Hello!
I have a Meraki MX64 and I've just started to separate my network into VLANs. However, I would like to know how I can make VLAN A able to talk to VLAN B.
For example:
- my NAS needs to be in a different VLAN from the productivity Macs so I can block external access to the NAS; however, I want the "PRODUCTION VLAN" to be able to access my NAS.
I think that one solution would be to make the Macs part of the two VLANs. But I don't like this idea, since it seems to be more of a bad alternative than an intelligent solution.
Hi,
Please refer to this documentation to create VLANs on an MX: https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia...
By default, inter-VLAN routing is enabled and there are no firewall rules blocking the traffic. You might need to check that also: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...
Thank you for your help!
RaphaelL, I've already created a layer 3 allow rule, but this was not able to allow the communication between the two VLANs. The rule that I created was this:
outbound:
ALLOW -> any protocol -> 10.0.1.0/24 (vlan A) -> any protocol -> 192.168.0.0/24 (vlan B) -> any port
ALLOW -> any protocol -> 192.168.0.0/24 (vlan B) -> any port -> 10.0.1.0/24 (vlan A) -> any port
Until now, VLANs are still not being allowed to see computers in other VLANs, unless COMPUTER X belongs to the same VLAN as COMPUTER Y.
It's probably the Windows firewall; try to disable the Windows firewall.
And ensure that you configured the default gateway in your NAS network settings.
It's not Windows, it's a Mac. 😞
I created the Vlans already, and created the firewall layer 3 outbound rule to allow communication between those subnets through any protocol, but it's still not working. What did I miss?
Check the gateway of the NAS and client to see if it's the correct gateway IP (MX VLAN IP), like @alemabrahao suggests.
Also let us know what protocol is used for this session, and how you access it: by name or by IP?
My friend, I forgot to tell you. My setup has a manageable switch with no layer 3.
My Macs are connected to a switch and then the switch is connected to the Meraki. Maybe this is the problem. Is there a configuration that I need to do? Maybe the switch is not routing the packets correctly between VLANs.
Yes, definitely, because you have to create the VLAN on the switch and then configure the VLAN on the ports, but your switch is not capable of doing that.
It's a layer 2 issue. I suggest you read some articles.
https://www.geeksforgeeks.org/virtual-lan-vlan/
Actually, my switch allows VLAN creation, but not routing. Its model is SG220-26. The physical port is configured as a trunk and allows all VLANs as tagged. Is there anything else that I need to do?
Have you created the VLANs on the switch? Have you configured the access VLAN on the ports that the clients are connected to? Is the switch configured as an L3 switch or an L2 switch? Can you share the switch configuration?
Look at this example:
The MX is the router, so on the L2 switch you just need to create the VLANs, then configure a trunk port between the MX and the switch, and the access ports for your hosts on the target VLAN.
Thank you very much for your extreme proactivity in helping me!
Well, I found the problem. The Mac and switch configurations were OK, but I found out that Macs have problems with inter-VLAN connections because they kind of lose DNS direction when dealing with multiple subnets, since they use the Bonjour protocol. So the solution was to enable "Bonjour Forwarding" for every VLAN and every service on the Meraki dashboard!!!
"Bonjour forwarding enables interVLAN communication between Bonjour devices and applications on your LAN. Natively, Bonjour functions on a single subnet; Bonjour forwarding removes this limitation by forwarding the multicast DNS traffic between the client and service VLANs as needed."
https://documentation.meraki.com/MX/Other_Topics/Configuring_Bonjour_forwarding_for_the_MX_Security_...
Well, the problem is solved. But I still wonder if adding other DNS configs to each individual Mac can also solve this problem. Thank you everybody!
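
An added example, not part of any post in this thread: a small Python model of why the layer 3 allow rules quoted above pass unicast traffic between the two subnets while Bonjour discovery still stays on its own VLAN. The subnets come from the quoted rule; the host addresses and the port 445 flow are constructed for illustration.

```python
import ipaddress

# Subnets from the firewall rule quoted in the thread.
VLAN_A = ipaddress.ip_network("10.0.1.0/24")
VLAN_B = ipaddress.ip_network("192.168.0.0/24")
VLANS = {"A": VLAN_A, "B": VLAN_B}

# RFC 5771: 224.0.0.0/24 is the local network control block; routers do not forward it.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
# RFC 6762: multicast DNS (Bonjour) uses group 224.0.0.251, UDP port 5353.
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
MDNS_PORT = 5353

# The two allow rules from the thread as (source net, destination net).
L3_ALLOW = [(VLAN_A, VLAN_B), (VLAN_B, VLAN_A)]


def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr, or None."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def classify(src, dst, dport):
    """Describe how a packet from src to dst:dport is handled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in LINK_LOCAL_MCAST:
        # Never reaches the router's forwarding path, so L3 rules are irrelevant.
        if d == MDNS_GROUP and dport == MDNS_PORT:
            return "mdns-stays-on-source-vlan"
        return "link-local-multicast-not-routed"
    if vlan_of(s) is not None and vlan_of(s) == vlan_of(d):
        return "same-vlan-switched"
    if any(s in a and d in b for a, b in L3_ALLOW):
        return "routed-and-allowed"
    return "not-covered-by-these-rules"


if __name__ == "__main__":
    # Constructed sample flows: a Mac at 10.0.1.20, a NAS at 192.168.0.10.
    flows = [
        ("10.0.1.20", "192.168.0.10", 445),   # access by IP across VLANs
        ("10.0.1.20", "224.0.0.251", 5353),   # Bonjour name/service discovery
        ("10.0.1.20", "10.0.1.30", 445),      # neighbour on the same VLAN
    ]
    for f in flows:
        print(f, "->", classify(*f))
```

Only the discovery flow depends on Bonjour forwarding; reaching the NAS by IP address is already covered by the allow rules.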