at least some progress at the backend:
anyway, i request a *much higher* frequency of updates. once every three months, that's way too little!
nothing new here:
root@www:~# host dashboard.meraki.com
dashboard.meraki.com is an alias for n1.meraki.com.
n1.meraki.com is an alias for sdg333.meraki.com.
sdg333.meraki.com has address 184.108.40.206
When the time comes, I would be interested in beta testing IPV6 for MX or other hardware.
I have Charter as an ISP and when I was using a SonicWall firewall I had four IPv6 subnets. The MR33 was able to get an IPv6 address from the SonicWall, and devices on the WiFi also could get IPv6 addresses.
The failure of Meraki to support IPv6 in a timely manner is now really causing me big issues.
COVID-19 has caused my company to send everyone to work from home and VPN into the office.
Of course, many of the users who have never had to use our VPN are trying to use it and discovering they can't due to IPv6.
I've had to bung a couple of pfSense firewalls in on spare IP addresses (using 2 retired Dell servers) and give these users OpenVPN for connectivity. I'm now wondering when it comes to license renewal time, why I should bother as we now have 2 perfectly serviceable pfSense firewalls in place with auto failover, VPN, Suricata, pfBlockerNG, and fully supporting IPv6. The only downside being that they're far more difficult to manage and configure than our MXs.
Just for info. I have been having the same issue. If users are getting IPv6 addresses, Telstra (Australia) IPv6 to IPv4 GW does not support L2TP VPN. What I have found is if I disable the IPv6 protocol on the WiFi or Ethernet adapter that the VPN is running on, then the device gets an IPv4 address and the GW is bypassed and it works. But we do need IPv6 support and a better VPN client for Windows ASAP. It is Meraki's biggest shortcoming. Need Client VPN to work like SD-WAN does. "It just works" without me having to TeamViewer to the client's machine to set it up every time.
@Meraki-PM-Team, this is a serious situation RIGHT NOW!
in the name of all your patient and loyal customers and resellers: PROVIDE A QUICK FIX RIGHT ***NOW***!
focus on the client VPN part and LET OUR USERS - WHO *WANT*/*NEED* TO WORK FROM HOME IN THIS DIFFICULT AND URGENT SITUATION - ACCESS OUR INTERNAL NETWORKS!!!
i am currently stopping linux updates of libreswan, because DH2/modp1024 is no longer supported as of v3.30 (February 2020) "pluto: Disable support for DH2/modp1024 at compile time [Paul]", but required by client VPN. ipsec supports more than 1 ike algo in phase1, but support can only *switch* to DH14/modp2048.
… and by the way, the docs on https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method do still speak about DH5/modp1536, which is not possible to switch to according to the support team. [Case 04926942].
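Before letting a libreswan upgrade through, it helps to know which connections still depend on the small MODP groups named in the post above. The following is an added example, not code from the thread or from libreswan: a simplified parser for `ike=` lines in an ipsec.conf-style file, run over a constructed sample config; the connection names, proposals and the 2048-bit floor are assumptions.

```python
import re

# Group names as used in the post: DH2/modp1024, DH5/modp1536, DH14/modp2048.
DH_ALIASES = {"dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048"}
MIN_MODP_BITS = 2048  # assumption: local policy floor

# Constructed sample config (connection names and proposals are made up).
SAMPLE_CONF = """\
conn legacy-client-vpn
    # depends on the group that 3.30 disables at compile time
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
conn site-b
    ikev2=insist
    ike=aes256-sha2;dh14,aes128-sha1-dh5
conn modern
    ike=aes256-sha2;modp2048
"""

def audit_ike_lines(conf_text, min_bits=MIN_MODP_BITS):
    """Return (conn, proposal, group, bits) for each IKE proposal whose MODP group is below min_bits."""
    findings = []
    conn = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"\s*ike\s*=\s*(.+)", line)   # not ikev2= or ikelifetime=
        if not m:
            continue
        for proposal in m.group(1).split(","):     # several proposals per line
            proposal = proposal.strip()
            for token in re.split(r"[-;+]", proposal.lower()):
                group = DH_ALIASES.get(token, token)
                g = re.fullmatch(r"modp(\d+)", group)
                if g and int(g.group(1)) < min_bits:
                    findings.append((conn, proposal, group, int(g.group(1))))
    return findings

if __name__ == "__main__":
    for conn, proposal, group, bits in audit_ike_lines(SAMPLE_CONF):
        print(f"{conn}: proposal '{proposal}' uses {group} ({bits}-bit)")
```

Connections flagged with modp1024 are the ones that stop negotiating once the 3.30 package is installed; the rest can be upgraded independently.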
"Just for info. I have been having the same issue. If users are getting IP v6 addresses, Telstra (Australia) IPV6 to ipv4 GW does not support L2tp VPN. What I have found is if I disable the IPV6 protocol on the WIFI or Ethernet adapter that the VPN is running on then the device gets and IP v4 address and the GW is bypassed and it works. but we do need IPV6 support and a Better VPN client for windows ASAP. it is Meraki biggest short coming. Need Client VPN to work like SDWAN does. "It just works" without me having to team viewer to clients machine to set it up every time."
That works for BT over here in the UK but not for Sky Internet and for some inexplicable reason we have many users on Sky.
I agree with your sentiment. But for a VPN to work over IPv6, the MX would need to have IPv6 address management, subnet management, routing management and perhaps even 6 to 4 and 4 to 6 if your internal network is IPv4 only.
The next update from Meraki on IPV6 will come in April. Perhaps there will be an Alpha or Beta then.
We now have half of our employees using my thrown together pfSense/OpenVPN solution due to the IPv6/VPN issues with the Meraki MX. It's not looking good for license renewal for Meraki right now. We may as well just move everyone over and wave Meraki good bye and send the other guys who assist me with infrastructure on pfSense courses. It won't be easy to persuade the boss to pay up after all the grief we've been having.
Personally, to use Meraki MX as my home office firewall, these are the IPv6 features I am using now with "not-an-MX" and am looking for in an MX.
- Prefix Delegation with Prefix Hint
- Dynamic assignment of delegated /64 prefixes from the larger /60 or /56 (see hint) to different interfaces - some physical some VLAN
- DHCPv6-lite to hand out DNS (others, NOT Android)
- RDNSS to hand out DNS (Android, others)
- Option to use either delegated or "system" DNS for DHCPv6-lite / RDNSS
That gets me going as a replica of my current setup.
Nice to have would be:
DNS64/NAT64 including the ability to have that work from PD-assigned prefixes
And of course v6 firewalling / content inspection / VPN features.
I know the potential list of v6 capabilities is far greater, and Enterprises will have an additional wish list. The above is what I consider "the essentials" for a SOHO setup.
All opinions mine, not speaking as an employee, and so on.
I am running out of solutions for customers now. Telstra in Australia is using IPv6 on their mobile network with an IPv6 to IPv4 GW which does not support L2TP VPN.
Up till now I have been disabling IPv6 on the client to get around this.
I now have iOS devices with the same issue and you can NOT disable IPv6 on iOS, so VPN on iOS does not work any more.
Need IPv6 support or AnyConnect VPN client support.. URGENTLY as now supplying non-Meraki gear to fix these issues.
I had to put the Meraki in pass-through mode, and am using pfSense on my front end for router; there I configure VPN, OpenVPN etc. Then use IPsec as forwards to the Meraki so it's still in play.
I have a brand new MX100 sitting on the rack waiting for IPv6 options; till then pfSense is boss.
@Dudleydogg Given the VPN issues we are seeing with our MX64 I am really close to switching to a pfSense box at the office. We are all work from home right now and most people have multiple VPN pauses a day, not working too well for us 😞
We've migrated nearly everyone over to the pfSense/OpenVPN I set up on a couple of old Dell servers we had lying around. We're getting much more reliable connections and don't have any IPv6 issues. The number of support calls has really dropped and the pfSense servers are hardly breaking a sweat.
Interesting you mentioned the Fortigate. We just moved most of our equipment to them. Couldn't be happier. Full IPv6 support. And the VPN works great. Certainly a larger learning curve but if you already know firewalls this is the way to go.
Also, the security is muuuuuch better on the Fortigate. We ran a test and put a Fortigate between our MX and our switches with port mirroring on to see what the MX was missing. In 7 days the MX missed over 34,000 IPS attempts. Pretty sad.
I love my Merakis, don't get me wrong... but..... they are way way behind now. It's sad to watch such a great brand die.
It's not too bad. Meraki is allow all and block things you don't want, where Fortigate is more of granular allow what you want and get very specific, but it's not overly daunting.
I have used all the firewall players over the years and am currently very happy. I would love to see Meraki do something; it really is that, with current times, too little too late.
I totally agree. The remote management and ease of configuration on the Meraki devices is absolutely brilliant. Saves me a world of headaches in that I can delegate management to other guys without needing to send them on courses or hold their hands. And if there is a visit from Captain Cockup you can always fix it remotely. Something no other firewall devices have that I'm aware of. It's a great comfort blanket.
However, despite all those wonderful features (which is why we all bought Meraki in the first place), if they don't fulfil a fundamental functionality need you have right now then they may as well be paperweights and right now that's what they are for my company with the entire company working from home. We've migrated everyone to pfSense/OpenVPN due to the issues with Meraki client VPN.
We have a 100MBit Internet connection and a 20 user maximum at any one time as the company operates in two shifts. We've been peaking at about 15 users and averaging 10 or 11 since the outbreak.
Meraki Team, please show this thread to management. IPv6, IKEv2 and AnyConnect for client VPN are HUGE missing features. You see many customers are jumping ship because they have no choice; they are complaining because they WANT to continue to use the product but can't. We know you are working on it but we as customers need/deserve a roadmap and timeline of when these features will be live so we can plan accordingly. Please no more "an update in x months".
In their February IPv6 update, Meraki said that if they stay on schedule, there will be "exciting" news in April. Let's hope they are staying on schedule!
I am a long time lurker not poster, but here goes since I noticed an update in the IPv6 @ Meraki thread and wanted to get it in front of everyone in this thread as some may not be aware of or following the update thread.
TLDR: Improvements to client VPN functionality to handle IPv6-only clients to connect through a NAT64 from their providers.
If you have IPv6-only connectivity and are leveraging NAT64, I urge you to share with the community your ISP and whether your setup works or doesn't.
Stay safe & healthy!
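To report whether a provider really puts clients behind NAT64, the usual check is the RFC 7050 lookup: ask the provider's resolver for AAAA records of `ipv4only.arpa` and see whether a well-known IPv4 address is embedded in the answer. The following is an added example, not part of the thread or of any Meraki tooling; it takes already-resolved answers so it runs offline, and the sample answers and the gateway address 203.0.113.10 (a documentation address) are constructed.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has only these two A records, so any AAAA answer
# for it was synthesized by the provider's DNS64 and embeds one of them.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)  # lengths allowed by RFC 6052

# Constructed sample: answers a client behind the well-known prefix would see.
SAMPLE_AAAA = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]

def _v4_byte_positions(plen):
    # RFC 6052 layout: IPv4 bytes follow the prefix, skipping reserved byte 8.
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def nat64_prefixes(aaaa_answers):
    """Return the NAT64 prefixes (as strings) implied by AAAA answers for ipv4only.arpa."""
    found = set()
    for text in aaaa_answers:
        raw = ipaddress.IPv6Address(text).packed
        for plen in PREFIX_LENGTHS:
            v4 = ipaddress.IPv4Address(
                bytes(raw[i] for i in _v4_byte_positions(plen)))
            if v4 in WELL_KNOWN_V4:
                base = raw[:plen // 8] + bytes(16 - plen // 8)
                found.add(ipaddress.IPv6Network((base, plen)))
                break
    return sorted(str(n) for n in found)

def synthesize(prefix, ipv4):
    """IPv6 address an IPv6-only client dials to reach `ipv4` through `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    positions = _v4_byte_positions(net.prefixlen)
    for i, b in zip(positions, ipaddress.IPv4Address(ipv4).packed):
        raw[i] = b
    return str(ipaddress.IPv6Address(bytes(raw)))

if __name__ == "__main__":
    for p in nat64_prefixes(SAMPLE_AAAA):
        # 203.0.113.10 stands in for the VPN gateway's public IPv4 address
        print(p, "->", synthesize(p, "203.0.113.10"))
```

An empty result means the resolver returned no synthesized AAAA, so the client is not behind DNS64/NAT64; a non-empty one gives the translated address to look for in the VPN gateway's connection logs.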
Hi Hi together!
Big thanks to you Meraki guys that you finally started to implement IPv6!
Recognized it round about a week ago, when my switch got an IPv6 address after a reboot.
For your request:
1&1 Versatel Germany
Client to FW
Before I replaced my SonicWall firewall with an MX65, I had it set up to get an IPv6 /60 subnet from Charter. My MS220-8P and MR33 picked up the correct subnet and IPv6 addresses. They also passed on Router Announcements to clients who also got IPv6 addresses on the correct subnet.
So while there may be more work on the complete product line, the big push is most likely re-architecting the MX to support a new more complex IP protocol, and the work they have done making sure the Meraki site, dashboard and backend support IPv6.