MR's will not allow data traffic for Netmotion VPN

Jayt
Here to help

We have a new Netmotion server set up. Everything is working fine except when on the Meraki guest WiFi. I can get connected but can't pass data to the local network. I also cannot ping any local resources.

Netmotion works fine on our corp WiFi using a RADIUS server. It also works using a hotspot or other internet connection.

The gateway is still using the Meraki DHCP. It should be routed to the local network gateway while connected.

Is this something I need to set up on my firewall or on the MR's portal?

Thanks


8 Replies
ww
Kind of a big deal

Is your SSID in NAT or bridge mode?

Check also the SSID firewall settings. L2 LAN isolation or L3 "Block local LAN" could be enabled on the SSID firewall.

Jayt
Here to help

Meraki DHCP and all normal Guest SSID settings. No L2. We do have Block local LAN enabled, as we don't want anyone to be able to get to local resources from the guest Meraki LAN. However, once connected the VPN should take over for local network resources. It just needs any internet connection.

ww
Kind of a big deal

Are you trying to ping something in the 10.0.0.0/8 range? If so, could you try pinging an IP outside that range?

alemabrahao
Kind of a big deal

When you use Meraki DHCP, the client will use the AP IP to communicate with your LAN. Is "Deny Local LAN" enabled in the SSID firewall rules?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Jayt
Here to help

Thanks for the suggestions. I don't think that would be the problem. I'm not trying to get on the Meraki WiFi 10/8 network. Once my VPN is established, my firewall should then route the connections back to my local LAN network. I only need internet access for the VPN to work. It works fine on my corp RADIUS SSID, and on a hotspot or home internet.

Once I connect, yes, I can ping anything other than my local LAN network.

However if I did need to enable local LAN, will that then give any guest client access to any device on the guest Meraki DHCP network?  I don't want to do that.

What's odd is that the Netmotion server is a new one spun up for an upgrade. The old one, still in use, connects fine from the Guest WiFi.

I must need some sort of route/policy; I have to figure out where to put it.

alemabrahao
Kind of a big deal

What we are talking about is this.


[screenshot attachment: alemabrahao_0-1688732826054.png]


Have you checked this configuration? It's a little confusing now; can you provide more details or even a diagram?

Benchamiin
New here

Sounds like a similar setup to what we have.


Just to check, are you using internal DNS for the guest network?

If so, just check that it is not resolving an internal address for the NetMotion server you are using.


Can you confirm NetMotion is not in its passthrough mode? It may show 'Connected' but with a statement that traffic is not currently going down the tunnel.


Sounds like it's either not connecting, or it's connected but bypassing your traffic.
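The DNS check in the reply above can be scripted. The following is an added example, not code from the thread or from Meraki or NetMotion: it takes the A records a guest-network resolver and a corporate resolver return for the VPN server name (constructed sample answers, hypothetical hostnames and addresses) and reports whether the guest SSID's "Deny Local LAN" rule would drop the tunnel setup traffic. The assumption, labelled in the code, is that the rule blocks client traffic to RFC 1918 and link-local destinations while allowing public destinations out through NAT.

```python
"""Diagnose whether a VPN server name, as resolved on a guest SSID,
lands inside the address space a "Deny Local LAN" rule blocks.

Added example; not from the Meraki Community thread. Assumption: the
rule drops NAT-mode client traffic whose destination is RFC 1918 or
link-local, and allows globally routable destinations.
"""
import ipaddress
from typing import Dict, List, Tuple

# Destination space assumed to be covered by "Deny Local LAN".
LOCAL_LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample DNS answers, keyed by resolver and then hostname.
# Hostnames and addresses are hypothetical, invented for this example.
SAMPLE_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "corp-dns": {
        "vpn-new.example.internal": ["10.20.30.40"],   # internal record only
        "vpn-old.example.internal": ["203.0.113.10"],  # public address
    },
    "guest-dns": {
        "vpn-new.example.internal": ["10.20.30.40"],   # internal record leaks to guests
        "vpn-old.example.internal": ["203.0.113.10"],
    },
}


def is_local_lan_destination(ip: str) -> bool:
    """True if a destination address falls in the assumed blocked ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_LAN_NETWORKS)


def diagnose(hostname: str,
             answers: Dict[str, Dict[str, List[str]]],
             guest_resolver: str = "guest-dns") -> Tuple[str, List[str]]:
    """Classify how a guest client would fare reaching `hostname`.

    Returns a (verdict, blocked_addresses) pair. A verdict of
    'blocked_by_deny_local_lan' means every address the guest resolver
    returned is one the SSID firewall would drop, so the VPN client can
    never complete its handshake from that network.
    """
    records = answers.get(guest_resolver, {}).get(hostname, [])
    if not records:
        return ("unresolved", [])
    blocked = [ip for ip in records if is_local_lan_destination(ip)]
    if blocked and len(blocked) == len(records):
        return ("blocked_by_deny_local_lan", blocked)
    if blocked:
        return ("partially_blocked", blocked)
    return ("reachable_via_nat", [])


def split_horizon_mismatch(hostname: str,
                           answers: Dict[str, Dict[str, List[str]]],
                           corp_resolver: str = "corp-dns",
                           guest_resolver: str = "guest-dns") -> bool:
    """True if the corporate and guest resolvers disagree on the name.

    A mismatch is not itself a fault; it is a hint that the guest answer,
    not the VPN server, deserves the first look.
    """
    corp = sorted(answers.get(corp_resolver, {}).get(hostname, []))
    guest = sorted(answers.get(guest_resolver, {}).get(hostname, []))
    return corp != guest


if __name__ == "__main__":
    for name in sorted(SAMPLE_ANSWERS["guest-dns"]):
        verdict, blocked = diagnose(name, SAMPLE_ANSWERS)
        note = " (corp/guest answers differ)" if split_horizon_mismatch(name, SAMPLE_ANSWERS) else ""
        print(f"{name}: {verdict} {blocked}{note}")
```

To use it against a live network, replace the constructed answers with the records returned by each resolver (for example from `nslookup` run on the guest SSID and on the corporate SSID). If the new server's name resolves to a private address from the guest network while the old server's resolves to a public one, that alone explains why only the new server fails from guest WiFi.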
