pfSense and meraki z3



  • Good afternoon. My wife has begun working from home and has been provided with a PC and a Meraki z3 box. The connection through the box can't be established as it is connected to my pfSense box. Is there a way to get this Meraki box to "pass through" the pfSense box or a certain firewall rule with port forwarding I need to set?

    Thanks.



  • @wyzard

    It uses IPSec, which will not work through NAT. One work around is to encapsulate IPSec packets in UDP, which will then pass through. Can it be configured for that? Does your ISP provide 2 IP addresses, so that you could connect it directly to the modem?

    Here is some installation info.

    Yet another thing that NAT breaks. The proper solution is to move to IPv6.



  • @wyzard

    One other thing, many companies install VPN software on the staff computers, so they can access the network from anywhere. I'd expect that Meraki box would normally be used only at home.



  • @wyzard

    Here's some more info.



  • I'm fairly new at doing all the settings with pfSense. How would I make changes in pfSense to let this "sneak" through.

    Thanks again.



  • @wyzard

    Here's some more info about UDP ports used.

    I've never used one of these devices, so perhaps someone else here might be able to help.


  • Netgate Administrator

    I find it very hard to believe anything that is intended as a work-from-home type device cannot connect from behind NAT.
    Many, many IPSec connections work just fine behind NAT.

    However that doc site is just giving me a protocol error right now so I can't check it.

    https://www.reddit.com/r/meraki/comments/bj24na/z3_behind_home_router/

    Steve



  • I'm successfully using a Meraki Z3 at home behind pfsense with NAT. To get it working I needed to add a couple of outbound NAT rules to get around an "unfriendly NAT issue". If you have access to the Meraki dashboard for the organisation, you can see if you are getting the same unfriendly NAT issue on the VPN Status screen for your network.

    The fix for me was to add these rules in pfsense:

    • Firewall - NAT - Outbound
    • I set my mode to Hybrid outbound.
    • Add 2 Mappings
      Interface WAN, source Z3_IP or *, udp/ * , Destination *, udp/9350, NAT address WAN Address, Nat port *, Static port Ticked.
      Interface WAN, source Z3_IP or *, udp/ * , Destination *, udp/7001, NAT address WAN Address, Nat port *, Static port Ticked.

    Further reading:
    https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto_VPN
    https://docs.netgate.com/pfsense/en/latest/nat/static-port.html



  • @chris147 said in pfSense and meraki z3:

    I'm successfully using a Meraki Z3 at home behind pfsense with NAT. To get it working I needed to add a couple of outbound NAT rules to get around an "unfriendly NAT issue". If you have access to the Meraki dashboard for the organisation, you can see if you are getting the same unfriendly NAT issue on the VPN Status screen for your network.

    The fix for me was to add these rules in pfsense:

    • Firewall - NAT - Outbound
    • I set my mode to Hybrid outbound.
    • Add 2 Mappings
      Interface WAN, source Z3_IP or *, udp/ * , Destination *, udp/9350, NAT address WAN Address, Nat port *, Static port Ticked.
      Interface WAN, source Z3_IP or *, udp/ * , Destination *, udp/7001, NAT address WAN Address, Nat port *, Static port Ticked.

    Further reading:
    https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto_VPN
    https://docs.netgate.com/pfsense/en/latest/nat/static-port.html

    Hi Chris.

    I'm new at setting up rules. I have a few questions, if you don't mind:

    1. What option do I choose for source & destination (Any, this firewall or network)?
    2. Do I need to know the IP of the Z3?
    3. Will the source and destination ports be the same? In the further reading you provided it shows the source port as 60032 and the destination as 9350.
    4. Would the source port of 60032 be the same for the 7001 destination port?
    5. How would I determine/know what the destination network is?

    Sorry for all the questions, but quite new at this.

    Thanks for all your help



  • @wyzard

    I'm with @stephenw10 on this. A device intended for use behind a home firewall shouldn't be so difficult to set up. However, in reading that info I provided, I get the impression it's supposed to be used in place of a home router/firewall. This would put it directly on the Internet, avoiding any problems with NAT. Several years ago, I set up something similar, for companies who moved employees to home offices. They had firewall/routers that were intended to be directly connected to the ISP. They also ran IPSec, as that box does. Does you're wife's employer provided VPN software on the computers, as many do?


  • Netgate Administrator

    Yes, you need to know the IP address on the Z3 because you will want to use the as the source IP in your new outbound NAT rules. So you will want to set it as a fixed dhcp lease:
    https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappings

    Reboot the Z3 so it pulls the new IP from your static mapping.

    The destination IP can be 'any' or it could be the IP the VPN is connecting to if that is fixed (and you know what it is!)

    The source and destination ports are almost never the same. Leave the source port as 'any' set the destination port to the two ports Meraki are using which seem to be 7001 and 9350.
    You could use a ports alias here with both ports in it. Or you can just add two rules, one for each port.

    Steve



  • @wyzard said in pfSense and meraki z3:

    Hi Chris.

    I'm new at setting up rules. I have a few questions, if you don't mind:

    1. What option do I choose for source & destination (Any, this firewall or network)?
    2. Do I need to know the IP of the Z3?
    3. Will the source and destination ports be the same? In the further reading you provided it shows the source port as 60032 and the destination as 9350.
    4. Would the source port of 60032 be the same for the 7001 destination port?
    5. How would I determine/know what the destination network is?

    Hi,

    As I understand it, pfsense rewrites the source port for udp/9350 and udp/7001 as a security measure to mitigate fingerprinting the hosts behind it, in a way that ISP home routers don't. It doesn't do this for udp/500 by default to allow VPN to work. The two NAT mappings are to have pfsense not rewrite the source ports when NATing traffic on those destination ports.

    1. Source and destination I have set to Type: Any. I guess I shouldn't though, see 2.
    2. You should give your Z3 a reservation in DHCP. Then in the mappings for the source use Type Network and the IP address /32.
    3. I have the source port left blank in the mapping, and destination port as 9350 in one mapping, and 7001 in the other.
    4. I have blank for the source port. Looking at my current state table, the source port is not using 60032 so I guess it changes.
    5. I have the destination set to any. You could ask the IT department for the IPs of the devices the Z3 is connecting to at their end, to lock it down further.

    One other thing, you might have to reset the pfsense states to re-establish everything. In pfsense, diagnostics - states - reset states.

    I'm fairly new to pfsense too, so if anyone has advice on doing this better, please let me know.

    Your wife could ask the IT department what they can see in her Meraki dashboard VPN Status screen. If it's partially working, any error there might help you get the Z3 on line.


  • Netgate Administrator

    Generally it's a bad idea to set outbound NAT rules with source 'any'. You can easily end up catching traffic you didn't want to like traffic from the firewall itself.
    It's better to set the rule as tightly as possible, so only the VPN traffic from the Z3 in this case, but you should at least set the LAN subnet as source there. If you copy the existing IPSec port 500 rule changing only the destination port you should be good.

    Steve



  • @chris147

    My wife's IT department is refusing to help with the issue. So far I'm not able to get out past the pfSense. I know the Meraki is handing out an IP as I connected directly to my laptop (without it being connected to the internet) and got an IP.

    Wondering if i should assign a static IP address to the computer they provided from my wife's work if that would get me around this issue, as that computer doesn't seem to be getting an IP from the Meraki (for whatever reason).

    Any other thoughts and help would be appreciated.

    Thanks.



  • @wyzard said in pfSense and meraki z3:

    Any other thoughts and help would be appreciated.

    If your ISP is like mine, you may have a 2nd IP address you can use. My cable modem is in bridge mode and I can get 2 IPv4 addresses. I normally use 1, but occasionally use the other for testing. Give it a try and see if that happens.



  • @stephenw10 Thanks for the advice, I've cleaned up my rules and combined them into to a single one using a fixed source IP for the Z3 and a port alias. I left the destination address as any because traffic to destination port 9350 goes to a couple of Meraki IPs, which I guess could change. Traffic to port 7001 goes to my workplace.
    Anyway, it's working OK with the single tighter rule.

    @wyzard
    Shame on that IT department.
    As @JKnott said, perhaps it's time to try taking pfsense out of the mix. If you dig out your old ISP router and try that, will her IT department then support getting the PC and Z3 online? Once you have the PC working, then you can re-introduce pfsense.


  • Netgate Administrator

    @wyzard Show us the outbound NAT rules you have right now, get a screenshot.

    Adding the correct rule(s) should be you need there.

    Steve



  • I know bypassing the pfSense box would more than likely get a connection. I appreciate all the help everyone has provided. Would really like to get this working without having to go through the bypassing. Especially since my equipment is in the basement, the house is wired and my wife's office is on the 2nd floor.

    Chris, I entered your suggestions, but so far, no joy. One qestion, how did you clear up your rules and combine them into a single one? What were the settings and how did you do a port alias?

    Thanks.


  • Netgate Administrator

    Using a ports alias allows you to use one rule for a number of ports. 9350, 7001 and 500 for example:
    https://docs.netgate.com/pfsense/en/latest/book/firewall/aliases.html#port-aliases

    If you can give us a screenshot I'm sure we can get this working for you.

    Steve



  • aa38b341-a36c-48c9-938d-3f3a5f846bda-image.png

    3e3a8249-7a7d-4a3c-93cc-82ed03a77214-image.png

    Both rules for 9350 and 7001 ports are the same.

    Also, I'm 95% sure that is the ip address of the device.

    Appreciate all the help.


  • Netgate Administrator

    That looks correct assuming that is the Z3 address.
    Check Status > DHCP leases to be sure.

    You could just set the source as 10.124.31.0/24 to sure it's included. Assuming your internal subnet is a /24 that is.

    We are also assuming they are using ports 7001 and 9350. Check the state table for states from 10.123.31.200 to be sure it is.

    Steve



  • @stephenw10 said in pfSense and meraki z3:
    ...

    We are also assuming they are using ports 7001 and 9350. Check the state table for states from 10.123.31.200 to be sure it is.

    @wyzard For reference, here's a sanitized version of what I'm seeing in my state table when filtered for WAN and ports 9350 and 7001. I see a couple of lines for both ports with different destination IP addresses. You can see that the source port is the same for the Z3 and WAN IPs. Before the NAT mapping was in place, those source ports were different.

    2x
    WAN udp WAN_IP:43830 (Z3_IP:43830) -> MERAKI_DEST_IP:9350
    2x
    WAN udp WAN_IP:43830 (Z3_IP:43830) -> BUSINESS_DEST_IP:7001


  • Netgate Administrator

    Ok, that looks correct. In terms of the ports at least. I would expect that to work as long as the Z3 is actually configured correctly. I assume it is not though?

    Can you get any sort of connection status or logs from anywhere?

    Steve



  • Still no luck. Verified the static IP of the Meraki. Also verified the ports. When I watch the activity it indicates that it's attempting to authenticate, the authentication failed. Still at a loss.

    Again, I appreciate all the help.


  • LAYER 8 Global Moderator

    So you actually validated this thing works when not behind your pfsense..

    Authentication failed could just mean it can't auth with the creds its using.. Are these something you or your wifi put into some gui.. Is it suppose to be you plug it in sort of solution from work and anything behind it is on the vpn?

    but before you actually blame whatever the problem is on something pfsense is or isn't doing - state port mapping for example.. Have you actually validated it works when you take pfsense out of the picture?



  • @johnpoz said in pfSense and meraki z3:

    So you actually validated this thing works when not behind your pfsense..

    Authentication failed could just mean it can't auth with the creds its using.. Are these something you or your wifi put into some gui.. Is it suppose to be you plug it in sort of solution from work and anything behind it is on the vpn?

    but before you actually blame whatever the problem is on something pfsense is or isn't doing - state port mapping for example.. Have you actually validated it works when you take pfsense out of the picture?

    Hi John. Thanks for the response.

    Yes, I have taken pfSense out of the picture and it does authenticate and work.

    It was provided to us from my wife's work and is suppose to be a plug it in sort of solution.

    I'm almost positive it's something that I just don't have right in pfSense.

    Thanks.


  • LAYER 8 Global Moderator

    Well why don't you sniff on pfsense when you connect the thing to see what its trying to do.. Are you using IPS, or pfblocker that could be blocking stuff your not aware of?

    Pfsense out of the box doesn't block anything.. So unless its something odd like its looking for a static port on your outbound nat or something... Which is odd for what say a soho wifi router would be doing..

    Your not behind a double nat are you - pfsense gets a public IP on its wan?



  • Yes, it does get a public IP on its WAN.

    Could the block private networks (RFC 1918 Networks) WAN firewall rule be preventing this from working?

    The funny thing is that her work can "see" the box. But when it tries to get out to authenticate it can't. Not using IPS or pfblocker.

    I pretty much left pfSense "stock", just added a rule to let plex outside my network.


  • Netgate Administrator

    'block private networks' on WAN will make no difference here.

    Try looking at all the open states from the Z3 IP address. It might be trying some other port(s) as well.

    Steve



  • This is extremely frustrating. Nothing that I've tried is letting me connect out using the Meraki.

    I see nothing in open states about the Z3 IP address (although I will admit I am an extreme novice when it comes to pfSense).

    Let's wipe the slate clean and if everyone that has helped so far (and again, thank you all so much for the assistance) can start from step one and what I would need to do (where to put rules, what they need to be, etc. etc.) I'll give this one more college try before throwing in the towel.

    Again, thanks to everyone for their help


  • LAYER 8 Global Moderator

    You shouldn't have to put any rules anywhere.. This should work out of the box!

    So this box gets its "wan" IP from pfsense dhcp, connected to your pfsense lan... Then you put a box behind that..

    Sniff on your pfsense lan for this IP of the Z3 IP, its gets... What do you see it doing.. Or just look in the state table of pfsense.. If your not seeing traffic and states - then its not doing anything!!! So no shit it wouldn't work...



  • Ok, so then why is it working when it's not behind the pfsense box? That is what is confusing.

    As I said, I'm a novice when it comes to pfsense, so how do I "sniff" on my pfsense lan?

    Thanks.


  • LAYER 8 Global Moderator

    Via the diagnostic menu packet capture..

    If your not seeing any states then pfsense didn't see any traffic that were allowed.. Which would make no sense unless whatever it was doing was blocked.. Which would make no sense because your default rules on lan are any any.. Unless you picked to block bogon or something and its trying to go to a bogon IP.. Which should be in the firewall log as blocked, etc. Unless you turned off logging of that..

    Out of the box this should work - your going to have to get some info if you want to try and figure out why its not.. For all we know it never got an IP on its wan?? If your not seeing any states that would make sense, etc. etc.

    Information is key to figuring out why its not working...

    Here is a quick question... What network is your pfsense lan 192.168.X and what is the network this box uses for its lan? It has to be something other than 192.168.x - or yeah your going to have nothing but issues... It needs to be 192.168.Y for example - something different than what pfsense is using for its lan. Then can not overlap or your going to have a bad day - see your trying to do 10.124 for your outbound - are you using 10/8 for your lan? and its also using some 10.x network on its lan?



  • Hi John. Really appreciate your help.

    My pfsense LAN is set to 192.168.x.x The box is set to something different then that. I do have bogon blocked on WAN but not on LAN.

    Are you also saying that an outbound firewall NAT rule(s) should NOT be needed?

    I keep working on it based on your input, so hopefully at some point.


  • Netgate Administrator

    The reason it works behind some other firewall is that most SOHO style so not randomise the source port for NAT'd connections. pfSense does that to increase security and to prevent multiple outbound states all using the same port which could conflict. For some reason the remote Meraki device is unable to cope with more than one source port. 🙄
    https://docs.netgate.com/pfsense/en/latest/nat/static-port.html

    If you don't know what ports it needs then you can just set and outbound NAT rule with static source ports for all connections from the Z3 IP. At least as a test.

    Steve


  • LAYER 8 Global Moderator

    @stephenw10 said in pfSense and meraki z3:

    NAT rule with static source ports for all connections from the Z3 IP. At least as a test.

    Great test for sure!

    But doesn't matter if the random ports on nat were were the problem or not - he still should see states or traffic.. Where you could see what it was doing from a sniff..

    That they would setup some sort of vpn solution that required static port natting seems pretty unthoughtful on where this might or could get deployed.

    But yeah just setting all outbound natting to static would be a simple test if you can not see which ports its actually using via states or a sniff..

    My pfsense LAN is set to 192.168.x.x The box is set to something different then that

    Than what was that 10.124 nonsense for an outbound nat? That would of never done anything. Where did you get the 10.124 address from?

    10124.jpg



  • It seemed to me that the 10.124.x.x was the static IP of the Meraki.

    So here's what I know:

    1. The IT department at my wife's work can "see" the Meraki when it is behind the pfsense. For some reason the Meraki can't get "back" to them.
    2. The PC that is connected to the Meraki is not getting an IP address.
    3. The PC indicates "attempting to authenticate"
    4. It then says "authentication failed".

    From what I can see in the logs on pfsense (states and packet capture) nothing seems out of the ordinary.

    I agree with everyone that this should not be that hard. I my mind should be a simple plug and play. Really not sure what is going on?

    About to call it a TKO



  • @wyzard said in pfSense and meraki z3:

    I agree with everyone that this should not be that hard. I my mind should be a simple plug and play.

    As I mentioned, this appears to be a device intended to replace a consumer router/firewall, not be used behind it. That it works without pfSense shows this. Another thing you could try is put a consumer grade router/firewall ahead of it. If that works, then some investigation may reveal what the problem is.


  • LAYER 8 Global Moderator

    @wyzard said in pfSense and meraki z3:

    It seemed to me that the 10.124.x.x was the static IP of the Meraki.

    Where did you get that from? It wouldn't be able to do anything if that was its IP of its wan, and if that is is lan IP, your outbound nat wouldn't do shit..

    The IT department at my wife's work can "see" the Meraki when it is behind the pfsense. For some reason the Meraki can't get "back" to them.

    If they can see it, then it CAN get back to them..

    The PC that is connected to the Meraki is not getting an IP address.

    Then how would it be saying its attempting to authenticate...

    Answer some basic questions.. from pfsense does it hand out an IP address to this device? If so what is it?

    When you connect a PC to the lan side of it.. lets see the IPconfig /all from this device...



  • @JKnott said in pfSense and meraki z3:

    @wyzard said in pfSense and meraki z3:

    I agree with everyone that this should not be that hard. I my mind should be a simple plug and play.

    As I mentioned, this appears to be a device intended to replace a consumer router/firewall, not be used behind it. That it works without pfSense shows this. Another thing you could try is put a consumer grade router/firewall ahead of it. If that works, then some investigation may reveal what the problem is.

    I agree about it replacing a router/firewall. I don't want to send all my traffic through that though. Not that I have anything to hide, but according to the installation instructions that were sent home with my wife, this should plug into the existing router and work. And, as I said, her IT department is pretty much useless.


Log in to reply