Meraki

Community

MX105 behind another firewall

np
New here
‎Mar 23 2022 12:14 PM
‎Mar 23 2022 12:14 PM

MX105 behind another firewall


I have a question regarding link aggregation.

we are setting up s2s vpn using MX105, which has dual WAN connection.

we are planning to put MX105 behind our company firewall and MX will be using our company owned public IP address space instead of connecting directly to ISP.

since we are planning to use both WAN interface, will MX105 allow as to use two different IP Addresses from same subnet? for example lets say we have 190.100.100.0/24 block which lives on firewall

on mx wan1 - I would assign 190.100.100.10/24 with gateway of 190.100.100.1

on mx wan2 - I would assign 190.100.100.11/24 with gateway of 190.100.100.1 

Would MX105 allow this configuration?

 

if not can we bundle WAN1 and WAN2 in portchannel of some sort and assign single ip address.

 

thanks in advance.

 

let me know if I need to post this question somewhere else.

0 Kudos
4 Replies 4
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 23 2022 12:19 PM
‎Mar 23 2022 12:19 PM

Meraki MXs don't support port-channel and yes the MX will allow you to use IPs from the same subnet.  But what is the point of using both wan interfaces if they will eventually through the same gateway? 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 23 2022 12:19 PM
‎Mar 23 2022 12:19 PM

I haven't tried it, but I don't see why you couldn't connect WAN1 and WAN2 to the same public subnet.  The MX won't care that they are in the same subnet.  It just wants to be able to reach the Internet from them.

 

If you are also AutoVPN this will work fine.  If you are creating a non-Meraki site to site VPN, it will only build from whatever you configure as the primary WAN port, and if that fails, will change over to using the secondary WAN port.  Your remote end would need to be able to support a failover like this.

 

 

You won't be able to form a port channel.

In response to PhilipDAth
np
New here
‎Mar 23 2022 2:52 PM
‎Mar 23 2022 2:52 PM

Thanks for quick response. Let me add more details. we are implementing MX105 as one arm vpn concentrator. I found a documentation https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

look at Appendix-1, which says An MX Security Appliance operating in one-armed concentrator mode sends and receives traffic on a singular interface. This interface will always be the the first Internet or WAN port on the unit. A secondary port is not supported when deployed as a VPN concentrator.

 

Does that mean load sharing using WAN2 interface is out of the picture now.

 

Thanks

0 Kudos
In response to np
Ryan_Miles
Meraki Employee
Meraki Employee
‎Mar 23 2022 3:15 PM
‎Mar 23 2022 3:15 PM

Concentrator mode only uses WAN 1 port  What's the goal with using both WAN ports on the MX? Just LAG/more bandwidth? As Philip mentioned no MX supports LAG. And the MX105 has 10Gbe capable WAN ports.

 

Typically in this design the MX would sit behind your edge FW in a DMZ using a private IP. The FW would have a NAT rule and access rule allowing VPN through it/to the MX.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.