I'm in the process of converting my firewall from a Fortigate to the MX250. I have 16 public IP address available from my ISP. The WAN 1 uplink has one public IP and I have five 1:1 NAT forwards to various servers so no problem there. The problem is I need to route outbound traffic from different VLANS via different public IP's We are a eduction institution and use a web filtering service that monitors certain public IP's we have to direct web traffic to specific filtering policies. I've talked with Meraki tech support and according to them all I can do is place a switch between my ONT and the MX250. Then program the other WAN uplink with one of the public IP's. But this does not solve my problem as I still have three other VLAN's that route outbound using other public IP's. My Fortigate allowed me route any traffic outbound to whatever public IP I wanted it to have. Any ideas how to do this on the MX250?
As @RomanMD said this not possible. Hence why we use a different solution for our enterprise edge at the moment. The MXs are an excellent SD-WAN solution and public internet termination.
If my answer solves your problem please click Accept as Solution so others can benefit from it.
If you don't mind me asking @cmr what are you using for you enterprise edge solution? Like I said Meraki tech support told me to throw a switch between our firewall and our ONT. The only problem is I know very few switches that will NAT.
It's unbelievable that we still don't have this basic feature yet. We have a lot of externally hosted services that utilize IP allow-listing and it's getting extremely difficult to manage all of the content blocking on our guest networks. I currently have to use layer 3/7 Firewall and Traffic Shaping rules to block access from guest networks to the publicly hosted services that need to be unavailable to guest networks.
I agree @JohnT this is completely unacceptable. I am in the process of working directly with Meraki's Development Team to get this code available to me and then in the next firmware update. I have worked with FortiGate, SonicWall, FirePower, ASA, pfSense and many other competing products. All of them have the ability to do source NAT. The MX250 is an "Enterprise" class firewall and it's lacking this feature.......this should not be labeled Enterprise class.
@Cakes I would be interested to know if you can get access to this feature. We are considering leaving Meraki because it's becoming impossible to manage all the silly work arounds. It didn't seem to be a priority with Meraki so we got a little hopeless. This would be great news if they are actually going to solve this.