Meraki

Community

Downstream Router for Segregated Resources

Image_Acquire
Here to help
‎Feb 24 2023 2:05 PM
‎Feb 24 2023 2:05 PM

Downstream Router for Segregated Resources

 

I have recently replaced a patchwork collection of TP-Link routers with a Meraki Go Router Firewall Plus (GX50), a Meraki Go switch (GS110-8), and 4 Meraki Go Wifi 6 Access Points.  Everything is working well so far, and the 4 WiFi access points are giving us a consolidated wireless network available throughout our site.  I am trying to eliminate all the TP-Link routers from the network.  Here's what I'd like to do:

 

I have a TP-Link router currently plugged into one of the LAN ports of the GX50.  This router serves as a downstream network to segregate more sensitive resources that only a subset of users need access to.  The WAN port of the TP-Link I want to replace has an IP of 10.1.10.100 (Subnet Mask 255.255.255.0), and provides DHCP services for its LAN network of 192.168.11.x (Subnet Mask 255.255.255.0).  The TP-Link router also broadcasts a separate WiFi network for the 192.168.11.x LAN network.  I was planning on adding another Meraki Go WiFi 6 access point connected to the LAN port of this other downstream router.  I assumed that I just needed to buy an additional GX50 and add it into the Meraki Go configuration, but the interface says I can only have one GX50.

 

Perhaps I am not conceptualizing this correctly.  How can I accomplish this, or do I just need to leave the TP-Link router in place because it can't be done with the Meraki Go hardware? 

4 Replies 4
hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Feb 27 2023 1:03 PM
‎Feb 27 2023 1:03 PM

Hello @Image_Acquire 

 

I like the project! Your approach is correct, in my opinion. We simply did not intend for someone to use two GX devices within the same physical network, but if your desire is to physically segment a network (and not just rely on L3 firewall rules) you have the right idea. 

 

To configure a second GX, you need to leverage multi-site, or in essence set up a new "site" for your second GX. You can then provision and configure the second GX as you see fit. Here are the instructions on how to do so:

https://documentation.meraki.com/Go/Features/Managing_Multiple_Sites_with_Meraki_Go#Create_New_Site

0 Kudos
In response to hidden0
Image_Acquire
Here to help
‎Feb 27 2023 3:17 PM
‎Feb 27 2023 3:17 PM

Thank you.  The more I think about this, I'm wondering if I can also use a second VLAN for the 192.168.11.x network.  If I do so, should machines on the 192.168.11.x network be able to get to printers with an IP address on the 10.1.10.x network?  I tried this with my second GX50, and the machine I used on the 192.168.11.x network couldn't seem to ping or tracert to the 10.1.10.x network.  Any thoughts on what I need to do to make that work?  The other question is if I setup the client VPN on the GX50, should a machine connected through the VPN be able to get to both the 10.1.10.x network resources and the 192.168.11.x resources?

0 Kudos
In response to Image_Acquire
hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Feb 28 2023 8:21 AM
‎Feb 28 2023 8:21 AM

Good mornin @Image_Acquire

You can consolidate to a single GX and create a new VLAN that used to exist on the TP-Link router, that should be fine. Devices on VLAN A could get to devices on VLAN B. For example:

 

Your' current GX50 could hold VLAN X (where X is just your VLAN ID) with network 192.168.11.0/24, GX IP at 192.168.11.1. It could have a second VLAN Y that is 10.1.10.0/24 with the GX IP at 10.1.10.1. In this setup, so long as the secure network toggle is set to false, the devices should be allowed to communicate to each other on the LAN.

 

If you want the two GX setup, the GX50 that is downstream of the GX50 connected to the internet will act as a firewall (which is good news) and block unsolicited inbound connections to the 10.1.10.x network. Devices on the downstream GX50 could initiate connections upwards just fine (i.e. 10.1.10.50 pings 192.168.11.20 would work), but connections coming into the 10.1.10.x network are blocked unless a port forwarding rule exists.

 

Finally, if you setup client VPN on the downstream GX50 - the connecting client devices should, in theory, be able to reach both the 10.1.10.x and 192.168.11.x networks. If you configure client VPN on the upstream GX50, it would be able to access the 192.168.11.x network, but be blocked by the downstream GX50 that holds the 10.1.10.x network (unless a port forward rule existed for it).

 

Was the TP-Link router just routing? If that was the case, it probably would have let traffic through without a second thought, which would be the primary difference between the TP-Link and the GX.

0 Kudos
Xydocq
A model citizen
‎Feb 28 2023 8:08 AM
‎Feb 28 2023 8:08 AM

I run the same setup you described on different locations.

 

The resources connected directly to the downstream router are available to the computers connected to the second router. But not the other way around.

 

the second router is part of the network the downstream router creates. Any request sent to the second router is a request from the "internet". They are blocked by the firewall and won't go thru.

 

The thing to do, place the network you want to hide behind the second router and the one you want to have access to to the downstream router.

 

Creating two VLANs on one router will also work. But then acces from and to the other vlan is possible.

0 Kudos
Get notified when there are additional replies to this discussion.
© 2024 Cisco Systems, Inc.