MX as down stream router

Just browsing

MX as down stream router

I'm looking to use a Meraki router downstream in order to subnet our various branch offices that are connected via an MPLS like Private WAN (AT&T ASEoD product). The MX's Internet port is currently connected to a switch and is receiving an IP address that matches the IP scheme of the devices currently on that circuit. Devices behind the MX are able to communicate to devices back upstream in my Primary subnet just fine. However, devices in the primary subnet are unable to reach devices behind the MX. If I attempt to ping a device I see that it is trying to reach the device on the right IP but there is no response. I have a route setup on our primary router that points all requests to the MX subnet to the IP address on the WAN interface.


I feel like this is more a firewall issue more than anything because I setup a Sonicwall device in almost the same exact manner with the same exact results. Except I was then able to on the remote branch Sonicwall create a firewall rule that allowed all connections from any source to come through. Since the WAN port on the branch Sonicwall is connected to a private WAN already it doesn't really need to firewalled, the edge router/firewall is dealing with that.


What do I need to do to allow connections from my primary and for that matter all the other branch subnets to be able to reach devices behind the MX?

3 Replies 3
Kind of a big deal

Your problem is NAT.


By default the MX will NAT all traffic going between WAN and LAN. The MX is not a router, and does not behave as such...  Unless you call into support and get them to enable the very new beta feature No-NAT. You'll have to move to a beta firmware, and get the views enabled in the dashboard, but then you can use the MX as a traditional router.

That was one of the other things I saw and thought about but didn't know how to go around it. I'll discuss with upper management but I don't think a beta firmware needs to be in a production environment 5-6 hours away.


Thanks for the help. 

You could treat it kind of like a router using internal interfaces.  Plug the MPLS into LAN2, then LAN 3 is uplink to the rest of that local branch, then setup routes and IPs associated with that LAN2 port in the Addressing and VLANs page.  This process is pretty manual for sure.  You could then plug the WAN1 port into internet service and let the MX still act as your internet filter and all that good stuff.  


IF you have MXs at both / all sides, you could enable their site to site VPN, over the MPLS circuits or over the internet and it can handle routes for you. 


I'll say for my experience, we were using an MPLS, but really didn't have a need anything but basic connectivity between sites.  After some testing, we ditched MPLS, and each site has a low speed (10-20 mbit) fiber we use as Primary VPN, and a 2nd Coax internet 100 mbit connection we use as Primary internet and fail over VPN as needed.  It was a big cost savings for us!


That's a pretty simplistic sum-up, but maybe that will help set you on a good path.

Get notified when there are additional replies to this discussion.