Check your DNS settings on WAN2 and make sure nothing upstream would be blocking HTTP.    There are several tests that are done to verify connectivity, DNS queries, pings, ARPs and HTTP tests.  Details here:   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover   Russ ... View more

If I'm understanding your question correctly, you can configure the MX as a one armed concentrator that would be on the inside network behind the other firewall:   VPN Concentrator Deployment Guide - Cisco Meraki ... View more

The previous owner/user will have to remove the device from the network it is in and unclaim it before you can claim it for your organization.  Here's some info from the Meraki documentation:   Cisco Meraki Devices purchased Second Hand - Cisco Meraki ... View more

I've been running multi-VLAN support over mesh at a couple of sites for about 6 months now and it hasn't seemed to cause any issues.  We're not moving a ton of traffic over those links, the primary use is to keep a few multicast audio streams isolated in their own VLAN, but it also allowed us to get a couple of IP phones back into the voice VLAN.   You will need to open a ticket with support asking them to enable it and let them know which repeaters it needs to be enabled on and what VLANs to allow on the mesh.   Russ ... View more

I would make the Deny rule for all traffic, not just Local LAN.  Then for the clients you want to have access, you would go to Network Wide, Clients, check the box for the client you want to allow access, choose Policy at the top, and add them to the Allow List.   Keep in mind that this method isn't very secure, since MAC addresses can be spoofed.   This topic has some good info on a couple of different approaches and screenshots: Solved: Restrict access by PSK and MAC? - The Meraki Community   Russ   ... View more

Those log messages are just telling you that port 14 went down (state changed from 1Gfdx to down), and when it did it was marked as disabled in the RSTP table (because it is down and has no path to the root bridge.)   It really sounds to me like an intermittent cable issue.  It could be a port, so I'd definitely try moving the AP to another port on the switch, but a cable/connector problem seems more likely.  When the cable people tested the cable, did they test all the way from the switch to the AP?  Could be a bad patch cable.  I've also seen bad keystone jacks cause intermittent problems.   Is there another network jack nearby that you could move the AP to?  That would help rule out cabling problems. ... View more

Those log messages are just showing that the port was bouncing.   It looks to me like you have a cable problem.  Have you run a cable test on that port?   As for the AP having power while the port shows down, I've seen that before, both from cable failure and switchport failure.  If one of the data pairs is open, but the spare pairs are OK, the device can negotiate power but never link up.  Looks like this in the dashboard: And here's the result of a cable test on that port:   Looks like you may have an intermittent problem with a data pair on that cable.   Russ     ... View more

The risk of using 1:1 NAT over a DMZ is the exposure to attacks if one of the Internet facing servers is compromised.    If you put your Internet facing servers on your internal VLAN and one of them is compromised, the attacker could then attempt to compromise any of the devices on the internal VLAN.   If your Internet facing servers are isolated in a DMZ, then even if one is compromised the exposure would be limited to other devices in the DMZ.   Personally, in today's environment, I would probably create a DMZ for the Internet facing servers.   ... View more

I'm also having the same issue.  I had a user report that they have no network connection, and I can't even run a cable test on the port to see if it's a cable issue.  I have opened a case with Support.   Russ ... View more

If the MX has never connected to the cloud, it should have the default configuration, which I believe is the Single VLAN setting you show above.  So if you connect a PC configured for DHCP, it should get an IP address in the 192.168.128.0 network.  At that point, you should be able to connect to wired.meraki.com to get the local management page, or if that doesn't work you can see what your default gateway is set to (probably 192.168.128.1) and try connecting to that IP in a browser.  If that doesn't work, try a factory reset to make sure you have the default config and try again.   Once you get connected to the local status page, you should be able to configure the WAN IP, and once it connects to the cloud it should update the config from the dashboard, then the VLANs you show above will be configured.   Russ ... View more

Typically you would use the local status page to set the static IP address: Using the Cisco Meraki Device Local Status Page - Cisco Meraki   If you are using an MX, it should be running DHCP by default, so you could set your PC for DHCP and connect it to one of the LAN ports on the MX, and you should get an IP address assigned.  Then you should be able to go to wired.meraki.com to get to the local management page and set your static IP on the WAN port.   You would also want to go ahead and set the WAN IP in the dashboard, since once the MX connects to the dashboard it will download the config from there.   Russ   ... View more

I wouldn't trust the OS Identification, I have Hyper-V servers that are identified as Xbox in the Meraki dashboard.  I would use a layer 3 firewall rule to deny all traffic on the SSID, then you can Allow specific clients to override that.  There's information on how to do that here:   Solved: Setting up an MR44 to allow only a few clients using MAC address filtering - The Meraki Community   and here:   Solved: Re: Restrict access by PSK and MAC? - The Meraki Community     Even with the deny all L3 firewall rule and Allowing certain clients I'm still not sure I'd feel comfortable with having a completely open network. ... View more

Take a look at this document and see if it helps:   Using Site-to-site VPN Translation - Cisco Meraki   I haven't run into this issue, but I remembered reading about it.   Russ   ... View more

Try changing your "*.google.com" in the allow list to just "google.com".  I had an issue where someone here tried to block netflix.com by adding *.netflix.com to the blocked URL list and it did not work, I had to use "netflix.com" to get it to work.  I assume the allow list works the same way.   Russ   ... View more

I agree with @UCcert that the devices will continue to function even after the end of support date.  The End of Life policy (Cisco Meraki Customer Support & Documentation) says that EOL products can typically connect to the cloud after the EOL date, but that's not guaranteed indefinitely.   I would not expect Meraki to replace an EOL device that fails, though.  The Returns, Warranties and EOL page (Returns (RMAs), Warranties and End-of-Life Information - Cisco Meraki) has a footnote about the Lifetime Warranty that says " Product lifetime ends concurrently with product End-of-Support (EOST) Date as described in Cisco Meraki's  End of Life (EOL) Policy ."   I do know that if a device past the End of Sale date fails, Meraki will typically replace it with a current equivalent device.  I've had a few MS220 switches fail and have received MS120 equivalents as replacements.   Russ   ... View more

I'm not familiar with those devices, but I would try turning off Wireless Multicast to Unicast Conversion (under Network-Wide, Configure, General).  That setting is turned on by default, and will convert the multicast traffic to unicast traffic, which may be causing the problem.   Is this just a single access point with all clients (computer, phone, tablet, lights) wireless, or are there switches involved as well?   Russ   ... View more

I have found that the usage reported by Traffic Analytics is not accurate.  I opened a ticket with support and got a response saying that the support rep " was able to confirm that this issue has already been raised with the developers and we're waiting to hear back from them."   When I need to determine utilization, I just look at the switchport that is connected to the MX appliance or other router/firewall.  Once the switchport is selected, you can see the Historical Data for 2 hours, 1 day, 1 week, 30 days and the Usage reported in the Status section updates and seems much more reasonable that what is reported by Traffic Analytics.   Russ     ... View more

I'm not seeing any issues here, but my WiFi setup for clients is pretty simple. I've only got one AP that sees regular use, and I'm just using WPA2 with a Pre-shared key.  But there are 8 clients connected now that have been associated for anywhere from 10 hours to 1 week and no issues have been reported.   Russ   ... View more

I haven't had to swap an MX yet, but I did find the documentation for the process when I thought one failed:   MX Cold Swap - Replacing an Existing MX with a Different MX - Cisco Meraki   It doesn't look like making the MX85 a warm spare will be an option, since the MX Warm Spare Overview says "Note:  The secondary MX must be the same MX model as the primary."   Russ   ... View more