Been using Meraki for nearly 2 years now and very happy with the kit.
We have a MX84 in a datacentre with IP a.a.a.a. We have a number of other MX and Z1 in our organisation. Site to Site is working great, however what we would like to do is for specific IP address, b.b.b.b we would like to route all traffic destined for that IP through the MX84.
For example, a client on network 2 behind a MX65, when they try to access b.b.b.b they appear from the MX84 device and not the IP address of the MX65 WAN. Our client (who runs b.b.b.b) blocks their equipment for public IPs unless in a whitelist. Some of our MX/Z1 are on dynamic IPs, so I am hoping to route through the MX.
I don't want want to route *all* traffic through the MX, only VPN or for b.b.b.b. I've tried creating static routes, but that hasn't worked.
@AnythingHosted If I'm tracking with what you're trying to get to, then this should be a fairly simple fix but depends on the AutoVPN posture of your DC MX84. If you go to Dashboard > Select your MX84 Network > Security appliance > Addressing & VLANs, are you running in NAT mode or concentrator? Both are supported AutoVPN roles for a DC deployment, but the way routes are injected into the AutoVPN table for remote MX peers is different.
Knowing if it's NAT mode or concentrator should help us guide you towards a solution.
Assuming your DC MX84 is in NAT mode, then you would need to add a static route for b.b.b.b/32 on your MX84 appliance under Addressing & VLANs with a next hop of a router/switch connected to one of the local, internal subnets. Make sure you select "in VPN, yes". That will inject the route into the AutoVPN global route table and tell the MX64 peer to send all traffic destined for b.b.b.b tunneled to the MX84 first.
I've been able to add the route on the MX84 (the next hop I put as the local IP address of the MX84). However, on the route table screen it is highlighted red with no connectivity. Now also when I remote desktop to a local Windows client of the MX84, the IP for b.b.b.b is inaccessible. When I remove the static route, the Windows client can access b.b.b.b.
The next hop IP should not be the MX84 IP address. It should be the IP address of the "next hop" towards your internal LAN. Essentially the IP address of the device you have the MX connected to on the LAN-side. Most likely a L3 switch interface or router.
Owen. That is correct, but it does not provide a solution for the Op and myself. I had worked with Meraki support and they said this cannot be done with Meraki equipment and that I should "submit a wish"
I have tried for months to figure out a hack or workaround with no success. To the point where I may need to replace the Meraki firewalls to something that supports it.