Meraki

Community

Adding MX250 Behind a WatchGuard FW

NCS_Comm
Here to help
‎May 22 2020 11:57 AM
‎May 22 2020 11:57 AM

Adding MX250 Behind a WatchGuard FW

Hello All

We are in the process of switch over to Meraki.

I have our first phase in testing currently for Switches

 

What we are looking to do is add an MX250 Firewall to this phase, and are looking at putting between our Core Switches MX425-32 and our current Watchguard  FW.

The WG is currently set up with several interfaces
2 interfaces are ISP connections ( one main and 2nd as back up if 1st fails- we also use the 2nd connection for guest connections more on that later).
The other interfaces are Gateway static IP's for 3 of our Vlans - these will be moved away from the WG onto the Core switch which will be doing All layer 3.

So the WG will be our main ISP connection which will then connect to the MX250 WAN 1 port.  Wan 2 port on MX250 will be statically assigned and connected to the 2nd slower ISP connection.

 

I have the routing figured out for the main ISP connection for our network between the MX and WG

the WG IP on a trusted interface is 10.75.98.10/29

MX250 has Vlan97 set with IP 10.75.98.14 as its a /29 subnet

Core SW has Vlan97 set with IP 10.75.98.9

MX has reverse route to 10.75.98.9 for required subnets

Core SW has route 0.0.0.0/0 to 10.75.98.10

This should give required Vlans access to the internet via MX then to WG then to ISP and visa vera

 

Now for the 2nd Wan connection, we want to use this as our Guest internet connection
so if someone connections to our Guest WiFi on our AP's they should get an IP address via the Guest Vlan which again is set in the core layer 3 switch ( will set DHCP on the core switch) and then is routed to the MX to use the 2nd Wan ISP connection
this is where I'm getting confused for the routing as we only need the guest VLAN to use the 2nd Wan connection on the MX250

 

Hope I explain clear enough for you 🙂

And thanks in advance for the help /suggestions 🙂 

0 Kudos
5 Replies 5
GaryShainberg
Building a reputation
‎May 22 2020 2:37 PM
‎May 22 2020 2:37 PM

Hi there,

 

This sounds a little confusing, a diagrame would help a lot, however, why do you not just se the WG box as a bridge and move the VLAN's over to the MX and make this your core, primary router - or why use the WG at-all ?

 

For the guest network you can use WAN 2 on the MX for your slower connection and then, on the MX and use flow preferences to route your guest network to WAN 2.

 

But depending on what your actual needs for the guest network are, there are also other options.

 

Hope this helps start the discussion.

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
In response to GaryShainberg
NCS_Comm
Here to help
‎May 22 2020 2:44 PM
‎May 22 2020 2:44 PM

Yeh it is a little confusing

hope this helps  - sorry its a quick and dirty drawing

 

NCS_Comm_0-1590183821787.png

 

0 Kudos
In response to NCS_Comm
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 22 2020 4:55 PM
‎May 22 2020 4:55 PM

Use a flow preference to configure which interface is used.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen... 

0 Kudos
In response to NCS_Comm
GaryShainberg
Building a reputation
‎May 23 2020 9:06 AM
‎May 23 2020 9:06 AM

Hi there,

 

Looking at your drawing, I am still unsure why you need to ue the WatchGuard box, it appears superfluous to the solution. Unless I am missing something.

 

Just recreate your vLAN's on the MX which will take about 5 mins and use flows to provide the guests with internet access on the slower connection.

 

There also may be a better way to give guest access to the network and still maintain separation by using a vLAN and a couple of firewall rules to block cross vLAN traffic and with 802.1x authentication or the access control options and a splash page

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
0 Kudos
In response to GaryShainberg
NCS_Comm
Here to help
‎May 25 2020 9:07 AM
‎May 25 2020 9:07 AM

Your correct we don't Need the WG but my boss would like to keep it in for Double security
Basically using MX for internal stuff and WG for External...
We have a lot of policies already set up on the WG for flows in /out etc

 

Thanks for the suggestion on flows I will probably look at doing that.

 

All of our Vlans are set up on the core switch ( there are no VLANs set on the WG ) so we need minimal VLANs on the MX - just those for routing traffic between Core and internet.

Our Guests are pushed through a splash page current for access so once they go through the splash page they are given access to the internet.

cheers

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.