2 firewalls in 1 public /24 subnet

hmc250000
Getting noticed

We have 2 firewalls (1 SonicWall and 1 Meraki MX) and we have tried configuring port forwarding rules for some of our web servers on each firewall. However, the port forwarding rules on the Meraki MX do not work, but they do work on the SonicWall.

I'm wondering how the traffic will know which firewall to go to in order to get to the destination web server?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

BlakeRichardson
Kind of a big deal

I don't quite understand, do you have two firewalls one behind the other? So you're double NATing, or have I misread?

Port forwarding is very simple and I have found it just works. I've found port forwarding on SonicWall more difficult unless you use the wizard.

They will both respond with their own MAC address to the ARP query for the public IP address. It is likely to result in things breaking.

DarrenOC
Kind of a big deal

I'm with @BlakeRichardson on this one. Port forwarding on the MXs simply works. We've not long ago replaced a customer's firewall infrastructure from SonicWall to Meraki with no issues.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Sorry, no, not one behind the other. They are parallel to each other.

I'm not saying port forwarding does not work on Meraki; however, in this scenario could there be any issues?

KarstenI
Kind of a big deal

Are both firewalls using their own IP addresses for the port forwarding? You cannot forward ports of the same IP on different devices.

cmr
Kind of a big deal

I may be wrong, but I think @hmc250000 has the SonicWall and MX in parallel. I'm guessing you have public IP x.y.z.1 assigned to the SonicWall and x.y.z.2 assigned to the MX; no problem with this.

If the LAN side of each firewall is completely different, then you should be able to port forward on both firewalls to separate subnets internally.

However, I believe you have both connected to the same LAN and the SonicWall's LAN interface is the default gateway; this means everything works there. The MX's LAN interface is in the same internal subnet, so inbound packets will get to your internal devices, but the return packets will come out through the SonicWall, leading to them being dropped (as they don't correspond to an incoming connection on that device).

If you want to have both, I think you have to separate out the LANs, unless someone else knows a better solution...?
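The asymmetric-return problem cmr describes, and the duplicate-ARP problem Blake raised when both boxes carry the same public IP, can be reproduced with a small model. This is an added example written for this thread, not code from any participant, Meraki or SonicWall; the addresses (198.51.100.x, 10.0.x.x, 203.0.113.10), firewall names and forwarding rules are constructed for the illustration. Each firewall keeps its own session table, inbound packets are DNATed by the forwarding rule, and a server's reply always leaves via the LAN's default gateway, which only passes replies for sessions it created itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal stateful firewall with port forwarding (DNAT).

    `forwards` maps a public port on the WAN address to (lan_host, lan_port).
    The session table is per device: that is the whole point of the exercise.
    """

    def __init__(self, name, wan_ip, lan_ip, forwards):
        self.name = name
        self.wan_ip = wan_ip
        self.lan_ip = lan_ip
        self.forwards = forwards
        self.reverse = {v: k for k, v in forwards.items()}
        self.sessions = set()

    def inbound(self, pkt):
        """WAN -> LAN: apply the forwarding rule and record the session."""
        if pkt.dst != self.wan_ip or pkt.dport not in self.forwards:
            return None
        lan_host, lan_port = self.forwards[pkt.dport]
        self.sessions.add((pkt.src, pkt.sport, lan_host, lan_port))
        return Packet(pkt.src, pkt.sport, lan_host, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN: only replies matching a session this device created pass."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return None  # no state for this flow on this box: dropped
        public_port = self.reverse[(pkt.src, pkt.sport)]
        return Packet(self.wan_ip, public_port, pkt.dst, pkt.dport)


def connect(ingress_fw, default_gateway, client_ip, client_port, public_port):
    """Client SYN enters via ingress_fw; the server's reply leaves via the LAN default gateway."""
    syn = Packet(client_ip, client_port, ingress_fw.wan_ip, public_port)
    inside = ingress_fw.inbound(syn)
    if inside is None:
        return "no forwarding rule on " + ingress_fw.name
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    if default_gateway.outbound(reply) is None:
        return f"reply dropped by {default_gateway.name}: no session state"
    return "established"


def arp_responders(firewalls, public_ip):
    """Every device owning public_ip answers ARP for it; more than one is a conflict."""
    return [fw.name for fw in firewalls if fw.wan_ip == public_ip]


def run_scenarios():
    # Constructed topology: both firewalls on one /24 WAN, both LAN ports in 10.0.0.0/24,
    # SonicWall is the LAN default gateway.
    sonicwall = StatefulFirewall("SonicWall", "198.51.100.1", "10.0.0.1", {443: ("10.0.0.20", 443)})
    mx = StatefulFirewall("MX", "198.51.100.2", "10.0.0.2", {8443: ("10.0.0.30", 443)})
    client = ("203.0.113.10", 40000)
    results = {
        "via_sonicwall_gateway_sonicwall": connect(sonicwall, sonicwall, *client, 443),
        "via_mx_gateway_sonicwall": connect(mx, sonicwall, *client, 8443),
    }
    # Fix: the MX-forwarded server sits in its own LAN (10.0.1.0/24) where the MX is the gateway.
    mx_own_lan = StatefulFirewall("MX", "198.51.100.2", "10.0.1.1", {8443: ("10.0.1.30", 443)})
    results["via_mx_gateway_mx"] = connect(mx_own_lan, mx_own_lan, *client, 8443)
    # Misconfiguration: both firewalls given the same public IP.
    mx_dup = StatefulFirewall("MX-dup", "198.51.100.1", "10.0.0.2", {})
    results["arp_shared_ip"] = arp_responders([sonicwall, mx_dup], "198.51.100.1")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The second scenario is the one in the question: the MX creates state and delivers the SYN, but the server's SYN/ACK goes to the SonicWall, which has no matching session and drops it. Giving the MX its own LAN (third scenario) makes both directions traverse the same device, which is what separating the LANs achieves. The last scenario shows why the forwarding rules must be on distinct public addresses: two responders for one IP.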

hmc250000
Getting noticed

Yes, it is working fine on the SonicWall, however. And FYI, it is because of the limitations of the site-to-site VPNs between Meraki and non-Meraki peers that we still have the SonicWall on our network.

Aren't the Meraki MXs doing stateful inspection? I believe that keeps track of incoming and outgoing sessions, something like that.
