Hi, I have an MX84.
I have one public IP - let's say x.x.x.1, which I use for internet traffic.
I have a Guest WIFI VLAN - I need to use another public IP for guest traffic - let's say x.x.x.2
How can this be done in Meraki MX devices?
Hi @DrRasmussen
look at the flow preference feature
Hi @DarrenOC
First of all thank you for helping me here.
As I understand it, WAN1 and WAN2 are in the same subnet.
WAN1: A.B.C.1 Gateway A.B.C.X
WAN2: A.B.C.2 Gateway A.B.C.X
Which means that the two WANs are using the same gateway?
Control of which WAN link is to be used for the guest net is done via SD-WAN & Traffic shaping?
Although you could connect WAN1 and WAN2 of your MX via the same uplink - in which case they would each have an IP in the same subnet - you would normally connect different links to each of WAN1 and WAN2. They would then have their IPs in different subnets. In the Flow preferences for Internet traffic you would add a preference, for the source 'your Guest VLAN', to route that traffic via either WAN1 or WAN2. That traffic will be NAT'ed behind the IP address of the chosen interface.
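The flow preference described above, sketched as an added example (not part of the original thread and not Meraki's own code). It assumes the Dashboard API v1 body format for `PUT /networks/{networkId}/appliance/trafficShaping/uplinkSelection`; the guest subnet is a constructed value, and the dry-run helper assumes the first matching preference wins.

```python
import ipaddress
import json

# Constructed sample value (assumption, not from the thread).
GUEST_CIDR = "192.168.50.0/24"   # guest Wi-Fi VLAN subnet


def build_uplink_selection(guest_cidr, guest_uplink="wan2", default_uplink="wan1"):
    """Request body that pins the guest subnet to one uplink."""
    ipaddress.ip_network(guest_cidr)  # raises ValueError on a malformed subnet
    if guest_uplink == default_uplink:
        raise ValueError("guest uplink must differ from the default uplink")
    return {
        "defaultUplink": default_uplink,
        # With load balancing on, unmatched flows are spread over both uplinks,
        # so non-guest traffic could also leave via the guest address.
        "loadBalancingEnabled": False,
        "wanTrafficUplinkPreferences": [{
            "trafficFilters": [{
                "type": "custom",
                "value": {
                    "protocol": "any",
                    "source": {"port": "any", "cidr": guest_cidr},
                    "destination": {"port": "any", "cidr": "any"},
                },
            }],
            "preferredUplink": guest_uplink,
        }],
    }


def egress_uplink(payload, src_ip):
    """Dry run: which uplink (and so which NAT address) a source IP would use.
    Assumption of this example: the first matching preference wins."""
    addr = ipaddress.ip_address(src_ip)
    for pref in payload["wanTrafficUplinkPreferences"]:
        for flt in pref["trafficFilters"]:
            cidr = flt["value"]["source"]["cidr"]
            if cidr == "any" or addr in ipaddress.ip_network(cidr):
                return pref["preferredUplink"]
    return payload["defaultUplink"]


if __name__ == "__main__":
    body = build_uplink_selection(GUEST_CIDR)
    print(json.dumps(body, indent=2))
    print("guest host ->", egress_uplink(body, "192.168.50.23"))
    print("other host ->", egress_uplink(body, "192.168.10.5"))
```

Running the dry run against a few guest and non-guest addresses before touching a remote site shows whether only the guest subnet would be NAT'ed behind the second address.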
Hi @GreenMan
What do you mean by "Although you could connect WAN1 and WAN2 of your MX via the same uplink"?
Can I use the same physical interface?
Isn't there a really simple solution here? I don't think I'm the one and only person looking into this kind of problem.
/Michael
Hi @DrRasmussen, you generally don’t see WAN1 and WAN2 using IP addresses in the same subnet. I wouldn’t class that as a resilient setup. I think what @GreenMan is saying is that it’s possible, however, to do that.
Have you taken a read through the flow preferences document? You should be able to identify your source IP subnet, i.e. guest, and route that out via WAN1 or WAN2.
Give it a try and test.
Thank you all.
I'll look into it.
I raise another question. It is my customer who is asking for a setup like this, where guest traffic has another public source IP address. He said it's for security reasons, not to let the public IP be "too public".
However: Is there a best practice for the year 2021? Is it necessary to separate guest traffic to another public IP, or is it old school?
The MX is licenced for Advanced Security.
Hi @DrRasmussen
Whilst upgrading a lab MX to 16.4 I stumbled across this - source-based routing, which is available in MXs running 15.4 and higher. So you could specify your source subnet/VLAN and route that out of your chosen next hop - WAN1 or WAN2.
https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing
Great - thank you. I have just upgraded to version 15.42.
I can't find any configuration examples - and unfortunately I have no lab Meraki device with 2 WANs here.
My installation is a 4-hour drive away - so I must make no configuration mistakes.
Is it possible to place WAN1 and WAN2 in the same subnet from the ISP - or shall the ISP divide the subnet into two?
Br,
Michael
Hi Michael,
Yes, you can put both WAN connections into the same subnet if you have enough public IPs to do so. Most deployments, however, would see two separate ISPs for resiliency.
Want some more "dirty workaround" options? 😉
If you can make your client traffic come from the same IP (from a PAT router, AP with Meraki DHCP, proxy or something like that), you could configure a 1:1 NAT for this IP.