Exit Hub for specific IP

AnythingHosted
Building a reputation


Hi there,

Been using Meraki for nearly 2 years now and very happy with the kit.

We have an MX84 in a datacentre with IP a.a.a.a. We have a number of other MX and Z1 devices in our organisation. Site-to-site is working great; however, for a specific IP address, b.b.b.b, we would like to route all traffic destined for that IP through the MX84.

For example, when a client on network 2 behind an MX65 tries to access b.b.b.b, they should appear to come from the MX84 device and not from the WAN IP address of the MX65. Our client (who runs b.b.b.b) blocks public IPs from their equipment unless they are in a whitelist. Some of our MX/Z1 devices are on dynamic IPs, so I am hoping to route through the MX.

I don't want to route *all* traffic through the MX, only VPN traffic or traffic for b.b.b.b. I've tried creating static routes, but that hasn't worked.

Thanks,

Chris

Dashboard_DJ
Meraki Alumni (Retired)

@AnythingHosted If I'm tracking with what you're trying to get to, then this should be a fairly simple fix but depends on the AutoVPN posture of your DC MX84. If you go to Dashboard > Select your MX84 Network > Security appliance > Addressing & VLANs, are you running in NAT mode or concentrator? Both are supported AutoVPN roles for a DC deployment, but the way routes are injected into the AutoVPN table for remote MX peers is different.

Knowing if it's NAT mode or concentrator should help us guide you towards a solution.

Dashboard_DJ
Meraki Alumni (Retired)

Assuming your DC MX84 is in NAT mode, then you would need to add a static route for b.b.b.b/32 on your MX84 appliance under Addressing & VLANs with a next hop of a router/switch connected to one of the local, internal subnets. Make sure you select "in VPN, yes". That will inject the route into the AutoVPN global route table and tell the MX64 peer to send all traffic destined for b.b.b.b tunneled to the MX84 first.

AnythingHosted
Building a reputation

Hi @Dashboard_DJ

Many thanks for the detailed steps below.

I've been able to add the route on the MX84 (I set the next hop to the local IP address of the MX84). However, on the route table screen it is highlighted red with no connectivity. Now, also, when I remote desktop to a local Windows client of the MX84, the IP for b.b.b.b is inaccessible. When I remove the static route, the Windows client can access b.b.b.b.

Have I chosen an incorrect next hop IP?

Thanks,

Chris

Dashboard_DJ
Meraki Alumni (Retired)

The next hop IP should not be the MX84 IP address. It should be the IP address of the "next hop" towards your internal LAN. Essentially the IP address of the device you have the MX connected to on the LAN-side. Most likely a L3 switch interface or router.
RobCampbell
Just browsing

But Meraki does not allow you to put the external gateway as the next hop. It only lets you put IPs within your network.

Owen
Getting noticed

With VPN hubs, static routes on the "Addressing & VLANs" page will route traffic out of a LAN-side interface.

Static routes on the "Site to site VPN" page in the "local networks" section will route the traffic out of the WAN links on the hub.

RobCampbell
Just browsing

Owen, that is correct, but it does not provide a solution for the OP or me. I had worked with Meraki support and they said this cannot be done with Meraki equipment and that I should "submit a wish".

I have tried for months to figure out a hack or workaround with no success. To the point where I may need to replace the Meraki firewalls to something that supports it.

Adriano
Here to help

This is a rather old thread. I hope you found a fix.

The way to point a static route to the LAN devices:

- Use a "transit" VLAN between your MX and the LAN device (L3 switch).

- Point the static route to the L3 switch's IP address on that "transit" VLAN.

Rob-Nuvera
Conversationalist

Although pointing to an L3 switch is likely to work, that requires the purchase of an L3 switch for something that should be a simple route in the Meraki MX dashboard. But thanks for the suggestion. I'm just not sure it is financially feasible for this one thing.

Bucket
Getting noticed

It's not a solution. Where does it go from the L3 switch? It goes back to the MX. Where does it go from the MX? To the L3 switch. Until the TTL reaches 0.

Meraki needs to add the ability to create static routes towards the WAN. As long as you can't do that, there isn't a good solution.

Rob-Nuvera
Conversationalist

That sounds right. I agree they need to just let you make the static routes needed.

They do have something called VPN exclusions now that might help in some situations. If only I could figure out a rule to exclude everything except a certain IP; then it would be doable, but a stupid way to do it.
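Added example, not posted by anyone in this thread and not Meraki's own code: a small Python forwarding simulator of the topology discussed above (NAT-mode MX84 hub, MX65 spoke, L3 switch on a transit VLAN). It walks a packet for b.b.b.b through each device's route table using longest-prefix match and shows four outcomes: the spoke egressing from its own dynamic IP when no route is injected (the original problem), a /32 whose next hop is the hub's own IP going nowhere (Chris's first attempt), the hub-to-switch bounce until TTL expiry that Bucket describes, and what a WAN-facing next hop on the hub would do if the dashboard accepted one (the posters report it does not). All addresses, device names and route tables are constructed placeholders; the "WAN" token and the rejection of a self-pointing next hop are the simulator's own simplifications, not Meraki behaviour.

```python
import ipaddress

# Constructed sample addresses (placeholders for the thread's a.a.a.a / b.b.b.b; not real hosts).
HUB_WAN = "203.0.113.10"      # MX84 public IP in the datacentre (the thread's a.a.a.a)
SPOKE_WAN = "198.51.100.77"   # the MX65 spoke's dynamic public IP
TARGET = "192.0.2.50"         # the whitelist-protected host (the thread's b.b.b.b)
WAN_IP = {"MX65": SPOKE_WAN, "MX84": HUB_WAN}


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); returns the next hop or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(tables, start, dst, ttl=64):
    """Walk a packet hop by hop from `start` towards `dst`.

    Returns (outcome, source_ip_seen_by_dst, hops). A next hop of "WAN" means the device
    NATs the packet and sends it out of its own public interface. A next hop naming the
    current device itself is rejected; that is an assumption standing in for the dashboard
    showing the route in red, not documented Meraki behaviour.
    """
    node, hops = start, [start]
    while ttl > 0:
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            return ("no route", None, hops)
        if next_hop == "WAN":
            return ("egress", WAN_IP[node], hops)
        if next_hop == node:
            return ("invalid next hop", None, hops)
        ttl -= 1                    # every forwarding hop decrements the TTL
        node = next_hop
        hops.append(node)
    return ("ttl exceeded", None, hops)


def build_tables(hub_next_hop=None, in_vpn=False):
    """Route tables for the thread's topology (constructed example).

    hub_next_hop: next hop of a TARGET/32 static route on the MX84 (None = no such route).
    in_vpn:       whether that route is advertised into AutoVPN, i.e. "in VPN: yes".
    """
    tables = {
        # Spoke MX65: default out of its own WAN; the hub's internal subnet via AutoVPN.
        "MX65": [("0.0.0.0/0", "WAN"), ("10.0.1.0/24", "MX84")],
        # Hub MX84 in NAT mode: spoke LAN via AutoVPN, internal subnet via the L3 switch on a
        # transit VLAN, everything else out of its own WAN.
        "MX84": [("0.0.0.0/0", "WAN"), ("192.168.2.0/24", "MX65"), ("10.0.1.0/24", "L3SW")],
        # L3 switch: its default route points straight back at the MX84.
        "L3SW": [("0.0.0.0/0", "MX84")],
    }
    if hub_next_hop is not None:
        tables["MX84"].append((TARGET + "/32", hub_next_hop))
        if in_vpn:
            # Injected into the AutoVPN route table: the spoke now sends TARGET to the hub.
            tables["MX65"].append((TARGET + "/32", "MX84"))
    return tables


def scenario_no_route():
    """Original problem: the spoke egresses from its own dynamic IP, which is not whitelisted."""
    return forward(build_tables(), "MX65", TARGET)


def scenario_self_next_hop():
    """First attempt in the thread: a /32 whose next hop is the MX84's own LAN IP."""
    return forward(build_tables(hub_next_hop="MX84", in_vpn=True), "MX65", TARGET)


def scenario_transit_vlan():
    """Suggested fix: /32 via the L3 switch on a transit VLAN, in VPN. The switch's default
    route hands the packet back to the MX84, so it bounces until the TTL expires."""
    return forward(build_tables(hub_next_hop="L3SW", in_vpn=True), "MX65", TARGET)


def scenario_wan_next_hop():
    """What the thread asks for: a WAN-facing next hop on the hub (hypothetical; the posters
    report the dashboard does not accept one). Spoke traffic then egresses from HUB_WAN."""
    return forward(build_tables(hub_next_hop="WAN", in_vpn=True), "MX65", TARGET)


if __name__ == "__main__":
    for fn in (scenario_no_route, scenario_self_next_hop, scenario_transit_vlan, scenario_wan_next_hop):
        outcome, src, hops = fn()
        print(f"{fn.__name__:24} {outcome:16} src={src} hops={len(hops)} path={'>'.join(hops[:5])}")
```

Run it directly to print the four outcomes. The point that matters for the whitelist on b.b.b.b is the source address the target sees: only the last scenario produces a.a.a.a, and the transit-VLAN route only helps if the L3 switch can send the packet somewhere other than back to the MX.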
