Hi, I've battled with this issue in the past, and am about to do so again, so wanted to check if I'm doing it the "right" way.
I have a multi-site client with an MX at each site, and a single MPLS connection at each site, that will route all traffic back to HQ.
At HQ, the MX has an internet connection on WAN1 and the MPLS connection on LAN port with static routes.
At the branch, the MPLS connection connects to a Cisco router, which then splits the /24 into a /25 and a /29. The /29 is connected to the MX WAN as an Internet connection, and the /25 is connected to the MX LAN with static routes.
All that means that we need an additional Cisco router, or a layer 3 switch with VLANs, but at least it works.
I want to reduce that to simply connecting the MX directly to the MPLS, preferably on the WAN, and allow it to get Internet access and route private IP address space. I think the issues with this are:
1) The MX will NAT the private IP addresses, instead of just routing them and letting the HQ MX do NAT at the Internet gateway
2) The MX requires a working Internet connection on all WAN ports (ping to 188.8.131.52 at a minimum)
What do others do? Is this functionality better in firmware 13/14?
1. The MX will NAT any destination address not in its routing table, with the exception of the default route. So you need to include a route for all private IP addresses in your network on the other side of the WAN port of the branch MX. Traffic to the Internet will be NATed by the branch MX. The only other exception would be if you were running the MX in transparent mode ... but you are going to lose a lot of features.
2. The MX must have a working Internet connection, so this can be provided via the HQ connection.
There are two common ways of doing this. First, use AutoVPN and run a VPN over the MPLS network.
The other is to simply use routes, or tracked routes if you want to be able to fail over to a backup VPN.
Usually to provide SD-WAN you would have an MX in one-armed mode at HQ. In your environment I would try connecting WAN 2 to MPLS and then it should be fine for all the MX appliances to NAT. The AutoVPN will form an overlay on the MPLS network. You should not need additional routers. In this setup your MPLS provider will not need any knowledge of your internal networks, as they will be NATed via the MXs.
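The forwarding rule described in the reply above (route if the destination matches a specific entry in the routing table, NAT out the uplink if only the default route matches) is easy to misjudge when a branch has several private prefixes behind the WAN port. The following is an added example, not Meraki code and not from any poster here: a small model of that NAT-mode decision built on Python's `ipaddress` module, with a helper that reports which private prefixes would still be NATed because no static route covers them. The routing table, prefixes and next-hop address are constructed for illustration.

```python
"""Model of the NAT-mode forwarding decision described in the thread (added
example, not Meraki code). Assumptions: a longest-prefix lookup on the MX
routing table; a hit on a connected or static route forwards without
translation; a miss falls through to the default route and the source is
NATed to the WAN uplink address. All prefixes below are constructed."""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network
    next_hop: str
    kind: str  # "connected", "static" or "default"


# Hypothetical branch MX table: one local VLAN, one static route for the
# private space reachable via the MPLS provider edge, and a default route
# out the same MPLS-facing WAN port.
MPLS_PE = "172.16.255.1"  # constructed next-hop address
BRANCH_TABLE = [
    Route(ip_network("10.20.0.0/24"), "vlan1", "connected"),
    Route(ip_network("10.0.0.0/8"), MPLS_PE, "static"),
    Route(ip_network("0.0.0.0/0"), MPLS_PE, "default"),
]


def longest_match(table: list[Route], dst) -> Optional[Route]:
    """Return the most specific route containing dst (the default route
    matches everything, so it only wins when nothing else does)."""
    best = None
    for route in table:
        if dst in route.prefix:
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route
    return best


def forwarding_decision(table: list[Route], dst: str) -> tuple[str, str]:
    """("route", next_hop) for a specific match, ("nat", next_hop) when only
    the default route matches, as the reply describes for NAT mode."""
    route = longest_match(table, ip_address(dst))
    if route is None:
        return ("drop", "")
    if route.kind == "default":
        return ("nat", route.next_hop)
    return ("route", route.next_hop)


def missing_private_routes(table: list[Route], private_prefixes: list[str]) -> list[str]:
    """Private prefixes that would be NATed rather than routed because no
    connected or static route fully covers them."""
    covered = [r.prefix for r in table if r.kind != "default"]
    missing = []
    for text in private_prefixes:
        prefix = ip_network(text)
        if not any(prefix.subnet_of(c) for c in covered):
            missing.append(text)
    return missing


if __name__ == "__main__":
    for dst in ("10.1.5.7", "10.20.0.9", "192.168.50.3", "203.0.113.10"):
        print(dst, forwarding_decision(BRANCH_TABLE, dst))
    # 192.168.50.0/24 has no static route, so it would be NATed by the branch MX.
    print(missing_private_routes(BRANCH_TABLE, ["10.30.0.0/24", "192.168.50.0/24"]))
```

Run it once with the real branch table substituted in and any prefix the helper reports is one that HQ will see arriving from the branch's WAN address rather than from the branch LAN, which also breaks return routing for anything that must reach the branch directly.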
I have the same case, where I would like to run MX devices(hub and spoke), on both I will connect the internet to WAN1 and MPLS(without internet access) directly to WAN2, then form an SD-WAN setup over both links.
This what I will try! I hope it works!
This did not work for me. I am using a pair of MX68 devices where both are connected on WAN1 for Internet and on WAN2 for MPLS.
I could see the tunnel is up on the WAN1, but will never be up on the WAN2, is there a special configuration I need to add?
If the tunnel is not up on WAN2 (so assuming you are using AutoVPN over MPLS), make sure that the public IP address that the spoke gets NATed to is the same as the public IP address that the hub is NATed to when the traffic goes over the MPLS, otherwise it won't work.
Hi @PhilipDAth, actually I am trying to achieve what we have, Auto VPN over MPLS and SD-WAN:
With the following assumptions:
-Both MX Devices will run in NAT Mode (Not VPN concentrator)
-Both MX Devices will have one leg to MPLS (which has a router splitting traffic to the internet)
-Both MX Devices will be connected to WAN1 to the internet
I cannot get the tunnel on WAN2 up, I am not sure how to configure it.
The WAN2 interface of every MX, including the DC/head office, needs to get NATed to the same public IP address. If you look in the dashboard, does it report the same public IP address for WAN2 for each MX?
So we got everything set now, and both MX devices see their interfaces as active.
However I am facing an issue with VPN tunnels. When both lines (MPLS and Internet) are up and running, everything works great (even though I did not test SD-WAN and path selection yet).
However when the Internet line is down at any of the devices, the tunnel would be down and it seems that the Internet1 of the working Internet line is trying to form an IPsec tunnel to the other MX device over the MPLS link, and it is not coming up (that is normal because the MPLS connectivity does not allow traffic from the outside except for Meraki Cloud).
I attached a diagram.