Meraki MX65

Has anyone successfully connected their PBX through a Meraki device such as an MX65 Security appliance?
I’m running into issues with voice traffic being blocked in a multiple-phone scenario, but the first phone connected will work properly.
I’ve looked at creating 1 to many NAT rules to ports 5060 from the public IP, but nothing is working.

Thanks

Not nearly enough information to help you. There are so many questions about your installation that I can’t even decide where to start. How about starting with a version number and some more network information.

My apologies for that. My intent was to find those who have had direct experience with the Meraki MX65 unit in particular, so as not to waste anyone’s time on rabbit chases.

We have a working PBX with about three hundred extensions. We are going to be providing service to a sister location in an off-site location which has an MX65 as its network firewall.

I’ve begun testing an identical setup to provide POC before implementation. It is in this testing that I’ve encountered the issue I mentioned above. I’m fairly certain that the issue is in the firewall because everything works as normal without it in place.

If anyone has experience with the MX65 or any Meraki cloud equipment, I’d appreciate any advice you could offer on setup or rules configuration.

Asterisk: 11.17.1
FreePBX: freepbx-2.11.0beta2

I tried on a Meraki MX80 and had no luck. Decided to go the hosted route so I did not spend too much time on it. The same internal PBX worked fine when using my Peplink as the firewall with SIP ALG turned off, so something with Meraki was not compatible.

Ok, thanks Marc!

I’m starting to get the feeling that this might be a dead end with the Meraki and SIP.

Call Meraki, they will be happy to sell you a phone system…LOL. It will cost about a million dollars over 10 years.

Have you tried setting up VPN site to site? Other options are to set up firewall rules to allow ALL traffic from the other site (both ends) ONLY, and specifically the IAX port 4569. Specify the source IP so you don’t open up the whole world to these ports.

IPTABLES example:

IAX2- the IAX protocol

iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

RTP - the media stream

(related to the port range in /etc/asterisk/rtp.conf)

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
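Added example, not part of the original post above: a sketch that prints the same two rules restricted to the remote site's address, with the RTP range read from rtp.conf. The address 203.0.113.10 and the embedded rtp.conf are constructed placeholders and the helper names are hypothetical; the script only prints rules and applies nothing.

```shell
#!/bin/sh
# Print source-restricted iptables rules for IAX2 (udp/4569) and RTP.
# Assumption: REMOTE_NET is the other site's public IPv4 address or CIDR.

# Constructed sample of /etc/asterisk/rtp.conf, embedded so this runs offline.
sample_rtp_conf() {
cat <<'EOF'
[general]
; constructed sample
rtpstart=10000
rtpend=20000
EOF
}

# rtp_range: read rtp.conf on stdin, print "start:end" in --dport syntax.
# Fails (non-zero) if either value is missing, non-numeric, or reversed.
rtp_range() {
    awk -F= '
        /^[ \t]*;/ { next }                      # skip comment lines
        { k = $1; v = $2
          gsub(/[ \t]/, "", k)                   # trim key
          sub(/;.*/, "", v); gsub(/[ \t]/, "", v) }  # drop inline comment, trim
        k == "rtpstart" { s = v }
        k == "rtpend"   { e = v }
        END { if (s ~ /^[0-9]+$/ && e ~ /^[0-9]+$/ && s + 0 <= e + 0)
                  print s ":" e
              else exit 1 }
    '
}

# emit_rules SRC RANGE: print the two ACCEPT rules limited to SRC.
emit_rules() {
    src=$1
    range=$2
    # Refuse an empty source, non-IPv4/CIDR characters, and the any-address,
    # since any of those would open the ports to the whole internet.
    case $src in
        ''|*[!0-9./]*|0.0.0.0*) echo "refusing source '$src'" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -s %s -p udp -m udp --dport 4569 -j ACCEPT\n' "$src"
    printf 'iptables -A INPUT -s %s -p udp -m udp --dport %s -j ACCEPT\n' "$src" "$range"
}

REMOTE_NET=${REMOTE_NET:-203.0.113.10}   # constructed placeholder address
range=$(sample_rtp_conf | rtp_range) && emit_rules "$REMOTE_NET" "$range"
```

On a real PBX, feed `rtp_range` from `/etc/asterisk/rtp.conf` instead of the embedded sample and review the printed rules before applying them.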

Good ideas Sippy. I’ll look into the VPN and firewall rules.

Thanks

Yep, you got that right

We use Meraki MX64s and they work fine. Had to allow the remote network in the PBX firewall and in the advanced settings for SIP.

The problem I seem to be having is that the MX65 is blocking UDP traffic back in from the external address of the PBX.
I’ve experimented with 1:1 and 1:Many NAT settings, but so far no luck.

I use Meraki and FreePBX quite extensively and assure you your problem can be solved.

If I understand you correctly, you have a primary site where there is a FreePBX server and all clients are currently located there. You’re standing up a new site (with the Meraki MX) and you want users there to have VOIP services hosted by the PBX at the primary site.

There are a couple approaches here but I’d argue you should just create a VPN tunnel between the two sites. Meraki makes that super easy, especially if the other site has an MX and they’re in the same organization. What kind of firewall is at the primary site? Are you comfortable setting up VPN tunnels?

The bad news is that Cisco recommends using VPN. Another option, if you are insistent on keeping the Meraki, is to put in an Edgemarc SBC and put the Meraki behind it. If you have 2 static IPs, configure the WAN of the Edgemarc with one, then set up the Edgemarc proxy ARP with the second, set the WAN of the Meraki with the second public IP, and connect the WAN interface of the Meraki to any Edgemarc LAN port. This way the traffic shaper on the SBC will be able to manage both voice and data. Connect the phones to the Edgemarc and all data equipment to the Meraki.

LAN to LAN VPN was the solution for us. Works extremely well.

Yes, you’re correct on the topology. I will investigate the VPN tunnel solution. I’m currently trying to acquire another MX65 to complete this with.

Thanks!

Thanks for the suggestion. This seems to be the consensus and I look forward to seeing how it works. I will update when I have completed testing.

Thanks all for the great FreePBX Community support!

Your Meraki rep will usually be happy to overnight you trial gear which you can keep (and pay for) or send back after a month. Meraki auto-VPN is about as easy as VPN gets. You’ll also want to enable traffic shaping such that your VOIP traffic gets prioritized. These articles should help:

PDF Whitepaper: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

Traffic Shaping: