MX250 and problem having multiple public IP's

Cakes
Here to help

MX250 and problem having multiple public IP's

I'm in the process of converting my firewall from a Fortigate to the MX250. I have 16 public IP address available from my ISP. The WAN 1 uplink has one public IP and I have five 1:1 NAT forwards to various servers so no problem there. The problem is I need to route outbound traffic from different VLANS via different public IP's We are a eduction institution and use a web filtering service that monitors certain public IP's we have to direct web traffic to specific filtering policies. I've talked with Meraki tech support and according to them all I can do is place a switch between my ONT and the MX250. Then program the other WAN uplink with one of the public IP's. But this does not solve my problem as I still have three other VLAN's that route outbound using other public IP's. My Fortigate allowed me route any traffic outbound to whatever public IP I wanted it to have. Any ideas how to do this on the MX250?

8 REPLIES 8
RomanMD
Building a reputation

Unfortunately, there are many more in the same boat, but this can't be done with Meraki MX. 

So, the only way to do it is with a layer3 device in front of the MX which will do some routing and NAT.

cmr
Kind of a big deal
Kind of a big deal

As @RomanMD said this not possible.  Hence why we use a different solution for our enterprise edge at the moment.  The MXs are an excellent SD-WAN solution and public internet termination.

Cakes
Here to help

If you don't mind me asking @cmr what are you using for you enterprise edge solution? Like I said Meraki tech support told me to throw a switch between our firewall and our ONT. The only problem is I know very few switches that will NAT.

cmr
Kind of a big deal
Kind of a big deal

We use Sophos (XG) firewalls for enterprise edge at the moment.  I do like them, but wish their GUI was more like the Meraki one...

JohnT
Getting noticed

It's unbelievable that we still don't have this basic feature yet.  We have a lot of externally hosted services that utilize IP allow-listing and it's getting extremely difficult to manage all of the content blocking on our guest networks. I currently have to use layer 3/7 Firewall and Traffic Shaping rules to block access from guest networks to the publicly hosted services that need to be unavailable to guest networks.

I agree @JohnT this is completely unacceptable. I am in the process of working directly with Meraki's Development Team to get this code available to me and then in the next firmware update. I have worked with FortiGate, SonicWall, FirePower, ASA, pfSense and many other competing products. All of them have the ability to do source NAT. The MX250 is an "Enterprise" class firewall and it's lacking this feature.......this should not be labeled Enterprise class.

JohnT
Getting noticed

@Cakes I would be interested to know if you can get access to this feature.  We are considering leaving Meraki because it's becoming impossible to manage all the silly work arounds.  It didn't seem to be a priority with Meraki so we got a little hopeless.  This would be great news if they are actually going to solve this.

thomasthomsen
Head in the Cloud

This has been on the "wish list" for a long time I think. But nope, we still do not have that feature.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels