Meraki Z1 Not working as expected. Client device still using local network

NeighborGeek
Level 1

We're evaluating a Meraki Z1 teleworker appliance, and so far have found that it's not working as we expected.  Our use case is for staff who work from home on a permanent basis.  They have a company issued computer and phone.  Currently, they are connecting the computer to their home router/wifi and then establishing a VPN connection into our network.  

We would like to connect the Z1 to their home router and the computer & phone to the Z1.  The Z1 should establish a site-to-site VPN and tunnel all traffic from the work computer & phone.  The devices connected to the Z1 should have no access to other resources on the home LAN.  Ideally, the computer and phone should get native IPs on our internal network; we don't want them NAT'ed.  

Based on the above, should the Z1 be able to do what we want?

Currently, the Z1 is configured in passthrough mode, and has established a VPN tunnel to a Meraki MX64 on our internal network.  We have a client connected to the Z1's wifi, but the client is getting an IP from the user's home router and has full access to the home network.  It seems as if the Z1 is just acting as a wifi AP and dumping all traffic straight onto the home network.  I did see a note in one of the configuration screens stating that the upstream router must have routes configured to send traffic destined for our internal network through the Z1, which seems to match the behavior we're seeing, but is definitely not what we want/expect.  

Passthrough mode in the Z1 settings is described as: "The security appliance acts as a Layer 2 bridge, and does not modify client traffic. Configure VPN to enable communication with remote peers."  My expectation was that all traffic for clients connected to the Z1 would pass through the tunnel to our internal network and be routed from there.  Instead, it seems to be sending all traffic for clients to the local network, and then expecting the user's home router to send traffic for our internal networks to the Z1.  Am I completely misunderstanding how this should work?  Do we need to use NAT mode, even though we want the client to have a native IP on our internal network?

Thanks!

4 Replies

Philip D'Ath
VIP Alumni

Yes, the Z1 can do what you want.

With regard to WiFi, it can be used to provide access for both a home user and a corporate user.  In your case you only want "Corporate" access.  Follow this configuration guide on how to do it.
https://documentation.meraki.com/MX-Z/Wireless/Creating_a_Wireless_Guest_VLAN_on_a_Z1_or_Wireless_Security_Appliance

richgouette
Level 1

Howdy,

Say I'm currently looking to do pretty much exactly what you outline in this post (haven't had my hands on a Meraki unit as yet).

I'm wondering how you're getting on with the Z1, and if it's doing what you wanted?

Also, I'm curious if you're segregating HTTP traffic, and having the local internet assume those duties?

Would love to hear your feedback.

Rich

PS. I looked for a PM option, but it looks like that's not available here.

As usual, we've had lots of other stuff going on, and progress on the Z1 project has been slow. As it stands currently, the Z1 is configured and working, although not exactly how we wanted it initially.  We plan to deploy to our first pilot user (outside of IT) in the next week or so.  

As I said in the original post, the pass-thru mode does not seem to work as we expected based on the description.  We ended up having to configure it in NAT mode to isolate clients from the user's home LAN and force tunneling of all traffic.  The Z1 gets its own subnet, and acts as a DHCP server and gateway for clients.  I'm not the primary person working with the Z1 at this point, but from what I'm told we're going to end up having to configure each Z1 to use a unique subnet, which will make things quite a bit more complicated for us in the long run.  That doesn't seem right to me, but I can't quite place my finger on why.  I'm more of a server guy than a network guy, so I may be missing something. 

I'll try to report back again once we have the pilot user up and running and get an idea of whether it's going to work out for us or not.  
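The point above about every Z1 in NAT mode needing its own client subnet is a planning problem: the hub learns each spoke's LAN over the site-to-site VPN, so two spokes advertising the same prefix (or a prefix that overlaps the hub's internal networks) collide. As an added example, not code from the thread or from Meraki, here is a small Python planner that detects such overlaps and carves non-overlapping per-site subnets out of a reserved block; the pool 10.200.0.0/16 and the hub prefix 10.0.0.0/16 are assumed sample values.

```python
import ipaddress

# Constructed planning data (sample values, not from the thread):
# the hub's internal network and a block reserved for Z1 client subnets.
HUB_SUBNETS = ["10.0.0.0/16"]
TELEWORKER_POOL = "10.200.0.0/16"


def find_overlaps(subnets):
    """Return (a, b) pairs of prefixes that overlap.

    A site-to-site VPN plan needs this list to be empty: the hub cannot
    route correctly if two spokes, or a spoke and the hub, share address space.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def allocate_site_subnets(pool, n_sites, prefixlen=24, reserved=()):
    """Carve n_sites non-overlapping /prefixlen subnets out of pool.

    Candidates that overlap any prefix in `reserved` (hub LANs, already
    assigned sites) are skipped, so the result is safe to hand to new Z1s.
    """
    pool_net = ipaddress.ip_network(pool)
    reserved_nets = [ipaddress.ip_network(r, strict=False) for r in reserved]
    chosen = []
    for cand in pool_net.subnets(new_prefix=prefixlen):
        if any(cand.overlaps(r) for r in reserved_nets):
            continue
        chosen.append(str(cand))
        if len(chosen) == n_sites:
            break
    if len(chosen) < n_sites:
        raise ValueError(f"pool {pool} too small for {n_sites} /{prefixlen} sites")
    return chosen


if __name__ == "__main__":
    # Plan three teleworker sites, keeping the first /24 of the pool free.
    sites = allocate_site_subnets(TELEWORKER_POOL, 3, reserved=HUB_SUBNETS + ["10.200.0.0/24"])
    print("site subnets:", sites)
    print("overlaps with hub:", find_overlaps(sites + HUB_SUBNETS))
```

Running the check over the full list of hub and spoke prefixes before each new Z1 is enrolled catches the duplicate-subnet mistake before it reaches the VPN.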

I'm working on getting my hands on a demo unit asap.

here's hopin!