Technical issue with Meraki and other network


olivernz

May 7, 2008, 8:15:46 AM
to TheFreeNet - Aotearoa
Hi all,

I'm a little lost here. I'm redesigning my network. What I wanted to
do was:

1) Telstra Clear Motorola Modem with fixed IP for uplink
2) Connected to a Switch via Ethernet
3) Connected to the switch is the Meraki and an Airport Extreme Base
Station

The Airport Extreme works like a charm but the Meraki remains in
scanning mode. Why doesn't the Meraki find its way to the Internet?

Cheers Oliver

Roy Davis

May 7, 2008, 6:09:02 PM
to ftnao...@googlegroups.com
It calls 'home' (meraki web services in california) to complete the set up. Chances are it can't talk to the meraki webservices for some reason.

Check that it can see your gateway. It's been ages since I set my one up, but I don't recall setting an IP address, so I assume it received DHCP information from proxy server. In your case I suspect that it would be the airport device; check if that is dishing out DHCP info. The info related to that should be easy to access through the admin console for the airport, else you could turn the airport off and plug in a computer that is configured to get DHCP info (you might have to flush your DHCP info off any computers you have at home ... on Windows just go to the command line and type 'ipconfig /release'; not sure about OSX, I can't say I have ever had a problem :P).

I would assume the DHCP info could be set manually for the meraki device as well, I'm sure there would be info online.

Cheers,
Roy

Roy Davis

May 7, 2008, 6:16:34 PM
to ftnao...@googlegroups.com
Sorry, should clarify as the last post didn't make sense when I re-read it...

- Plugging in a computer with the airport off should fail to connect to the internet, the same behaviour as the meraki device.

- Turn the airport back on so it dishes out DHCP info. The airport might only be dishing out 'client' info, i.e. to wifi-connected laptops. So if the computer (connected to the switch) failed to connect at this point, then the airport is only dealing out client info, which is probably why the meraki is failing.

- If your computer manages to connect, then the airport is giving out info to all network clients and you might want to start suspecting the meraki device, and perhaps take it to a mate's to check on a different network.

Also I'm assuming the switch you are talking about is a switch and not a router that could also be the source of DHCP info.

Cheers,
Roy

Donald Gordon

May 7, 2008, 6:39:44 PM
to ftnao...@googlegroups.com
TCL cable modems aren't routers. TCL only give you one IP address; you
need a router to share it to multiple devices. Your Airport extreme
should be able to do this.

You need to plug the airport extreme into the cable modem directly (as
this seems to be set up), but then plug the meraki into the LAN side of
the airport.

There's no problem with using a switch between the airport and the cable
modem, it's just plugging other things into that switch that's not very
useful.

donald

olivernz

May 7, 2008, 9:42:12 PM
to TheFreeNet - Aotearoa
Ok, I'll try and draw it although you might have given the answer
already.


Internet
   |
Cable Modem
   |
Switch-------------
   |              |
Meraki          AEBS

The AEBS is connected via the WAN port. So the Meraki has no access to
anything on the AEBS. What I'm trying to do here is to separate the
Meraki out of my network.

Now the Cable Modem does talk about it being able to feed 32 IPs via
DHCP (range 192.168.100.11-42). Although I haven't been able to figure
out how that works as the AEBS doesn't get an address.

I'll do some more Googling then....

Cheers & Thanks for the replies!
Oliver

Donald Gordon

May 7, 2008, 10:36:24 PM
to ftnao...@googlegroups.com
Yes, that's what I thought.

You cannot plug both the Meraki and the AEBS into the cable modem. If
your AEBS only has one ethernet port, marked "WAN", then ... er, things
get interesting. If it has "LAN" ports, plug the meraki into one of them.

You or the TCL installer will have configured the AEBS with the static
IP TCL gave you, which is why it works despite TCL's cable network not
providing DHCP.

The DHCP feature of the cable modem is pretty much useless, ignore it :-)

donald

olivernz

May 8, 2008, 6:34:37 PM
to TheFreeNet - Aotearoa
*ARGH*

I don't want to punch in the Meraki to the AEBS as then the Meraki
opens up access on all devices on the AEBS network. I still haven't
found a documentation/Google as to how I can create a tunnel from the
Meraki to the AEBS. The AEBS doesn't support a DMZ (or similar).

Cheers

Bruce Hoult

May 8, 2008, 6:58:11 PM
to ftnao...@googlegroups.com
On Fri, May 9, 2008 at 10:34 AM, olivernz <oliver....@gmail.com> wrote:
>
> *ARGH*
>
> I don't want to punch in the Meraki to the AEBS as then the Meraki
> opens up access on all devices on the AEBS network. I still haven't
> found a documentation/Google as to how I can create a tunnel from the
> Meraki to the AEBS. The AEBS doesn't support a DMZ (or similar).

Then you're going to need a router to plug both the Meraki and the AEBS into...

Donald Gordon

May 8, 2008, 7:05:53 PM
to ftnao...@googlegroups.com
Of course, if this was an open source platform, it would be trivial for
someone sufficiently skilled in the art to add a "protect my LAN" option
to the firmware...

In fact it should be possible to ssh into the meraki and add an extra
iptables rule to run on startup and make the meraki unable to talk to
the hosts on your LAN other than the router, but there's no guarantee
that'll keep working when the meraki upgrades itself.

The problem is that you want a fairly complex firewall setup, but are
using consumer equipment that doesn't support what you want without some
hacking.

donald
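
An added example, not part of the original thread and not Meraki's own configuration: the kind of startup rule described in the post above, generated as an `iptables-restore` fragment. The LAN range `192.168.1.0/24` and router `192.168.1.1` are constructed sample values, and it assumes the access point passes client traffic through the `FORWARD` chain.

```shell
#!/bin/sh
# Added example (not from the thread). Sample addresses are constructed.
# Assumes client traffic is forwarded via the device's FORWARD chain.

# Convert a dotted-quad IPv4 address to an integer; fail on bad input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside CIDR block $2, e.g. 192.168.1.0/24.
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - $bits)) & 4294967295 )); fi
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# Print rules for `iptables-restore --noflush`: first match wins, so the
# router stays reachable and every other LAN host is dropped.
# $1 = LAN CIDR, $2 = router address (must be inside the LAN).
lan_isolation_rules() {
    in_cidr "$2" "$1" || { echo "router $2 is not in LAN $1" >&2; return 1; }
    printf '%s\n' '*filter' \
        "-I FORWARD 1 -d $2/32 -j ACCEPT" \
        "-I FORWARD 2 -d $1 -j DROP" \
        'COMMIT'
}

lan_isolation_rules 192.168.1.0/24 192.168.1.1
```

The rules are inserted at positions 1 and 2 so that an earlier ACCEPT in the existing chain cannot override them, and `--noflush` keeps the device's other rules in place.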

Mike P

May 8, 2008, 7:09:35 PM
to ftnao...@googlegroups.com
The Meraki already has a "protect my LAN" option.  It is turned on for TheFreeNet.
 

Bruce Hoult

May 8, 2008, 7:12:26 PM
to ftnao...@googlegroups.com
On Fri, May 9, 2008 at 11:05 AM, Donald Gordon <d...@dis.org.nz> wrote:
>
> Of course, if this was an open source platform, it would be trivial for
> someone sufficiently skilled in the art to add a "protect my LAN" option
> to the firmware...

But for those not sufficiently skilled in the art, is it cheaper to
pay someone to hack it up for them, or to plonk down $45 on something
like this (assuming it will do it .. it does say DMZ in the blurb):

http://www.ascent.co.nz/productspecification.aspx?ItemI

Donald Gordon

May 8, 2008, 7:38:25 PM
to ftnao...@googlegroups.com
Bruce Hoult wrote:
> But for those not sufficiently skilled in the art, is it cheaper to
> pay someone to hack it up for them, or to plonk down $45 on something
> like this (assuming it will do it .. it does say DMZ in the blurb):
>
The link doesn't work :-)

"DMZ" for most home-small-office routers usually means "redirect all
ports to this IP", which is not what Oliver wants in this case at all.
Yes, calling that feature "DMZ" is just plain wrong, but people seem to
do it anyway.

A reasonable number of community wifi projects seem capable of
attracting people who are sufficiently skilled in the art and happy to
do that sort of thing for free (well, the feature adding to open source
firmware in their copious free time, anyway). Without that, you're just
a bunch of guys hoping that meraki won't have some other drastic
sea-change in their business model that's incompatible with your {
goals, funding model, etc }.

But then I guess if meraki does actually support a protect-your-LAN
feature then there's no problem, this time.

donald

olivernz

May 8, 2008, 11:07:03 PM
to TheFreeNet - Aotearoa
@Mike:
I don't believe so as I can still reach all my clients in the internal
LAN if I plug in the Meraki. So I don't quite know what you mean by
"turned on for TheFreeNet".

olivernz

May 8, 2008, 11:12:52 PM
to TheFreeNet - Aotearoa
So that means I always have to have two routers to use a Meraki or at
least a very intelligent router that can route multiple subnets to
operate a safe environment when attaching a Meraki. Sorry but that's
just too expensive.

Pic:

Internet
   |
Cable Modem
   |
Router------------
   |             |
Router         Meraki
 ||||
 LAN

In the past I've used a PC-Router (i.e. PC with 3 nics and Fli4l) to
route the three. Now I want to reduce my power usage and just have the
AEBS... In the end I think I'll have to go back to the old set-up
won't I?

Are all of you who have Merakis hooked up not concerned? Or am I
missing something?

Bruce Hoult

May 8, 2008, 11:20:06 PM
to ftnao...@googlegroups.com
On Fri, May 9, 2008 at 3:07 PM, olivernz <oliver....@gmail.com> wrote:
>
> @Mike:
> I don't believe so as I can still reach all my clients in the internal
> LAN if I plug in the Meraki. So I don't quite know what you mean by
> "turned on for TheFreeNet".

It's a setting in the Meraki control panel. See the bottom one here:

http://hoult.org/bruce/dmz.png

Roy Davis

May 8, 2008, 11:25:54 PM
to ftnao...@googlegroups.com

My set up is as follows:

Internet
|
Gateway running ipcop
|                |             |
Switch       DMZ       Meraki
|        |
Wifi   Lan


The gateway PC is an old 150 I rescued from the rubbish bin 4 years ago and is doing a pretty good job, except the hard drive periodically crashes. IPCop has a built-in squid proxy which probably pays for the cost of running the box; the stats say that ~35% of my traffic is served from the box, meaning for my usage that's around 3-4gb a month. Also, since I started using the box we haven't had a single malware or virus get into the flat, which surprised me when I found out my flatmate refuses to patch his XP machine and keeps the virus software turned off 99% of the time so games run faster.

The gateway has 4 network cards, each zoned differently. The terminology for IPCop is Green (Lan), Orange (DMZ), Blue (wifi/meraki), Red (outside world). 95% of the time I have Blue and Orange turned off, though; I just use them when I feel like tinkering with things.

Anyway, I can have different rule sets and permissions per zone. So I just run with a standard set up, with the exception that the blue zone can't talk to the green zone and has several ports disabled. So it's very close to a turn-key solution.

Hope that helps.

Roy

Mike P

May 9, 2008, 12:21:43 AM
to ftnao...@googlegroups.com
It's been a while, but I think the default setting for a Meraki out of the box, is "share the LAN".
 
If you set up a custom network, with "hide the LAN", then it needs to see the Internet/Meraki to download its configuration.
 
~mike

 

olivernz

May 10, 2008, 10:42:47 PM
to TheFreeNet - Aotearoa
Hi Mike,

Ok, this might be my fault. The last time I stuck my Meraki into my
net it could reach local 192.168.xxx.xxx addresses. Now this is
switched off. Do you still remember when you flicked the switch? With
the config like this it's excellent! Much happier here. Now I can take
my Meraki online again. :)

Cheers
Oliver

On May 9, 4:21 pm, "Mike P" <zoomzoom.m...@gmail.com> wrote:
> It's been a while, but I think the default setting for a Meraki out of the
> box, is "share the LAN".
>
> If you set up a custom network, with "hide the LAN", then it needs to see
> the Internet/Meraki to download its configuration.
>
> ~mike
>

Mike P

May 11, 2008, 6:35:04 PM
to ftnao...@googlegroups.com
It was always turned off.  Sounds like it was unable to download its configuration for some reason, and went into some default Meraki configuration.