pfSense won't allow Meraki Access Point VPN thru to main office

jamo:

So my company (company A) sees patients at (company B) and needs our network to do so. We have been using Meraki MR32 access points for some time at company B and use the Teleworker VPN to get back to our network. The Meraki access point VPN contacts the Meraki cloud, which then directs the AP to our internal VM VPN concentrator. There is no VPN client in this setup; any client that can get on the SSID has access back to our network. This all had been working fine when company B was using an ASA. They have recently changed IP scopes and switched to a pfSense firewall. After the change my Meraki APs are manageable via the Meraki dashboard, but they will not connect back to my VPN concentrator. I have several other home workers who still work just fine on the same setup.

I worked with company B to allow all TCP/UDP from my AP internal IP and still have no VPN connection back. These Meraki APs work wherever you take them if they are set up for VPN. There is NO configuration on the source side needed typically. I'm looking for any assistance or ideas in regards to pfSense config to allow this VPN tunnel to connect.

jamo:

Here are a couple of Meraki resources, if they shed any light.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Automatic_NAT_Traversal_for_Meraki_Auto-VPN

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto-VPN

Would pfSense need anything on an outside-to-inside established rule?

KOM:

Can I assume you've already checked the firewall log on WAN for blocked packets?

jamo:

I will say that I worked with company B yesterday while I was troubleshooting, and yes, we looked at the logs. It seemed to us that there was really nothing showing in the log once we filtered by the Meraki internal IP.

KOM:

OK. Anything that reaches out of your network first typically does not require any NAT rules. Unsolicited inbound traffic needs NAT + rules to work. Perhaps a packet capture on WAN and analysis in Wireshark is next.

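One way to do the log check suggested above offline rather than in the GUI filter, as an added example that is not from this thread or from Netgate: parse pfSense filterlog lines (the IPv4 CSV layout: nine common fields, eight IPv4 header fields, length, source, destination, then ports for TCP/UDP) and count pass versus block entries that involve one address, so an unsolicited inbound block on WAN can be told apart from an outbound pass that should have created state. The interface names, addresses and ports in the sample lines are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in pfSense filterlog format (syslog prefix, then the CSV body).
# Addresses, interfaces and ports are placeholders, not values from the thread.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,4711,0,DF,17,udp,120,203.0.113.9,198.51.100.20,5000,40000,100
Mar  3 09:12:02 fw filterlog[1234]: 4,,,1000000102,em1,match,pass,in,4,0x0,,64,4712,0,DF,17,udp,120,10.20.30.40,203.0.113.9,40000,5000,100
Mar  3 09:12:03 fw filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,60,4713,0,DF,6,tcp,60,203.0.113.9,198.51.100.20,443,51000,0,S,123,,65535,,mss
Mar  3 09:12:04 fw filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,4714,0,DF,17,udp,120,203.0.113.9,198.51.100.20,5000,40000,100
Mar  3 09:12:05 fw sshd[99]: not a filterlog line
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(\S.*)$")

@dataclass(frozen=True)
class Entry:
    interface: str
    action: str     # pass / block / reject
    direction: str  # in / out
    proto: str      # udp / tcp / icmp / ...
    src: str        # "addr:port" for tcp/udp, bare addr otherwise
    dst: str

def parse_entry(line: str):
    """Parse one IPv4 filterlog line; return None for non-filterlog or IPv6 lines."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # IPv4 layout: 9 common fields, 8 IPv4 header fields, length, src, dst, then
    # src-port, dst-port, data-length for tcp/udp (tcp continues with flags etc.).
    if len(f) < 20 or f[8] != "4":
        return None
    proto, src, dst = f[16], f[18], f[19]
    if proto in ("tcp", "udp") and len(f) >= 22:
        src, dst = f"{src}:{f[20]}", f"{dst}:{f[21]}"
    return Entry(interface=f[4], action=f[6], direction=f[7], proto=proto, src=src, dst=dst)

def summarize(log_text: str, host: str) -> dict:
    """Count pass/block entries that involve `host` as source or destination address."""
    out = {"pass": Counter(), "block": Counter()}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or host not in (e.src.split(":")[0], e.dst.split(":")[0]):
            continue
        out.setdefault(e.action, Counter())[(e.interface, e.direction, e.proto, e.src, e.dst)] += 1
    return out

if __name__ == "__main__":
    for action, hits in summarize(SAMPLE_LOG, "203.0.113.9").items():
        for key, n in hits.most_common():
            print(action, n, *key)
```

Feed it the raw filter log exported from pfSense (Status > System Logs > Firewall, raw view) and the address of the concentrator or the AP; repeated "block in" hits on the WAN interface with no matching pass on the LAN side are the pattern to look for.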
Indie_Beef:

I have a fresh pfSense firewall with no plugins, all defaults. I have a Meraki Z1 that was working behind an OpenWRT router. pfSense was working with an Aruba access point. My Z1 does not work on my base pfSense install. It connects to the Meraki cloud; however, the VPN tunnel is never established.

Sorry to hijack your thread. This seems similar to your problem. Did you come up with a solution?
