Hey folks, I've seen this come up a few times, but haven't had any luck resolving this. Here's my issue: Wireless clients connected to the Guest VLAN can't access my on-prem Exchange server. I have the Meraki handing out DHCP addresses. I have public DNS servers for name resolution.
Wireless clients receive the public-facing IP address of the mail server like you'd expect. However, the connection fails. I'm not sure what's being blocked here.
In the Firewall & Traffic page I have exceptions for the internal IP address of the mail server on ports 25, 143, 993, 587. I also have a deny rule to prohibit wireless clients from accessing local LAN.
No L7 rules are defined. Are these rules processed in a specific order? I was thinking they were processed top-down.
Hi @Brian_R, is the MS Exchange server sitting behind the same MX that the Guests are on, and does it have an internal IP address that is being NATed by the MX to its external IP address? If so then it's quite possible that the traffic flow isn't as you are expecting. I'd start by mapping out the actual traffic flow from the Guest VLAN to the public IP address of the MS Exchange Server.
It's very possible that your traffic from the Guest VLAN is heading to the internet, then being bounced back to you by your ISP and then being treated as external traffic coming into the MX - which if there are no port mappings is going to fail. But this all depends on where the MS Exchange server is in relation to the Guest VLAN.
@Brian_R if you want to do this, I think you'll need to use private DNS, so the traffic doesn't try to go out of the WAN port.
At the moment you have traffic heading out of the WAN only to be sent straight back in on the same interface (different IP?), in through to the LAN, to the Exchange server. The return traffic gets confused: it heads back to the MX, which finds out that the IP address it is looking for is on a different LAN port and wants to head off that way back to the client, but as it is a stateful firewall there is no return path that way, so it gets dropped.
If you have private DNS to give the client the internal IP then it can route that way. If you want it to be totally separate, run the public connection on a separate device.
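As an added illustration (not part of the thread, and not Meraki's documented behaviour), the following Python model shows why the DNS answer decides the path: a split-horizon resolver hands guest clients the internal address, so the flow stays on the LAN side and is evaluated against the firewall rules top-down, first match wins; with the public address the MX has nothing to match on the LAN side and sends the flow out the WAN, where only an inbound port forward could bring it back. The addresses, subnets, host name and the default-allow assumption are all constructed for the example; the rule set mirrors the two rules described in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing (assumption, not from the thread).
GUEST_VLAN = ipaddress.ip_network("192.168.50.0/24")
LAN = ipaddress.ip_network("10.0.0.0/24")
MAIL_INTERNAL = ipaddress.ip_address("10.0.0.25")
MAIL_PUBLIC = ipaddress.ip_address("203.0.113.25")  # documentation range
MAIL_NAME = "mail.example.com"
MAIL_PORTS = frozenset({25, 143, 587, 993})


def resolve(name: str, client_ip: str, split_horizon: bool):
    """Return the address a client gets for the mail host name.

    With split_horizon=True, clients on the internal networks get the
    internal address; everyone else (and everyone, when split_horizon is
    False) gets the public one, exactly like a public resolver would.
    """
    if name != MAIL_NAME:
        return None
    client = ipaddress.ip_address(client_ip)
    if split_horizon and (client in GUEST_VLAN or client in LAN):
        return MAIL_INTERNAL
    return MAIL_PUBLIC


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset]      # None means any port


# The two rules from the question: allow the mail ports to the server's
# internal IP, then deny everything else from guests to the LAN.
RULES = [
    Rule("allow", GUEST_VLAN, ipaddress.ip_network(f"{MAIL_INTERNAL}/32"), MAIL_PORTS),
    Rule("deny", GUEST_VLAN, LAN, None),
]


def first_match(rules, src, dst, port):
    """Generic top-down, first-match evaluation. Default allow is an assumption."""
    for idx, rule in enumerate(rules):
        if src in rule.src and dst in rule.dst and (rule.ports is None or port in rule.ports):
            return idx, rule.action
    return None, "allow"


def path_for(client_ip: str, name: str, port: int, split_horizon: bool):
    """Decide where a guest flow goes, given the DNS answer it received."""
    src = ipaddress.ip_address(client_ip)
    dst = resolve(name, client_ip, split_horizon)
    if dst in LAN or dst in GUEST_VLAN:
        # Internal destination: stays on the LAN side, so the L3 rules apply.
        idx, action = first_match(RULES, src, dst, port)
        return {"dst": str(dst), "egress": "lan", "rule": idx, "action": action}
    # Public destination: routed out the WAN. Whether it ever comes back
    # depends on an inbound port forward, not on the LAN rules above.
    return {"dst": str(dst), "egress": "wan", "rule": None, "action": "needs port forward"}


if __name__ == "__main__":
    for split in (False, True):
        print(f"split_horizon={split}:", path_for("192.168.50.10", MAIL_NAME, 993, split))
```

Swapping the two rules (deny first) makes the same IMAPS flow hit the deny rule, which is the quickest way to confirm that ordering matters in a first-match model; the `first_match` call in the test below does exactly that.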