Hi All,
Greetings. My MR36 wireless clients could not communicate with wired clients.
Steps tried:
MS120 Switches
1. Disabled port isolation on the MS120 POE interface.
2. ACL removed DENIED rules.
3. ACL Any Any Allowed
4. Disabled RSTP Guard
5. Port set to trunk
MR36
1. ACL removed DENIED rules.
2. ACL Allowed local LAN
3. ACL Any Any Allowed
Wired VLANs can communicate with other wired VLANs, but wired VLANs cannot communicate with wireless VLANs, or vice versa. The wireless clients do have internet connections; it is only communication with wired clients that fails.
Thank you in advance
6.0.0.0/8 is going to cause you issues. It's used by US DoD and also some internal functions within Meraki. Bottom line is you should not be using that subnet.
Aside from that, I can ping from your MX and APs to anything in 10.10.10.0 and 17.17.17.0. Your switches use some other public IP range that isn't any internal network, so they can't ping anything internal, and I'm unclear what your topology is.
I don't see any MS ACLs, MR ACLs, MX L3 FW rules, or GP FW rules denying traffic. So, at this point for traffic between VLAN 10 and 17 I'd have to assume this is a client side issue as I see nothing at the infrastructure layer blocking it or failing to ping.
What happens if you place a switchport on VLAN 10 and another on VLAN 17, connect a wired client to each, and try pinging between them?
I see you have lots of SSIDs, VLANs/subnets. What specific VLAN is this issue occurring on?
For a specific one, VLAN 10 communicating with VLAN 60 and vice versa. But all of my wireless VLANs could not communicate with wired VLANs. I can ping the gateway of the wireless VLANs but not the clients.
If they are Windows clients it could be the Windows firewall.
Yes, we are in a Windows environment. But whenever I plugged the laptop in wired, it could communicate with other wired VLANs but still could not communicate with wireless VLANs. Even my Android phones could not communicate with wired VLANs.
Can you ping all your networks that aren't 6.x.x.x IPs?
Wireless VLANs to wireless VLANs cannot ping either.
Can you give a specific example of a source and destination IP that cannot ping each other? 6.0.0.0/8 IPs are going to cause you issues. I can tell you that much.
10.10.10.0/26 to 6.1.0.0/24 and vice versa, and even 10.10.10.0/26 to 17.17.17.0/26 (wireless VLAN to wireless VLAN).
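The responders' point about 6.0.0.0/8 (and the switches sitting in some other public range) can be turned into a quick addressing-plan sanity check. This is an added example, not code from the thread or from Meraki: it flags any subnet outside RFC 1918 private space and any pair of subnets that overlap. The VLAN labels are assumed from the posts; the subnets are the ones quoted in the thread.

```python
import ipaddress
from itertools import combinations

# Subnets quoted in this thread. The VLAN labels are assumed from the
# posts for illustration; the thread does not confirm the exact mapping.
THREAD_SUBNETS = {
    "VLAN 10 (wired)": "10.10.10.0/26",
    "VLAN 17 (wireless)": "17.17.17.0/26",
    "VLAN 60 (wireless)": "6.1.0.0/24",
}

# RFC 1918 private ranges. Anything outside them is registered to a public
# owner (the thread notes 6.0.0.0/8 is US DoD space), so internal use of it
# risks colliding with real destinations on the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnet(cidr):
    """Return a list of findings for one IPv4 subnet; an empty list means it is fine."""
    net = ipaddress.ip_network(cidr, strict=False)
    findings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(
            f"{net} is not RFC 1918 private address space; "
            "pick a range from 10/8, 172.16/12 or 192.168/16 instead"
        )
    return findings


def check_plan(plan):
    """Check every subnet in a {label: cidr} plan and flag overlapping pairs."""
    nets = {label: ipaddress.ip_network(cidr, strict=False) for label, cidr in plan.items()}
    findings = {label: check_subnet(str(net)) for label, net in nets.items()}
    # Overlapping VLAN subnets break routing between them regardless of ACLs.
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            findings[a].append(f"{nets[a]} overlaps {b} ({nets[b]})")
            findings[b].append(f"{nets[b]} overlaps {a} ({nets[a]})")
    return findings


if __name__ == "__main__":
    for label, problems in check_plan(THREAD_SUBNETS).items():
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Running it against the thread's subnets reports VLAN 10 as clean and both wireless subnets as non-private; fixing the addressing does not by itself explain the wired-to-wireless failure, but it removes one variable before the wired-client-on-each-VLAN ping test suggested above.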
The first thought that comes to mind is - Windows Firewall. Have you tried disabling it on the wired target you are trying to ping?
Is the SSID in bridge mode?
Yes, even with Windows Firewall disabled, all kinds of wireless clients (Windows laptop, Android, Mac, etc.) could not communicate with wired VLANs. And yes, the SSID is in bridge mode with Layer 3 roaming enabled.
Still no good.
They're all bridge mode/L3 roaming, which by the way isn't a valid or needed config, as each SSID only maps to a single VLAN.
L3 roaming with one VLAN doesn't do anything.
Based on that, go for the simpler config: plain Layer 2 bridge mode with no roaming.
You know, if you're an ISO 27001 company, a simple/flat network will not get you qualified.
That's not what anyone is suggesting. Distributed Layer 3 roaming is meant for when an SSID is configured to use AP tags mapped to VLANs. For example, per-building or per-floor subnets that will have clients roaming between them.
Having an SSID configured for L3 roaming but only mapped to one VLAN doesn't do anything. Clients are only ever on the single VLAN mapped to that SSID.
And with that said that was just an observation I made of your config. That would not be a reason clients cannot ping each other.
At this point I'd recommend you open a Support case and do some real time troubleshooting with a Meraki engineer.
I already sent a ticket about this; no solution was provided despite a pcap file already being sent for them to analyze.