1:1 NAT Failover


Hi All,


I need to set up 1:1 NAT on an MX250 so that in the event that my primary WAN uplink fails, inbound traffic will NAT via the secondary WAN uplink.


I have read the below guide that illustrates that a secondary NAT rule can be configured for failover using a different uplink; however, this uses a separate public IP address. In my scenario, the ISP will automatically advertise the /29 public IP address block via uplink Internet 2 (using static routes that are advertised into BGP) in the event that the primary internet connection fails.


Is this possible on the MX? Unfortunately I don't have one available to test this with.






Are you unable to use a Virtual IP in this scenario and just connect WAN 1 port on each MX? This would allow you to leave the NAT rules alone. 




No, this is not possible as it's a single MX.



Sorry, forgot to mention - I'm only trying to achieve internet resiliency here and not MX appliance resiliency. When the primary internet circuit fails that carries the /29 prefix used for 1:1 NAT, I need that /29 prefix to route to the secondary internet connection, which is possible on the ISP's side, and NAT on the MX.


Essentially I will be duplicating the NAT rules for each uplink, but I don't know if this is possible.

I see two options.


1. Have the ISP terminate the two ISP connections onto a separate switch, and then plug that into the WAN1 on your MX.


2. Have the ISP connect to each WAN port of the MX using a /30 stub. Then route the /29 down one of the links, and in the event of a failure, route it over the other. This approach is going to require you to have an exceptional ISP, so I would go with option 1.

Hi Philip,


Our ISP has checked and confirmed that option 2 is possible so that is not the issue. The issue is that I'm not sure if the MX will support the same 1:1 NAT rules via both Internet 1 and Internet 2 interfaces. For example, if my public IP block is and public IP NATs to internal via Internet1 during normal operation, then what happens when the ISP detects a failure and routes to Internet2? Can I set up the same NAT rules on both WAN uplinks to support this?


Thank you


I'm pretty sure you'll need to NAT to a different IP for the WAN 2 rule. Can you go for the other option @PhilipDAth presented so this isn't an issue? 


Yes, the MX can support having the same NAT on both WAN links. Here is the info on configuring it:



You simply specify Uplink as Both.
