Netgate Discussion Forum

pfSense won't allow Meraki Access Point VPN thru to main office

Firewalling
6 Posts 3 Posters 2.1k Views
  • J
    jamo
    last edited by Nov 2, 2016, 6:02 PM

    So my company (company A) sees patients at (company B) and needs our network to do so. We have been using Meraki MR32 access points for some time at company B and use the Teleworker VPN to get back to our network. The Meraki access point VPN contacts the Meraki cloud, then directs the AP to our internal VM VPN concentrator. There is no VPN client in this setup. Any client that can get on the SSID has access back to our network. This all had been working fine when company B was using an ASA. They have recently changed IP scopes and switched to a pfSense firewall. After the change my Meraki APs are manageable via the Meraki dashboard but they will not connect back to my VPN concentrator. I have several other home workers who still work just fine on the same setup.

    I worked with company B to allow all TCP/UDP from my AP internal IP and still have no VPN connection back. These Meraki APs work wherever you take them if they are set up for VPN. There is NO configuration on the source side needed typically. I'm looking for any assistance or ideas in regards to pfSense config to allow this VPN tunnel to connect.

    • J
      jamo
      last edited by Nov 2, 2016, 7:02 PM

      Here are a couple of Meraki resources if they shed any light.

      https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Automatic_NAT_Traversal_for_Meraki_Auto-VPN

      https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto-VPN

      Would pfSense need anything on an outside-to-inside established rule?

      • K
        KOM
        last edited by Nov 2, 2016, 7:03 PM

        Can I assume you've already checked the firewall log on WAN for blocked packets?

        • J
          jamo
          last edited by Nov 3, 2016, 6:03 PM

          I will say that I worked with company B yesterday while I was troubleshooting and yes, we looked at the logs. It seemed to us that there was really nothing showing in the log once we filtered by the Meraki internal IP.

          • K
            KOM
            last edited by Nov 3, 2016, 6:52 PM

            OK.  Anything that reaches out of your network first typically does not require any NAT rules.  Unsolicited inbound traffic needs NAT + rules to work.  Perhaps a packet capture on WAN and analysis in Wireshark is next.

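The two checks suggested in this thread (filter the firewall log by the AP's internal IP, then look at what is blocked before moving on to a packet capture) can be scripted. The block below is an added example and is not code from the thread, from Netgate or from Meraki. It assumes the comma-separated field layout that pfSense's `filterlog` writes to the system log (nine common fields, then the IPv4 header fields, then source/destination ports for TCP and UDP), and it runs over a handful of constructed log lines using RFC 5737 documentation addresses and arbitrary port numbers, not real Meraki ports. IPv6 entries use a different layout and are skipped here.

```python
"""Summarise pfSense filterlog entries that involve one host (e.g. a Meraki AP's LAN IP).

Added example, not part of the forum thread. Assumes the pfSense 2.2+ filterlog
CSV layout; only IPv4 entries are parsed.
"""
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

MARKER = "filterlog:"
# Common fields: rule, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version
COMMON_FIELDS = 9
# IPv4 fields that follow: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
IPV4_FIELDS = 11


class FilterEntry(NamedTuple):
    interface: str
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_filterlog_line(line: str) -> Optional[FilterEntry]:
    """Parse one syslog line; return None for non-filterlog, IPv6 or malformed lines."""
    if MARKER not in line:
        return None
    fields = line.split(MARKER, 1)[1].strip().split(",")
    if len(fields) < COMMON_FIELDS + IPV4_FIELDS:
        return None
    interface, action, direction, ipver = fields[4], fields[6], fields[7], fields[8]
    if ipver != "4":
        return None  # IPv6 layout differs; not handled in this example
    ip = fields[COMMON_FIELDS:]
    proto, src, dst = ip[7], ip[9], ip[10]
    sport = dport = None
    rest = ip[IPV4_FIELDS:]
    if proto in ("tcp", "udp") and len(rest) >= 2:
        try:
            sport, dport = int(rest[0]), int(rest[1])
        except ValueError:
            pass  # leave ports unknown rather than drop the entry
    return FilterEntry(interface, action, direction, proto, src, dst, sport, dport)


def summarize_host(lines: Iterable[str], host: str) -> Dict[str, Counter]:
    """Count entries where `host` is source or destination, split by action.

    Keys of each Counter: (interface, direction, proto, peer, dport).
    """
    summary: Dict[str, Counter] = {"block": Counter(), "pass": Counter()}
    for line in lines:
        entry = parse_filterlog_line(line)
        if entry is None or host not in (entry.src, entry.dst):
            continue
        peer = entry.dst if entry.src == host else entry.src
        key = (entry.interface, entry.direction, entry.proto, peer, entry.dport)
        summary.setdefault(entry.action, Counter())[key] += 1
    return summary


def format_report(summary: Dict[str, Counter]) -> str:
    """Render the summary as one line per (action, key) for quick reading."""
    out = []
    for action, counter in summary.items():
        for (iface, direction, proto, peer, dport), n in counter.most_common():
            out.append(f"{action:5} {iface:4} {direction:3} {proto:4} peer={peer} dport={dport} count={n}")
    return "\n".join(out) if out else "no matching entries"


# Constructed sample log lines (documentation addresses, arbitrary ports).
AP_IP = "192.0.2.50"
SAMPLE_LOG = [
    "Nov  2 13:01:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,0,0,DF,17,udp,1500,198.51.100.20,203.0.113.5,5000,5000,1472",
    "Nov  2 13:01:03 pfSense filterlog: 73,,,1478901234,em1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,200,192.0.2.50,198.51.100.20,5000,5000,172",
    "Nov  2 13:01:04 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.50,198.51.100.20,43211,6000,0,S,12345,,65535,,mss",
    "Nov  2 13:01:05 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,198.51.100.99,203.0.113.5,50000,22,0,S,67890,,65535,,mss",
    "Nov  2 13:01:06 pfSense sshd[1234]: Accepted publickey for admin",
    "Nov  2 13:01:07 pfSense filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,40,ICMPv6,58,24,2001:db8::1,2001:db8::2",
]

if __name__ == "__main__":
    print(format_report(summarize_host(SAMPLE_LOG, AP_IP)))
```

On a live box you would feed it the filter log (for example `clog /var/log/filter.log` on older releases) instead of `SAMPLE_LOG`. Keep in mind that the default deny rule logs what it blocks, but pass rules log nothing unless logging is enabled on them, so an empty result for the AP's IP is consistent with its traffic being allowed out, which is why the next step in the thread is a packet capture on WAN.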
            • I
              Indie_Beef
              last edited by Dec 29, 2016, 3:32 PM

              I have a fresh pfSense firewall with no plugins, all defaults. I have a Meraki Z1 that was working behind an OpenWRT router. pfSense was working with an Aruba access point. My Z1 does not work on my base pfSense install. It connects to the Meraki cloud, however the VPN tunnel is never established.

              Sorry to hijack your thread. This seems similar to your problem. Did you come up with a solution?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.