OK, after much mucking around I got this all working. Some notes: since the original router was part of a Meraki VPN, when I attempted to create (after disconnecting the old router and bringing it in-house) the public IP address range I desired as a VLAN, it gave me a warning that it wouldn't route correctly (and in fact it did not). I had to (temporarily):

- Take the VLAN range down to a /26 rather than a /24
- Remove the moved Meraki from the site-to-site VPN
- Re-expand the range to /24

I then ran into what I thought were additional problems. I could see all the devices inside the new VLAN when I was IN the VLAN, but they could not see outside. Turned out I had:

- Plugged the switch they were plugged into into an access rather than a trunk port when rewiring it. Thus I couldn't see the devices unless I was on the switch, rather than the outside network. Rookie move, but I wasted an hour trying to figure out why the devices could see each other but not the outside world, or the outside world see them.
- The original router was set as a pass-through firewall with just certain ports passed through. When it was on the site-to-site this didn't matter because I could see all ports once the VPN was established. After moving it I had to open up a couple of ports for traffic to pass correctly between the 2 LANs, but that was pretty easy and trivial and in fact increased security, since now only that traffic passed.

I don't need to VPN into the double-natted device, so I didn't bother trying to set client or site-to-site back up again.

Thanks for the help and pointers. I basically relocated my entire web infrastructure off shared hosting and into an archival state in under a day. Pretty good really. Gotta love Meraki.