Not a Network Admin here, so if there are fundamentals I am missing forgive me.
I spoke with Meraki support last week and learned that you cannot effectively use two MXs to extend a subnet between two separate sites, as the tunnel in Passthrough mode does not pass all of the traffic, like DHCP.
I mentioned that the MR APs *can* seemingly do this, as devices that connect to them can get an IP from DHCP at a remote site. (This is how our home users operate.)
The rep confirmed that despite using the same term (AutoVPN), that is where the similarities end. The tunnels are different between an AP/MX and MX/MX.
I asked if I could use an AP like an MR52 and the passthrough port along with port profiles to attach a device physically to the AP and piggyback off the tunnel to get a DHCP address on that wired device. Rep confirmed yes.
This is where I am stuck: I can get a device on wireless to get a DHCP address, but not from the passthrough port/port profile port.
Been on with support for hours today getting pcaps, but so far no luck.
Edit: After re-reading the Meraki documentation, it confirms this is possible at the very bottom, in their graphic.
Edit 2: SOLVED! Documenting in case anybody else comes across this.
I found a section in the above documentation that states Port Profiles are mutually exclusive with Port Aggregation for 2-port APs.
We don’t use aggregation, but Port 1 (PoE+/Uplink) was enabled for Aggregation and Port 2 was disabled.
I disabled aggregation on Port 1 and now the passthrough is working correctly.
I can even use an unmanaged switch to attach multiple wired devices to a single passthrough port on an MR52.
Sorry, but you don’t understand how Layer 3 works. You’re thinking of the Internet or WAN in Layer 2 terms.
Unless you use exotic technology, or very simple metro Ethernet, you can only have a subnet in one location. The gateway address is at one site and everything in that subnet is at that site on that LAN.
You can remote to distant DHCP servers, file servers, etc, but the subnet is only at one location.
You may have to back up a minute and explain / consider why you are even trying to extend a VLAN across multiple sites. This is not only very challenging, as you’re finding, but also going to be unstable and vulnerable to failures. There are very few valid reasons to do this and even fewer reasons to make it worth your time.
That may be the case, I wouldn’t be surprised if I’m just lacking knowledge.
But if this is the case, how does it work for wireless devices on the AP? We give them to everybody that works remotely and their laptops and phones grab IPs of the home office.
Why does it only break down when we try to attach a wired device to the equation?
Temporary new location. Half of an office is moving over, and creating a new subnet with our software vendor is quite the endeavor. Printers and such that they have to build with a set IP would need to be rebuilt as well then.
Not saying it’s impossible, just looking at easier alternatives since it’s not a permanent site.
We do have another free MX, but I couldn’t figure out a way to use them to extend the subnet. Two support reps said it couldn’t be done with MXs as well.
The Meraki firewall pages are set to allow all. Connecting to the MR wirelessly gets me on the LAN currently; once I connect via Ethernet to the port profile port, it just sits at “unidentified network” with an autoconfig address.
Are you doing the wireless tunneling/concentrator function? I’m guessing yes if people are getting office IPs while connected to the AP at home.
It’s probably just some edge use case the developers never implemented. I can’t find any caveat explicitly calling it out, but I wouldn’t be surprised if the answer is just “that doesn’t work right now.”
I gotcha, we did something similar recently where we moved offices down the street and they wanted the same network in both places temporarily. Both offices had fiber to a common datacenter, so we extended the VLANs that way with 9300 switches and didn’t use the MXs. If you have any switches under the MX that can do Layer 3, they may be able to stretch the VLAN over the VPN tunnel?
Correct. Wireless tunneling to an on-site concentrator.
Things seem to point to “it should work,” but so far no luck. Thanks for looking as well though, it’s easy to miss things.
We use MS225 switches but the new site will be getting its own circuit and not connecting back to the others. Doing this like you did with switches probably won’t work then right?