We are currently running an MX84 with MX 15.x and need to upgrade to MX 16.x.
The MX84's WAN port is connected to the internet. We are currently forwarding traffic on inbound port 443 to a server.
The release notes for the MX16.15 firmware state:
While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. In order to ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.
What does this mean for us since we need to forward port 443 to another server?
I think there are a few possibilities:
1. The MX will interpret any traffic on port 443 as being for the MX. This would result in users not being able to reach the server from the internet. At least we would be able to roll back the firmware.
2. The MX will follow the port forwarding rule and send all traffic inbound on port 443 to the server. In this case, I don't think that we would be able to access the MX through the Meraki cloud service. We wouldn't be able to roll back the firmware and would have to do a factory reset.
3. The MX filters the inbound traffic on port 443, with traffic from 209.206.48.0/20 being processed by the MX and all other traffic forwarded per the forwarding rule.
While I assume that the answer is (3), I can't find any discussion of this. If the answer is (1), we could roll back the firmware, but if the answer is (2), then we will lose the ability to manage any of our Meraki devices.
A mitigation for (2) would be to add a router in front of the MX that performs the filtering that is mentioned in (3).
I did see a warning somewhere about losing access to the local status page via the WAN interface if ports 80 and 443 are being forwarded, but it didn't say anything about the cloud services.
Somebody out there has to be using this device with port 443 forwarded to a web server or other type of server. Does anyone know for sure that the MX will filter out traffic from Meraki before forwarding all other traffic according to the port-forwarding rule?
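As an added illustration (not from this post and not Meraki's code), the model below shows how a stateful NAT gateway in general dispatches TCP/443 packets: replies to a session the appliance itself opened match the connection-tracking table before any port-forward rule is consulted, new inbound connections hit the forward, and an optional source-prefix rule stands in for possibility (3) or the upstream router in the mitigation. It assumes the cloud session is initiated outbound by the appliance; only 209.206.48.0/20 is taken from the release note, and the gateway, client and server addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses; only the /20 comes from the release note quoted above.
MERAKI_CLOUD = ipaddress.ip_network("209.206.48.0/20")
WAN_IP = "198.51.100.7"       # constructed: the appliance's public WAN address
WEB_SERVER = "192.0.2.10"     # constructed: the internal server behind the 443 forward

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

class Gateway:
    """Stateful NAT gateway: tracks its own outbound sessions, DNATs new inbound 443."""

    def __init__(self, forward_port, forward_to, cloud_prefix=None):
        self.forward_port = forward_port
        self.forward_to = forward_to
        self.cloud_prefix = cloud_prefix  # set to model possibility (3) / the upstream filter
        self.sessions = set()            # (remote_ip, remote_port, local_port) of outbound flows

    def outbound(self, pkt):
        """The appliance itself opens a connection (e.g. to the cloud); conntrack records it."""
        self.sessions.add((pkt.dst, pkt.dport, pkt.sport))

    def inbound(self, pkt):
        # 1. Replies to a session this gateway initiated match conntrack before any NAT rule.
        if (pkt.src, pkt.sport, pkt.dport) in self.sessions:
            return "appliance (established session)"
        # 2. Optional source-prefix rule: possibility (3), or the router in the mitigation.
        if self.cloud_prefix is not None and ipaddress.ip_address(pkt.src) in self.cloud_prefix:
            return "appliance (cloud prefix)"
        # 3. A new inbound connection on the forwarded port follows the port-forward rule.
        if pkt.dport == self.forward_port and pkt.syn:
            return f"forwarded to {self.forward_to}"
        return "dropped"

def dispatch_demo(with_prefix_rule):
    """Run the three inbound cases with (True) or without (False) the source-prefix rule."""
    gw = Gateway(443, WEB_SERVER, MERAKI_CLOUD if with_prefix_rule else None)
    gw.outbound(Packet(WAN_IP, 51000, "209.206.48.10", 443, syn=True))  # appliance -> cloud
    return {
        "cloud reply": gw.inbound(Packet("209.206.48.10", 443, WAN_IP, 51000)),
        "internet client": gw.inbound(Packet("203.0.113.5", 40000, WAN_IP, 443, syn=True)),
        "unsolicited SYN from cloud range": gw.inbound(Packet("209.206.50.1", 40001, WAN_IP, 443, syn=True)),
    }
```

The two runs differ only in the third case: without the prefix rule an unsolicited SYN from the cloud range is forwarded like any other, while the appliance's own outbound session is served by conntrack either way.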