MX Feature Request - Separate Firewall/SD-WAN Rules for WAN1 and WAN2

Solved
NJNetworkGuy100
Getting noticed

Put this in as a Make a Wish, but wanted to see if this is something other folks would like to see...

 

A lot of our sites run fast fiber for WAN1 and a much slower coax/cellular/MG as the backup connection on WAN2.  
 
We'd love to be able to set different configurations for the Firewall/SD-WAN settings for WAN2 in case of a failover to the slower backup circuit.  Like blocking video streaming on just WAN2 or prioritizing different traffic or limiting client bandwidth on just the slower circuit.  
 
So, when the WAN failover automatically happens, all the firewall/SD-WAN settings are in place and ready to go for the backup circuit.  
 
Right now, we get the alert that the primary circuit is down, and we have to manually change the rules during the fiber's outage.  
 
 
 
1 Accepted Solution
NolanHerring
Kind of a big deal

Just an FYI but if you contact support, you can have them make the 'cellular' firewall rules act as WAN2 firewall rules.

Not actually 100% sure if they function unless WAN2 is the active circuit, as I've only ever used WAN2 as a backup, and not messed with the load-balancing etc. Should be easy enough to test though, just use a <yourIP>/32 and point it to WAN2 and see if it does what you want etc.

I really wish they would break out the rules per interface all the way though.
Nolan Herring | nolanwifi.com

4 Replies
ww
Kind of a big deal

Would be nice to have, yes, in case of not using load balancing.

For now you could speed it up using the API.

Other option is to change the cellular firewall to use for WAN2 (need to contact support). But that's only L3 FW rules.

 

 

NJNetworkGuy100
Getting noticed

We don't really use load balancing on our MX setups.  This is in case of an outage on our faster and steadier WAN1 fiber connection, and we are forced to send all office traffic over the slower (and more unpredictable) WAN2 connection.

 

We would just love to be able to set different Firewall/SD-WAN rules for each WAN connection when not using load balancing.  And then, when an outage occurs, the rules are already there ready to go.  And when WAN1 comes back up again, the firewall/SD-WAN rules automatically are back to what they should be.    

 

API scripting does help in automating some of this, but we still have to run the script manually.   

 

I had heard about that Cell Failover Firewall option for WAN2...but it limits things with it being only for Layer 3 rules.  

NJNetworkGuy100
Getting noticed

Yeah, I knew about making the "cell firewall rules" for WAN2, but it only affects the Layer 3 rules.  Not the SD-WAN or Layer 7 rules.

Guess I can hope this is a roadmap feature.
