We have some Regus office space where we would like to install two separate Z3s. The offices can not be covered by a single Z3. We also don't have direct wiring between the offices. Just a generic Internet port. There is most likely a single public IP for NAT. We don't control the local Internet at the site.
Can we have multiple Z3s behind a single Internet / Public IP?
@Dan that will work fine. When the Z3s talk out to wherever your VPN concentrator is, they will punch unique ports in the NAT of the ISP router. These unique ports will be used to send traffic from the VPN concentrator to each unique Z3.
This document describes how it works.
That shouldn't be an issue.
I would think it's possible. You would need a switch unless the device providing the Internet has a switch on it to split the connection. The only issue I would see is if you are doing VPN Mesh (which I assume you are): it may not like two Z3s coming from the same dynamic IP address. You would have to test, but it may cause issues from that standpoint.
@Brian_Krantz I think this little snippet may help clear up your concern.
Right at the end of the example:
In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established.
That is helpful info but I don't think it applies to this case. The Z3s in my case will only be connecting over the Internet to a head end MX64 in 1 armed concentration mode. There is no second path over MPLS.
Yeah, in that case it is probably not possible. You may have to talk to the ISP and get a second public IP. They usually are fairly cheap, around $10 a month depending on provider.
Still shouldn't be an issue imo. During the NATing, the ISP router behind which the Zs are will choose a different random source port to be used for both connections to the Meraki VPN registry. Meraki will then be able to allow the MX to connect to both Zs over a different port. That is, if the ISP's router is a well-behaving NAT device.
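To make the port-mapping point concrete, here is an added toy port-translating NAT (NAPT) in Python. It is an illustration written for this thread, not Meraki code, and it does not model the real VPN registry; every IP address, port and device name in it is constructed. Two inside devices register with the same source port through one public IP; the NAT gives each a distinct public port, replies sent to those ports are delivered back to the right device, and a reply to a port with no mapping is dropped.

```python
"""Toy port-translating NAT (NAPT): two devices on one private LAN reach the
same remote concentrator through a single public IP.

Added illustration for this thread; not Meraki code and not a model of the
Meraki VPN registry. All addresses, ports and device names are constructed."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class Napt:
    """One public IP with endpoint-independent mapping: one public port per
    inside (ip, port), reused for every destination. Inbound traffic is only
    accepted when a mapping already exists."""
    public_ip: str
    first_port: int = 40000
    outbound: Dict[Endpoint, int] = field(default_factory=dict)  # inside -> public port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> inside
    _ports: itertools.count = field(init=False)

    def __post_init__(self) -> None:
        self._ports = itertools.count(self.first_port)

    def translate_out(self, pkt: Packet) -> Packet:
        inside = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(inside)
        if port is None:
            # A fresh public port per inside endpoint: two hosts that happen
            # to use the same source port never collide on the outside.
            port = next(self._ports)
            self.outbound[inside] = port
            self.inbound[port] = inside
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; drop it if no mapping exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get(pkt.dst_port)
        if inside is None:
            return None  # unsolicited inbound traffic is dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


HEAD_END: Endpoint = ("203.0.113.10", 9350)  # constructed concentrator address
Z3_A: Endpoint = ("192.168.1.10", 32768)      # constructed Z3 #1
Z3_B: Endpoint = ("192.168.1.11", 32768)      # constructed Z3 #2, same source port on purpose


def register(nat: Napt, devices: List[Endpoint]) -> Dict[Endpoint, Endpoint]:
    """What the head end records: inside endpoint -> the (public_ip, public_port)
    its registration arrived from."""
    seen: Dict[Endpoint, Endpoint] = {}
    for ip, port in devices:
        out = nat.translate_out(Packet(ip, port, HEAD_END[0], HEAD_END[1], "register"))
        seen[(ip, port)] = (out.src_ip, out.src_port)
    return seen


def reply_all(nat: Napt, seen: Dict[Endpoint, Endpoint]) -> Dict[Endpoint, Optional[Endpoint]]:
    """The head end answers each recorded public endpoint; return the inside
    endpoint the NAT delivered each reply to (None if it was dropped)."""
    delivered: Dict[Endpoint, Optional[Endpoint]] = {}
    for inside, (pub_ip, pub_port) in seen.items():
        back = nat.translate_in(Packet(HEAD_END[0], HEAD_END[1], pub_ip, pub_port, "tunnel"))
        delivered[inside] = (back.dst_ip, back.dst_port) if back else None
    return delivered


if __name__ == "__main__":
    nat = Napt("198.51.100.7")  # constructed ISP public IP
    seen = register(nat, [Z3_A, Z3_B])
    for inside, public in seen.items():
        print(f"{inside} appears to the head end as {public}")
    print(reply_all(nat, seen))
```

The head end never sees the private addresses; it distinguishes the two devices purely by the public port each registration arrived from, which is why both can sit behind one IP. The dropped-reply case is the failure mode behind the "well-behaving NAT" caveat: if the ISP device discards or rewrites a mapping while the head end is still sending to the old port, that device's traffic stops arriving.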
That is what I am hoping would work. Just trying to see if anyone knows for sure. I guess we could buy some Z3s and test it locally.
@DanZ wrote: That is helpful info but I don't think it applies to this case. The Z3s in my case will only be connecting over the Internet to a head end MX64 in 1 armed concentration mode. There is no second path over MPLS.
@DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.
@jdsilva wrote: @DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.
That's only the case to establish tunnels between those two Z's though! For the tunnels towards the MX my previous post explains what happens (unless the MX is also behind the same IP which it isn't I think).
@BrechtSchamp wrote:
@jdsilva wrote: @DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.
That's only the case to establish tunnels between those two Z's though! For the tunnels towards the MX my previous post explains what happens (unless the MX is also behind the same IP which it isn't I think).
Correct. I was replying to the comment higher up 🙂
I added the quote to clarify.
In my scenario, the private IPs won't be able to communicate with each other to establish a tunnel since there is not a private MPLS link. In the example they are describing bringing a tunnel up using those private IPs:
"In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established."
The device does have a switch. The part I am worried about is the VPN where two Z3s are coming from the same public IP like you said.
Sounds like based on the link above it should not be an issue.