This document explains this well: https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_Appliances ... View more

I hope your DSL Modem can do the PPPoE job and provide DHCP IP on its LAN. Use a small switch, as known as 'WAN Switch' or 'Perimeter Switch' and terminate your DSL Modem there. Many DSL Modem have built-in switchports on its LAN. Connect both MX 'INTERNET' ports on the switch. If DHCP is Enabled, both will get IP and connect to cloud. If DHCP service is not available, you should configure manual IP as a destination to internet towards your GSM Modem. Configure first MX as you need, then add second MX as 'Warm Spare' from 'Appliance status' page. ... View more

Did you check from 'Security Appliance > Addressing & VLANs' if you have below configs: - route created from MX64 (Meraki Spoke) towards ASA/FG (non-Meraki Spoke). It should be dest: 172.16.0.1/16, gw: MX100 IP from 192.168.0.1 subnet - if the route is advertised by selecting 'Yes' for 'In VPN'.   Screenshot added FYR.   HTH. ... View more

Did you try with OPENVPN client? It's an open-source & community driven client supports L2TP/IPSec. It also have VPN server capability but you can shutdown the service. ... View more

In high density area sometime I suggest to increase the bitrate to more than 12Mbps for faster & effective roaming. Also leave the Radio Power to automatic. Encourage everyone to use 5GHz radio instead of 2.4Ghz if configurable from endpoints. 2.4Ghz imposes noise on wireless networks. ... View more