sdg333.meraki.com.
sdg333.meraki.com has address 108.161.147.44

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

root@www:~# host dashboard.meraki.com
dashboard.meraki.com has address 108.161.147.44
dashboard.meraki.com has IPv6 address 2620:12f:c000:0:92e2:baff:fecd:3f94
Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

When the time comes, I would be interested in beta testing IPV6 for MX or other hardware.

 

I have Charter as an ISP and when I was using a Soniclwall firewall I had four IPV6 subnets.  The MR33 was able to get an IPV6 address from the Sonic wall, and devices in the WiFi also could get IPV6 addresses.

 

 

- Dave

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

The failure of Meraki to support IPv6 in a timely manner is now really causing me big issues. 
COVID-19 has caused my company to send everyone to work from home and VPN into the office. 
Of course, many of the users who have never had to use our VPN are trying to use it and discovering they can't due to IPv6. 

I've had to bung in a couple of pfSense firewalls in on spare IP addresses (using 2 retired Dell servers) and give these users OpenVPN for connectivity. I'm now wondering when it comes to license renewal time, why I should bother as we now have 2 perfectly serviceable pfSense firewalls in place with auto failover, VPN, Suricata, pfBlockerNg, and fully supporting IPv6. The only downside being that they're far more difficult to manage and configure than our MXs.

 

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

Just for info.  I have been having the same issue.  If users are getting IP v6 addresses, Telstra (Australia)  IPV6 to ipv4 GW does not support L2tp VPN.  What I have found is if I disable the IPV6 protocol on the WIFI or Ethernet adapter that the VPN is running on  then the device gets and IP v4 address and the GW is bypassed and it works.   but we do need IPV6 support and a Better VPN client for windows  ASAP.  it is Meraki biggest short coming.   Need Client VPN to work like SDWAN does.  "It just works"  without me having to team viewer to clients machine to set it up every time.

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

@Meraki-PM-Team, this is a serious situation RIGHT NOW!

 

in the name of all your patient and loyal customers and resellers: PROVIDE A QUICK FIX RIGHT ***NOW***!

 

focus on the client VPN part and LET OUR USERS - WHO *WANT*/*NEED* TO WORK FROM HOME IN THIS DIFFICULT AND URGENT SITUATION - ACCESS OUR INTERNAL NETWORKS!!!

 

i am currently stopping linux updates of libreswan, because DH2/modp1024 is not anymore supported as of v3.30 (February 2020) "pluto: Disable support for DH2/modp1024 at compile time [Paul]", but required by client VPN. ipsec supports more then 1 ike algo in phase1, but support can only *switch* to DH14/modp2048.

 

… and by the way, the docs on https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method do still speak about DH5/modp1536 which is not possible to switch to regarding the support team. [Case 04926942].

Highlighted
Conversationalist

Re: WE Need IPV6 Support in MX

Hopefully some of Meraki’s team will be able to concentrate more on getting this sorted if they are working from home themselves!!!

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

I'm getting ready to pitch the OpenVPN Access Server seriously at work right now due to this. Most people don't have an issue connecting, but when they do I have to rebuild the damn VPN connection every time 😞
Highlighted
Here to help

Re: WE Need IPV6 Support in MX

@CharlieCrackle 
"Just for info.  I have been having the same issue.  If users are getting IP v6 addresses, Telstra (Australia)  IPV6 to ipv4 GW does not support L2tp VPN.  What I have found is if I disable the IPV6 protocol on the WIFI or Ethernet adapter that the VPN is running on  then the device gets and IP v4 address and the GW is bypassed and it works.   but we do need IPV6 support and a Better VPN client for windows  ASAP.  it is Meraki biggest short coming.   Need Client VPN to work like SDWAN does.  "It just works"  without me having to team viewer to clients machine to set it up every time."

That works for BT over here in the UK but not for Sky Internet and for some inexplicable reason we have many users on Sky.  

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

Selection_999(3766).png

Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

nikiwaibel

 

I agree with your sentiment. But for a VPN to work over IPV6, the MX would need to have have IPV6 address management, subnet management, routing management and perhaps even 6 to 4 and 4 to 6 if your internal network is IPV4 only.

 

The next update from Meraki on IPV6 will come in April.  Perhaps there will be an Alpha or Beta then.

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

We now have half of our employees using my thrown together pfSense/OpenVPN solution due to the IPv6/VPN issues with the Meraki MX. It's not looking good for license renewal for Meraki right now. We may as well just move everyone over and wave Meraki good bye and send the other guys who assist me with infrastructure on pfSense courses. It won't be easy to persuade the boss to pay up after all the grief we've been having. 

 

 

 

Highlighted
Conversationalist

Re: WE Need IPV6 Support in MX

Personally, to use Meraki MX as my home office firewall, these are the IPv6 features I am using now with "not-an-MX" and am looking for in an MX.

- Prefix Delegation with Prefix Hint
- Dynamic assignment of delegated /64 prefixes from the larger /60 or /56 (see hint) to different interfaces - some physical some VLAN
- DHCPv6-lite to hand out DNS (others, NOT Android)
- RDNSS to hand out DNS (Android, others)
- Option to use either delegated or "system" DNS for DHCPv6-lite / RDNSS

That gets me going as a replica of my current setup. 

Nice to have would be:
DNS64/NAT64 including the ability to have that work from PD-assigned prefixes

And of course v6 firewalling / content inspection / VPN features.

I know the potential list of v6 capabilities is far greater, and Enterprises will have an additional wish list. The above is what I consider "the essentials" for a SOHO setup.

All opinions mine, not speaking as an employee, and so on.

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

I am running out of solution for customers now.   Telstra is Australia is using IPV6 on their  mobile network with a IP6 to IP4 GW  which does not support l2tp VPN

 

Up till now I have been disabling IPV6 on the client to get around this

 

I now have IOS devices with the same issue and you can NOT disable IPV6 on IOS.  so VPN on IOS does not work any more.

 

Need IPV6 support   or anyconnect VPN client support..  URGENTLY  as now supplying non meraki gear to fix these issues.

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

I had to put the Meraki in Pass through mode, and using PFSense on my front end for Router, there I configure VPN. Open VPN etc.  Then use Ipsec as forwards to the Meraki so its still in play.

I have brand new MX100 sitting on rack waiting for iPV6 Options till then pfsense is boss.

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

@Dudleydogg Given the VPN issues we are seeing with our MX64 I am really close to switching to a pfSense box at the office. We are all work from home right now and most people have multiple VPN pauses a day, not working too well for us 😞

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

We've migrated nearly everyone over to the pfSense/OpenVPN I set up on a couple of old Dell servers we had lying around. We're getting much more reliable connections and don't have any IPv6 issues. The number of support calls has really dropped and the pfSense servers are hardly breaking a sweat. 

 

 

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

@AAVH, given how pfSense is currently offering FREE “zero to ping” its really tempting to me.
Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

smccloud1,

Please keep in mind that the specs for a MX64 is a maximum of 50 concurrent VPN users and a total of 100mbps VPN throughput.

- Dave

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

@DHAnderson We have around 36 users and a 50Mbps connection, and problem happens even with a single user on the VPN.
Highlighted
New here

Re: WE Need IPV6 Support in MX

I to have abandoned Meraki and went Fortigate firewall and Ubiquiti switches/wifi.  If anyone needs Fortigate pricing let me know.

Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

micah-cmedics,

This board is for Community based support for Meraki, not a general product board. Please refrain from trying to sell competing products here.
Highlighted
Here to help

Re: WE Need IPV6 Support in MX

Interesting you mentioned the Fortigate. We just moved most our equipment to them. Couldn't be happier. Full IPv6 support. And the VPN works great. Certainly a larger learning curve but if you already know firewalls this is the way to go.

 

Also, the security is muuuuuch better on the Fortigate. We ran a a test and put a fortigate between our MX our our switches with port mirroring on to see what the MX was missing. In 7 days the MX missed over 34,000 IPS attemps. Pretty sad.

 

I love my Meraki's don't get me wrong... but..... they are way way behind now. Its sad to watch such a great brand die.

Highlighted
New here

Re: WE Need IPV6 Support in MX

Its not too bad, meraki is allow all and block things you dont want, where fortigate is more of granular allow what you want and get very specific, but its not over daunting.

 

i have used all the firewall players over the years and currently very happy.  I would love to see meraki do something, its really is that with current times, to little to late.

Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

micah-cmedics
 
The main strength of Meraki is that they are cloud managed from the start.  They did not take a local managed device, slap a dongle on it and make a the same dated interface in the cloud. 

The second strength of Meraki is the Dashboard.  All devices, all clients. The Dashboard benefits goes on and on.

The third strength of Meraki is zero touch deployment.  Configure the device once you get Claim key.  The device lands is some distance city, or state, or country and gets mounted and powered up and is working in minutes.  And there it is, in the Dashboard.

The 4th strength of Meraki is the extras, the API, Insight and Systems Manager.

So while an individual piece of Meraki hardware may be missing a feature, the overall benefit is still tremendous compared to competitors.
Highlighted
Here to help

Re: WE Need IPV6 Support in MX

I totally agree. The remote management and ease of configuration on the Meraki devices is absolutely brilliant. Saves me a world of headaches in that I can delegate management to other guys without needing to send them on courses or hold their hands. And if there is a visit from Captain Cockup you can always fix it remotely. Something no other firewall devices have that I'm aware of. Its a great comfort blanket. 

However, despite all those wonderful features (which is why we all bought Meraki in the first place), if they don't fulfil a fundamental functionality need you have right now then they may as well be paperweights and right now that's what they are for my company with the entire company working from home. We've migrated everyone to pfSense/OpenVPN due to the issues with Meraki client VPN. 

 

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

We have a 100MBit Internet connection and a 20 user maximum at any one time as the company operates in two shifts. We've been peaking at about 15 users and averaging 10 or 11 since the outbreak.  

 

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

Meraki Team, Please show this thread to management. IPv6, IKEv2 and Anyconnect for client VPN are HUGE missing features. You see many customers a jumping ship because they have no choice they are complaining because they WANT to continue to use the product but can't. We know you are working on it but we as customers need/deserve a roadmap and timeline of when these features will be live so we can plan accordingly. Please no more an update in x months.

Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

In their February IPV6 update, Meraki said that if they stay on schedule, there will be "exiting" news in April.  Let's hope they are staying on schedule!

 

 

Highlighted
Here to help

Re: WE Need IPV6 Support in MX

@DHAnderson you mean they will start on it in April?
Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

smccloud1,

No. In the IPv6 @ Meraki they did not mention what the exciting news was, just that there would be some, if schedules go as planned. Given the shift to working at home due to Covid19, I would be surprised if schedules don't slip.

They also stated there could be beta testing over the next couple of months, so the news could be a formal announcement of a beta plan.

We have 30 days to find out

Highlighted
Meraki Employee

Re: WE Need IPV6 Support in MX

Hi Everyone!

 

I am a long time lurker not poster, but here goes since I noticed an update in the IPv6 @ Meraki thread and wanted to get it in front of everyone in this thread as some may not be aware off or following the update thread.


TLDR: Improvements to client VPN functionality to handle IPv6 only clients to connect through a NAT64 from their providers

https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/81683/highlight/true#M1465

If you have IPv6 only connectivity and are leveraging NAT64, I urge you to share it with the community your ISP and if your setup works or doesn't.

 

Stay safe & healthy!

 

Cheers,

 

-Raul

Highlighted
New here

Re: WE Need IPV6 Support in MX

Hi Hi together!
Big thanks to you Meraki Guys and that finally started to implement IPv6!
Recognized it round about a week ago, when my switch got an IPv6 addresse after a reboot.

Just Lovely!

 

For your request:

ISP:
1&1 Versatel Germany

Outgoing connections:
All perfect

 

Ingoing:
Client to FW
-not possible-

Highlighted
Conversationalist

Re: WE Need IPV6 Support in MX

What model switch and what version firmware?

Highlighted
Building a reputation

Re: WE Need IPV6 Support in MX

Before I replaced my Sonicwall firewall with a MX65, I had it setup to get an IPV6 /60 subnet from Charter. My MS220-8P and MR33 picked up the correct subnet and IPV6 addresses.  They also passed on Router Announcements to clients who also got IPV6 addresses on the correct subnet.

 

So while there may be more work on the complete product line, the big push is most likely re-architecting the MX to support a new more complex IP protocol, and the work they have done making sure the Meraki site, dashboard and backend support IPV6.

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

My switches used to have IPV6 addresses and it went away and the setting is grayed out now.

what did you do to enable this feature?

Highlighted
Getting noticed

Re: WE Need IPV6 Support in MX

currently MX seem not yet support IPV6 solution
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.