Exit Hub for specific IP

Building a reputation

Exit Hub for specific IP

Hi there, 


Been using Meraki for nearly 2 years now and very happy with the kit. 

We have a MX84 in a datacentre with IP a.a.a.a. We have a number of other MX and Z1 in our organisation. Site to Site is working great, however what we would like to do is for specific IP address, b.b.b.b we would like to route all traffic destined for that IP through the MX84. 

For example, a client on network 2 behind a MX65, when they try to access b.b.b.b they appear from the MX84 device and not the IP address of the MX65 WAN. Our client (who runs b.b.b.b) blocks their equipment for public IPs unless in a whitelist. Some of our MX/Z1 are on dynamic IPs, so I am hoping to route through the MX. 


I don't want want to route *all* traffic through the MX, only VPN or for b.b.b.b. I've tried creating static routes, but that hasn't worked. 




Meraki Alumni (Retired)
Meraki Alumni (Retired)

@AnythingHosted If I'm tracking with what you're trying to get to, then this should be a fairly simple fix but depends on the AutoVPN posture of your DC MX84. If you go to Dashboard > Select your MX84 Network > Security appliance > Addressing & VLANs, are you running in NAT mode or concentrator? Both are supported AutoVPN roles for a DC deployment, but the way routes are injected into the AutoVPN table for remote MX peers is different.


Knowing if it's NAT mode or concentrator should help us guide you towards a solution.

Meraki Alumni (Retired)
Meraki Alumni (Retired)

Assuming your DC MX84 is in NAT mode, then you would need to add a static route for b.b.b.b/32 on your MX84 appliance under Addressing & VLANs with a next hop of a router/switch connected to one of the local, internal subnets. Make sure you select "in VPN, yes". That will inject the route into the AutoVPN global route table and tell the MX64 peer to send all traffic destined for b.b.b.b tunneled to the MX84 first.



Hi @Dashboard_DJ


Many thanks for the detailed steps below. 


I've been able to add the route on the MX84 (the next hop I put as the local IP address of the MX84). However, on the route table screen it is highlighted red with no connectivity. Now also when I remote desktop to a local Windows client of the MX84, the IP for b.b.b.b is inaccessible. When I remove the static route, the Windows client can access b.b.b.b.


Have I chosen an incorrect Next Hop IP?




The next hop IP should not be the MX84 IP address. It should be the IP address of the "next hop" towards your internal LAN. Essentially the IP address of the device you have the MX connected to on the LAN-side. Most likely a L3 switch interface or router.

But Meraki does not allow you to put the external gateway as the next hop. It only lets you put IPs within your network.

With VPN hubs static routes on the "Addressing & VLAN's" page will route traffic out of a LAN side interface.


Static routes on the "Site to site VPN" page in the "local networks" section will route the traffic out of the WAN links on the hub.

Owen. That is correct, but it does not provide a solution for the Op and myself. I had worked with Meraki support and they said this cannot be done with Meraki equipment and that I should "submit a wish"

I have tried for months to figure out a hack or workaround with no success. To the point where I may need to replace the Meraki firewalls to something that supports it.

this is a rather old thread. I hope you found a fix.

The way to point a static route to the LAN devices:

- Use a "transit" vlan between your MX and the LAN device (L3 switch)

- Point the static to the L3 switch ip address on that "transit" vlan.


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.