We are in the process of switching over to Meraki.
I currently have our first phase, for switches, in testing.
What we are looking to do is add an MX250 firewall to this phase, and we are looking at putting it between our core switches (MX425-32) and our current WatchGuard FW.
The WG is currently set up with several interfaces:
2 interfaces are ISP connections (one main and a 2nd as backup if the 1st fails; we also use the 2nd connection for guest connections, more on that later).
The other interfaces are gateway static IPs for 3 of our VLANs; these will be moved away from the WG onto the core switch, which will be doing all layer 3.
So the WG will be our main ISP connection, which will then connect to the MX250 WAN 1 port. The WAN 2 port on the MX250 will be statically assigned and connected to the 2nd, slower ISP connection.
I have the routing figured out for the main ISP connection for our network between the MX and the WG:
The WG IP on a trusted interface is 10.75.98.10/29
The MX250 has VLAN 97 set with IP 10.75.98.14, as it's a /29 subnet
The core SW has VLAN 97 set with IP 10.75.98.9
The MX has a reverse route to 10.75.98.9 for the required subnets
The core SW has route 0.0.0.0/0 to 10.75.98.10
This should give the required VLANs access to the internet via the MX, then the WG, then the ISP, and vice versa.
Now for the 2nd WAN connection: we want to use this as our guest internet connection,
so if someone connects to our guest WiFi on our APs they should get an IP address via the guest VLAN, which again is set on the core layer 3 switch (I will set DHCP on the core switch), and is then routed to the MX to use the 2nd WAN ISP connection.
This is where I'm getting confused on the routing, as we only need the guest VLAN to use the 2nd WAN connection on the MX250.
Hope I explained clearly enough for you 🙂
And thanks in advance for the help/suggestions 🙂
This sounds a little confusing; a diagram would help a lot. However, why do you not just use the WG box as a bridge and move the VLANs over to the MX and make this your core, primary router? Or why use the WG at all?
For the guest network you can use WAN 2 on the MX for your slower connection and then, on the MX, use flow preferences to route your guest network to WAN 2.
But depending on what your actual needs for the guest network are, there are also other options.
Hope this helps start the discussion.
Use a flow preference to configure which interface is used.
Looking at your drawing, I am still unsure why you need to use the WatchGuard box; it appears superfluous to the solution, unless I am missing something.
Just recreate your VLANs on the MX, which will take about 5 mins, and use flows to provide the guests with internet access on the slower connection.
There may also be a better way to give guest access to the network and still maintain separation, by using a VLAN and a couple of firewall rules to block cross-VLAN traffic, with 802.1X authentication or the access control options and a splash page.
You're correct, we don't need the WG, but my boss would like to keep it in for double security.
Basically using the MX for internal stuff and the WG for external...
We have a lot of policies already set up on the WG for flows in/out etc.
Thanks for the suggestion on flows; I will probably look at doing that.
All of our VLANs are set up on the core switch (there are no VLANs set on the WG), so we need minimal VLANs on the MX, just those for routing traffic between the core and the internet.
Our guests are currently pushed through a splash page for access, so once they go through the splash page they are given access to the internet.
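As an added illustration of the two points raised in this thread (the /29 transit addressing between the WatchGuard, the MX250 and the core switch, and why the guest VLAN needs a source-based flow preference rather than a plain destination route to reach WAN 2), here is a small Python checker. It is example code written for this page, not code from the thread, from Meraki or from the MX itself. The transit addresses are the ones the original poster listed; the guest VLAN subnet (10.75.200.0/24), the corporate client address (10.75.10.5) and the "fall back to the default uplink when the preferred uplink is down" behaviour are assumptions made for the example, and the flow-preference matching is a model of the idea, not the MX's real implementation.

```python
import ipaddress

# Addressing from the thread: the /29 transit network shared by the WatchGuard
# trusted interface, the MX250 VLAN 97 interface and the core switch VLAN 97.
TRANSIT_NET = "10.75.98.8/29"
TRANSIT_HOSTS = {
    "WatchGuard trusted": "10.75.98.10",
    "MX250 VLAN 97": "10.75.98.14",
    "Core switch VLAN 97": "10.75.98.9",
}
# The guest VLAN subnet is NOT given in the thread; this value is constructed.
GUEST_VLAN = "10.75.200.0/24"
# Flow preferences modelled as (source CIDR, preferred uplink); first match wins.
FLOW_PREFERENCES = [(GUEST_VLAN, "wan2")]
DEFAULT_UPLINK = "wan1"


def validate_transit(network, hosts):
    """Return a list of problems with a transit addressing plan (empty list = OK).

    Every address must sit inside the network, be a usable host address (not the
    network or broadcast address) and be assigned to only one device.
    """
    net = ipaddress.ip_network(network, strict=False)
    usable = set(net.hosts())
    seen = {}
    problems = []
    for name, addr_str in hosts.items():
        addr = ipaddress.ip_address(addr_str)
        if addr not in net:
            problems.append(f"{name}: {addr} is not inside {net}")
        elif addr not in usable:
            problems.append(f"{name}: {addr} is the network or broadcast address of {net}")
        if addr in seen:
            problems.append(f"{name}: {addr} is already used by {seen[addr]}")
        seen[addr] = name
    return problems


def next_hop_on_link(next_hop, interface_network):
    """True if a static route's next hop is directly reachable on the given interface."""
    return ipaddress.ip_address(next_hop) in ipaddress.ip_network(interface_network, strict=False)


def select_uplink(src, prefs=FLOW_PREFERENCES, default=DEFAULT_UPLINK, uplink_up=None):
    """Pick the WAN uplink for a flow by its source address, as a flow preference does.

    A destination route alone cannot send only the guest VLAN out WAN 2, because
    guest and corporate traffic share the same destination (0.0.0.0/0); the
    decision has to key on the source. Assumption for this model: if the
    preferred uplink is down the flow falls back to the default uplink.
    """
    if uplink_up is None:
        uplink_up = {"wan1": True, "wan2": True}
    src_addr = ipaddress.ip_address(src)
    for cidr, uplink in prefs:
        if src_addr in ipaddress.ip_network(cidr, strict=False):
            return uplink if uplink_up.get(uplink, False) else default
    return default


def check_plan():
    """Run the thread's plan through the checks above and return a summary dict."""
    return {
        "transit_problems": validate_transit(TRANSIT_NET, TRANSIT_HOSTS),
        # Core switch default route 0.0.0.0/0 -> 10.75.98.10, as stated in the thread
        "core_default_route_on_link": next_hop_on_link("10.75.98.10", TRANSIT_NET),
        # MX reverse route for the internal subnets -> 10.75.98.9 (core), as stated
        "mx_reverse_route_on_link": next_hop_on_link("10.75.98.9", TRANSIT_NET),
        # Constructed sample clients: one guest, one corporate
        "guest_client_uplink": select_uplink("10.75.200.25"),
        "corporate_client_uplink": select_uplink("10.75.10.5"),
    }


if __name__ == "__main__":
    for key, value in check_plan().items():
        print(f"{key}: {value}")
```

Running it reports no problems for the /29 as listed (all three addresses are usable hosts in 10.75.98.8/29), confirms both next hops are on-link for the transit VLAN, and shows the guest client selecting wan2 while the corporate client stays on wan1. Swapping in a wrong address, such as 10.75.98.15, is flagged as the broadcast address, which is the kind of slip that is easy to make on a /29.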