Z1 - Access to local subnets on "Internet" side of the device

TonySmith
Here to help

Z1 - Access to local subnets on "Internet" side of the device

Hi,

This is a typical Z1 installation, the Internet interface connected to the home network, creating its tunnel to an MX at head office.  It does not have full tunnelling enabled, only site to site VPN traffic goes to the MX, Internet traffic breaks out locally using the home Internet connection.

 

Is this possible?  I'd like to add access both to the connected subnet on the Internet side, and to another downstream subnet.

 

Thanks,  Tony S

6 REPLIES 6
ww
Kind of a big deal
Kind of a big deal

only if the sessions is initiated from the lan side.

maybe you can run "no nat" on the wan interface, but i don't know if that is available on the z1

Thanks.   So when you say "LAN side" you mean what the Z1 calls LAN, which is where my work PC connects.  From there I need to be able access devices on the home network.  At the moment that doesn't work.  From the work PC if I ping any address on the home subnet I get a response, but in fact this is being spoofed by the Z1 in some way.  If I open a web browser to any of those addresses I get the Z1's management page.

ww
Kind of a big deal
Kind of a big deal

yes.

 

There are no FW rules configured on the Z?

the WAN-side and LAN-side subnet are different subnets?

No firewall rules at the moment.  LAN side is a different subnet from the home network on the Internet (WAN) side.

 

Traceroute shows slightly odd results.  If I trace to an Internet address I see the LAN side of the Z1 as the first hop, as expected, however the second hop is from the Internet provider on the other side of the home router.  It's as if the home LAN that extends between that router and the Z1 is being masked in some way.

 

If from the LAN side I try to open a web browser session to an address on the WAN side subnet, even to an address that is not in use, then I get the Z1 web page.

I think the answer I'm getting back from Meraki is that it's not possible.  They're suggesting creating inbound NAT rules on the home firewall to allow access to the home network from the Internet.

That's confirmed from Meraki.  Their suggestion is to open up the home network for access from the Internet, and make the connection that way.  That's not really practical.

The only sensible solution seems to be to a connection from the home router to the LAN side of the Z1, and static routes pointing that way. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels