Client VPN redirect their internet to WAN2

ShadowoftheD

Hi,

Is there a way to redirect Client VPN's users to WAN2?

Right now, they're connecting via WAN1 and I want to redirect their outgoing internet to WAN2. WAN1 is getting oversubscribed due to the huge influx of WFH users and I want to redirect some of the traffic to WAN2.

I'm not sure, but is it just via Traffic Shaping and adding my client VPN subnet? Would this cause some asymmetrical routing?

Thanks

T-800

WAN1 = 1.1.1.1

WAN2 = 2.2.2.2

Main Subnet = 10.1.1.0/24

VPN Subnet = 10.2.2.0/24

1. In "SDWAN and Traffic Shaping" under "Flow preferences", make the primary interface the one you'd like to use for Client VPN. Let's say this is WAN2. (Remember that this will now make the Client VPN connect to 2.2.2.2)

2. Make an ANY/ANY/ANY traffic shaping rule so that traffic will prefer WAN1.

3. Make a 2nd rule that allows ANY traffic with source of 10.2.2.0/24 with destination of 0.0.0.0/0 to prefer WAN2.

That should work. You might also want to make a traffic shaping rule so that "localnet:10.2.2.0/24" is shaped to a per client throughput if you are "full tunneling" your traffic.

-T800

ShadowoftheD

@T-800 wrote:

WAN1 = 1.1.1.1

WAN2 = 2.2.2.2

Main Subnet = 10.1.1.0/24

VPN Subnet = 10.2.2.0/24

Thanks. Although I'd rather not touch the way they connect via VPN (via WAN1) since that would mean reconfiguring 80+ users again lol.

@T-800 wrote:

3. Make a 2nd rule that allows ANY traffic with source of 10.2.2.0/24 with destination of 0.0.0.0/0 to prefer WAN2.

If I apply this only and they still connect via WAN1, would that be fine?

@T-800 wrote:

That should work. You might also want to make a traffic shaping rule so that "localnet:10.2.2.0/24" is shaped to a per client throughput if you are "full tunneling" your traffic.

I'm sorry, could you explain "full tunneling"?

Thanks

T-800

@ShadowoftheD wrote:

If I apply this only and they still connect via WAN1, would that be fine?

That would be Asymmetric. Traffic enters WAN1 and exits WAN2. It would be better to set an ANY/ANY/ANY rule for WAN2 and allow VPN Clients to use WAN1 and "everyone else" to use WAN2. If you have two quality internet links this won't be a problem. However, if WAN2 is 7/1 DSL then this won't be an option.

@ShadowoftheD wrote:

I'm sorry, could you explain "full tunneling"?

Meraki VPN makes ALL client traffic go through the MX device. This means if a user is watching YouTube instead of working, they are wasting your bandwidth. So for Client VPN users, limiting their bandwidth might be necessary if you don't have strict policies in place for your network.

You can use split tunneling pretty easily with PowerShell scripting and Windows 10.

See this thread to look into implementation of Split Tunneling. (Thanks so much to @Nash for that script!)

 

-T800
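
An added example of the split-tunnel setup mentioned in the reply above (not part of the thread and not @Nash's script): it switches a Windows 10 VPN profile to split tunneling and routes only the thread's Main Subnet (10.1.1.0/24) through the tunnel. The profile name is an assumption. With split tunneling on, the client's internet traffic leaves through its own connection, so it no longer uses WAN bandwidth at the MX and is no longer subject to the MX's filtering.

```powershell
# Added example: split tunneling for an existing Windows 10 client VPN profile.
# Assumptions: the profile name below, and that only the thread's
# "Main Subnet" (10.1.1.0/24) has to be reachable through the tunnel.
$ConnectionName = 'Meraki Client VPN'   # assumed profile name, adjust to yours
$TunnelPrefixes = @('10.1.1.0/24')      # Main Subnet from the thread

# Fail early if the profile does not exist for the current user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Stop using the VPN as the default gateway (full tunnel -> split tunnel).
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force
}

# Add a route for each corporate prefix, skipping ones that are already
# present so the script can be re-run safely.
foreach ($prefix in $TunnelPrefixes) {
    $existing = $vpn.Routes | Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Re-read the profile and show what is now configured.
$vpn = Get-VpnConnection -Name $ConnectionName
[pscustomobject]@{
    Name           = $vpn.Name
    SplitTunneling = $vpn.SplitTunneling
    Routes         = ($vpn.Routes.DestinationPrefix -join ', ')
}
```

The route changes take effect the next time the client connects.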

 
