Guest Net on specific public IP

DrRasmussen
Here to help

Guest Net on specific public IP

Hi I have a MX84

I have one public IP - lets say x.x.x.1, which I use for internet traffic.

I have a Guest WIFI VLAN - I need to use another public IP for guest traffic - lets say x.x.x.2

 

How can this be done in Meraki MX devices?

 

10 Replies
DarrenOC
Kind of a big deal

Hi @DrRasmussen 

 

look at the flow preference feature 

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Hi @DarrenOC 

 

First of all thank you for helping me here.

 

As I understand WAN1 and WAN2 in the same subnet.

 

WAN1: A.B.C.1 Gateway A.B.C.X

WAN2: A.B.C.2 Gateway A.B.C.X

 

Which means that the two WANs are using the same gateway?

 

Control of which WAN link to be used for guest net is done via SD-WAN & Traffic shaping?

Although you could connect WAN1 and WAN2 of your MX via the same uplink - in which case they would each have an IP in the same subnet - you would normally connect different links to each of WAN1 and WAN2.   They would then have their IPs in different subnets.   In the Flow preferences for Internet traffic you would add a preference, for the source 'your Guest VLAN', to route that traffic via either WAN1 or WAN2.  That traffic will be NAT'ed behind the IP address of the chosen interface.

Hi @GreenMan 

 

What do you mean with "Although you could connect WAN1 and WAN2 of your MX via the same uplink"?

Can I use the same physical interface?

Isn't there a really simple solution here? I don't think I'm the only one looking into this kind of problem.

 

 

/Michael

Hi @DrRasmussen , you generally don’t see WAN1 and WAN2 using IP addresses in the same subnet.  I wouldn’t class that as a resilient setup.  I think what @GreenMan is saying is that it’s possible however to do that.


Have you taken a read through the flow preferences document?  You should be able to identify your source IP subnet ie guest and route that out via WAN1 or WAN2.

 

Give it a try and test 

 


 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
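As an added illustration of the flow preference Darren describes (not code from any poster or from Meraki), this builds the body of the Dashboard API call `PUT /networks/{networkId}/appliance/trafficShaping/uplinkSelection` that pins a guest source subnet to WAN2, and runs an offline check of which uplink a given source address would be sent out of. The guest subnet, the WAN1/WAN2 choices and top-down first-match evaluation of the preference list are assumptions for the example.

```python
import ipaddress
import json

# Constructed example values (assumptions, not from the thread).
GUEST_CIDR = "192.168.100.0/24"   # assumed guest WiFi VLAN subnet
DEFAULT_UPLINK = "wan1"           # x.x.x.1 (normal traffic) lives on WAN1
GUEST_UPLINK = "wan2"             # x.x.x.2 (guest traffic) lives on WAN2


def build_uplink_selection(guest_cidr=GUEST_CIDR, guest_uplink=GUEST_UPLINK,
                           default_uplink=DEFAULT_UPLINK):
    """Body for PUT /networks/{networkId}/appliance/trafficShaping/uplinkSelection.
    Only the fields needed for a source-subnet preference are set here; the
    custom traffic filter matches any protocol/port from the guest subnet."""
    return {
        "defaultUplink": default_uplink,
        "loadBalancingEnabled": False,   # assumed for this example
        "wanTrafficUplinkPreferences": [
            {
                "trafficFilters": [{
                    "type": "custom",
                    "value": {
                        "protocol": "any",
                        "source": {"port": "any", "cidr": guest_cidr},
                        "destination": {"port": "any", "cidr": "any"},
                    },
                }],
                "preferredUplink": guest_uplink,
            }
        ],
    }


def select_uplink(config, src_ip):
    """Offline check of the rule set before pushing it to a remote MX:
    first matching preference wins, otherwise the default uplink
    (top-down evaluation is assumed)."""
    ip = ipaddress.ip_address(src_ip)
    for pref in config["wanTrafficUplinkPreferences"]:
        for flt in pref["trafficFilters"]:
            cidr = flt["value"]["source"]["cidr"]
            if cidr == "any" or ip in ipaddress.ip_network(cidr, strict=False):
                return pref["preferredUplink"]
    return config["defaultUplink"]


if __name__ == "__main__":
    cfg = build_uplink_selection()
    print(json.dumps(cfg, indent=2))
    for host in ("192.168.100.25", "10.0.10.5"):   # guest client, corporate client
        print(host, "->", select_uplink(cfg, host))
```

Traffic chosen for WAN2 is NATed behind WAN2's address, which is the x.x.x.2 source IP the customer asked for.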

Thank you all.

I'll look into it.

 

I raise another question. It is my customer who is asking for a setup like this, where guest traffic has another public source IP address. He said it's for security reasons, not to let the public IP be "too public".

 

However: Is there a best practice for 2021? Is it necessary to separate guest traffic to another public IP, or is it old school?

The MX is licenced for Advanced Security.

Hi @DrRasmussen 

 

Whilst upgrading a lab MX to 16.4 I stumbled across this - source-based routing, which is available in MXs running 15.4 and higher.  So you could specify your source subnet/VLAN and route that out of your chosen next hop - WAN1 or WAN2

 

https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Great - thank you. I have just upgraded to version 15.42.

I can't find any configuration examples - and unfortunately I have no lab Meraki device with 2 WANs here.

 

My installation is 4 hours' drive away - so I must not make any configuration mistakes.

 

Is it possible to place WAN1 and WAN2 in the same subnet from the ISP - or shall the ISP divide the subnet into two?

 

Br,

Michael

Hi Michael,

 

Yes, you can put both WAN connections into the same subnet if you have enough public IPs to do so.  Most deployments however would see two separate ISPs for resiliency.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
KarstenI
Kind of a big deal

Want some more "dirty workaround" options? 😉

If you can make your client traffic come from the same IP (from a PAT router, AP with Meraki DHCP, proxy or something like that) you could configure a 1:1 NAT for this IP.
