Client VPN can ping but not discover printers or hosted games

Solved
dlevens
Getting noticed

I have a Mac connecting over client VPN using L2TP with the built-in macOS VPN connection to my MX68.

VPN client is not able to browse for printers or browse for network games like Minecraft or CIV.

VPN client can ping the printers and can ping the Minecraft server or CIV server, but the local discovery, like scan for printer or scan for games, does not find anything.

I have nothing being blocked at the firewall. I have the client VPN on Mac set to route all traffic over VPN and have set service order so that VPN is top on the list. I have also tried turning on Bonjour forwarding for all options, but it did not help.

It appears you cannot configure Client VPN to give IPs on the regular LAN, but the VLANs are able to communicate with each other, just not broadcast, which I think might be my issue.

1 Accepted Solution
alemabrahao
Kind of a big deal

The mDNS is not a VPN configuration.

https://documentation.meraki.com/MX/Other_Topics/Configuring_Bonjour_forwarding_for_the_MX_Security_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

16 Replies 16
alemabrahao
Kind of a big deal

He won't be able to find out because it's via broadcast and the subnets are in different broadcast domains.

Apart from network discovery, can you add printers manually?

dlevens
Getting noticed

I was able to add 1 printer via IP, but the other printer (older model Brother) would fail even with IP. I am not able to nslookup or resolve any of the hostnames.

GIdenJoe
Kind of a big deal

Those behaviors are to be expected if you are relying on UPnP, broadcast or mDNS.
If you use an internal DNS server you can at least use the DNS suffix option in client VPN to get by in your domain.
However, game server discovery is going to be a problem.
Most LAN games used to have an option to join directly by IP. My experience in this, however, stems from the time of Quake 3 and Unreal Tournament, so current games might be quite different.

I think the MX will also only forward mDNS requests over VLANs, not client VPN.
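
An added illustration, not part of any post in this thread: the sketch below models a plain unicast router between two subnets (no multicast routing, no mDNS gateway) and shows why ping succeeds while discovery traffic never leaves the sender's segment. The subnets, the printer address and the function names are constructed for the example.

```python
import ipaddress

# Constructed addressing for illustration; not the poster's real subnets.
LAN = ipaddress.ip_network("192.168.10.0/24")
CLIENT_VPN = ipaddress.ip_network("192.168.99.0/24")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# 224.0.0.0/24 is the local network control block: routers do not forward it.
LINK_LOCAL_MULTICAST = ipaddress.ip_network("224.0.0.0/24")


def routed_between_subnets(dst, src_net, dst_net):
    """Return (forwarded, reason) for a packet sent from src_net toward dst
    across a plain unicast router with no multicast routing or mDNS gateway."""
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        return False, "limited broadcast stays on the sender's segment"
    if dst in LINK_LOCAL_MULTICAST:
        return False, "link-local multicast is never forwarded"
    if dst.is_multicast:
        return False, "multicast needs multicast routing or a proxy"
    if dst in (src_net.broadcast_address, dst_net.broadcast_address):
        return False, "subnet broadcast is not forwarded by default"
    if dst in dst_net:
        return True, "unicast is routed normally"
    return False, "destination is not in the target subnet"


# Constructed probes: what a VPN client sends when it pings vs. when it scans.
PROBES = {
    "ping printer": "192.168.10.50",
    "mDNS/Bonjour query (UDP 5353)": "224.0.0.251",
    "SSDP/UPnP search (UDP 1900)": "239.255.255.250",
    "LAN game broadcast scan": "255.255.255.255",
    "directed broadcast to LAN": "192.168.10.255",
}


def survey():
    """Classify every constructed probe sent from the client VPN subnet."""
    return {name: routed_between_subnets(dst, CLIENT_VPN, LAN)
            for name, dst in PROBES.items()}


if __name__ == "__main__":
    for name, (ok, why) in survey().items():
        print(f"{'ROUTED ' if ok else 'DROPPED'} {name}: {why}")
```

Only the unicast probe is routed, which matches the symptoms in the thread: hosts answer ping and can be added by IP, but scans find nothing.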

dlevens
Getting noticed

I go back to Doom and Quake and started losing my touch by Unreal 🙂

I figured this might be the case. I can set the Meraki Client VPN DNS server but I think this comes down to broadcast or mDNS. The Meraki does have Bonjour forwarding, but based on what it lists out it seems it only applies to the normal VLANs and does not apply to the VPN VLAN.

dlevens
Getting noticed

Is it possible for the server running the game locally behind the MX68 to also connect to the VPN, so that both external user and server are on the same VPN VLAN? I tried setting up a connection on the Mac server using VPN but it does not connect. I tried with both external domain and MX68 VLAN IP but I get "server did not respond". Another thought is I could set the server to a static IP on the VPN VLAN.

alemabrahao
Kind of a big deal

If the server is on the same network as the MX it is not possible.

Are all networks enabled to participate in SD-WAN?

dlevens
Getting noticed

I am not using site-to-site VPN, just Client VPN. The server is behind the MX68 and is getting an IP from the MX.

alemabrahao
Kind of a big deal

But you need to enable each subnet behind the MX including the VPN client to receive the routes, even if you don't use SD-WAN, otherwise how do you expect to have the route for your internal network?

Enable this and it will work.

dlevens
Getting noticed

Interesting, where would I go to enable this? I believe (could be wrong) that this is on by default as I can ping the users who connect via Client VPN from the server network and vice versa, they can ping the server and the printers and the server can ping them, but broadcast and mDNS do not pass from Client VPN VLAN and local VLAN. 

alemabrahao
Kind of a big deal

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

dlevens
Getting noticed

I am not able to turn on site-to-site VPN, as I have no other site to connect it to, just a single location with a single MX68 appliance. The users connecting are using home internet and the built-in Mac VPN client and I have enabled Client VPN on the MX68.

alemabrahao
Kind of a big deal

Yes, you are, I have a MX at home and I'm able to use it.

alemabrahao
Kind of a big deal

You just need to configure it as a Hub. It's pretty easy.

dlevens
Getting noticed

You were right, I was able to turn it on using Hub but would get the attached error if I tried with Spoke. However, even with Hub on and both my Client VPN and local LAN enabled for use VPN, I could still only ping the client and could not view mDNS or any broadcast and could not resolve nslookup.

alemabrahao
Kind of a big deal

The mDNS is not a VPN configuration.

https://documentation.meraki.com/MX/Other_Topics/Configuring_Bonjour_forwarding_for_the_MX_Security_...

dlevens
Getting noticed

It appears so...
