VPN from Meraki guest wifi

SOLVED
NPBN
Here to help

VPN from Meraki guest wifi

Hi,

 

Got a question about VPN from the Meraki guest wifi

 

We get a lot of different vendors in the building, who almost all use VPN to connect back to their respective motherships, however, with the Meraki guest wifi they are unable to get access. 

 

My current theory is that the firewall rule to block access to local lan is also preventing them from connecting to their VPN-network, since they are often advertised as local lans. Do anyone else have similar experiences?

 

Any insights would be appreciated, since letting outsiders on to the internal Wifi is a nono... 

1 ACCEPTED SOLUTION
MMoss
Building a reputation

I've seen a fair amount of subnet overlap issues, especially with resources on the 192.168.0.0 and 192.168.1.0. For me it's largely due to someone's home router sitting on the same subnet because that's how it comes from the factory and no one bothered changing it.

I would get the error code they are receiving if any, and if nothing else create a test SSID with it's own VLAN and Subnet to eliminate any overlap as an issue's or oddities with the Guest SSID.

Don't discount it's not on your side of the VPN, if nothing else we advertise guest "as is" and are not afraid to have them check in with their IT department, but multiple vendors makes it hard to discount it being on your side of things as well unfortunately.

View solution in original post

9 REPLIES 9
BrechtSchamp
Kind of a big deal


@NPBN wrote:

 

My current theory is that the firewall rule to block access to local lan is also preventing them from connecting to their VPN-network, since they are often advertised as local lans. Do anyone else have similar experiences?

 


That won't be the reason. The tunnel would be built to a public IP address outside your network. The addressing used inside the tunnel is not visible to Meraki.

 

Are you using portal functionality on the guest network? If you are, any chance they're trying to build the tunnel before having gone through the splash procedure? Are there any firewalls on the path towards the internet?

 

Edit: Also, what kind of VPN technology are they using? IPsec? SSL?

 

 

I agree on the tunnel, which is also why I am quite puzzled by this. 

 

There is no portal or splash-page in place, although the wifi network is password protected.

 

Traffic passes through an MX on its way to the internet, and also through a layer 3 switch which does routing.

 

Dunno about the VPN-technology, but since this is something I have heard from several people I assume it would be a mix. I will ask the guy currently in the building if I can find him outside a meeting. 

MarcP
Kind of a big deal

We are using a seperate Router / Internetline for our Guest Wifi...

VLAN tagging to the Guest vlan and denying the  communication to the LAN at the AP and it is working. 

Just tested it at my own notebook.

 

Tried to change it to NAT Mode (Meraki DHCP), but afterwards I wasn´t able to use the Guest Wifi anymore, regarding to our network...

 

How is your setup looking like?

BrandonS
Kind of a big deal

Is the problem that they can't establish VPN connection or they connect and then can't access resources?

 

I have had the latter problem with Meraki NAT/DHCP mode due to 10.0.0.0/8 conflicting.  Maybe you also have some subnet overlap between your guest network and the remote side?

Checked with the guy who was here yesterday, and he could get internet, and his Sonicwall VPN-client claimed it was connected, but he could not access the ressources at his own company. We agreed he would go and bug his own IT-department, and see if they have a fix, or is able to see anything in their logs. 

 

you might be on to something in regard to the NAT/DHCP, how did you verify that as your problem?

 

Not sure about the remote side, I dont think that should be an issue.  

MMoss
Building a reputation

Check his IP when connected and see if its overlapped with your guest. If they are not then ping the resource he is looking for using the host name and see if it returns an overlapping IP address. If they know the resource IP then just compare. 

 

If they dont know the the host name or IP because it's on the backend and they dont have access to that data then thier IT department should know. Honestly it would be easier to tell the sales rep "Here is the guest network subnet, and your guys if they overlap." Otherwise set up a different SSID, build the gateway on the MX, enable DHCP, and assign it a different VLAN ID. If you can build it so that the traffic is completely in no way shape or form on the guest subnet that will eliminate the issue very quickly and require no contact with the various vendor IT administrators.

 

Which ever way you go I would start by eliminating that variable up front. 

pjc
Building a reputation

@BrandonSwrote:

 

Is the problem that they can't establish VPN connection or they connect and then can't access resources?

 

I have had the latter problem with Meraki NAT/DHCP mode due to 10.0.0.0/8 conflicting. Maybe you also have some subnet overlap between your guest network and the remote side?

 

My money's on Brandon's theory, we have run into this exact problem a few times.  Ended up having create a new SSID which was bridged using a different client subnet

MMoss
Building a reputation

I've seen a fair amount of subnet overlap issues, especially with resources on the 192.168.0.0 and 192.168.1.0. For me it's largely due to someone's home router sitting on the same subnet because that's how it comes from the factory and no one bothered changing it.

I would get the error code they are receiving if any, and if nothing else create a test SSID with it's own VLAN and Subnet to eliminate any overlap as an issue's or oddities with the Guest SSID.

Don't discount it's not on your side of the VPN, if nothing else we advertise guest "as is" and are not afraid to have them check in with their IT department, but multiple vendors makes it hard to discount it being on your side of things as well unfortunately.
NPBN
Here to help

Turned out it was the other side that was the problem. 

 

Their IT-department did something (not wanting to tell me what), and hey presto! It worked... 

 

Thanks to all who replied.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels