MX84 with a transit public /30 and a public /26

Jucabala
Just browsing

MX84 with a transit public /30 and a public /26

I am new to Meraki devices and I would like to check how I can do this:

https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html

 

In my case I will have a /30 and a /26, let's say:

WAN  200.200.183.132/30

LAN   100.100.33.192/26

 

Any guidance is welcome.

 

Best Regards

6 REPLIES 6
NolanHerring
Kind of a big deal

PhilipDAth
Kind of a big deal
Kind of a big deal

The /30 just runs between you are your ISP, nothing special there.

 

Typically with Meraki you would NAT between your /26 and your inside network.

jdsilva
Kind of a big deal


@PhilipDAth wrote:

The /30 just runs between you are your ISP, nothing special there.

 

Typically with Meraki you would NAT between your /26 and your inside network.


You can also use the /26 IP's in the 1:1 NAT and the 1:Many NAT sections instead of directly assigning them on the LAN. 

WillN
Getting noticed

Hi,

 

So that LAN IP addres range is publically routable (as in RIPE address right)?
Do you have an issue with building a private VLAN range (say 192.168.x.x) and mapping?

Otherwise you'd need to do something like this.
Build a private VLAN in that /26 range as you stated.

For each IP address you want to use in that range build a 1:1 NAT rule setting the public and private IP to be the same. NAT still happens here but if you have your client with that IP address then "whatsmyip" will show the correct public address, and inbound connections will be allowed to that device.

NoNat is only in Beta for MX15 right this moment so it may require workarounds like this for you to make private VLAN ranges publically routable on the MX

You'd have to do this rule entry for each IP address within that 26 range you wish to utilise. The 1:1 NAT rules are explicit IPs only.

1to1.JPG

This is very helpful.

Yes, the /26 is a public range, so I need a routable appliance without NAT.

Talking with Meraki support they mention Beta MX15 as well, so as soon we have a chance we will probably test it on our environment.

The idea is to give some internal machines real public IPs. We are teaching college hires what they have to do to secure an appliance when it is facing the internet and properly route when you they are connected via two arms, and give them the public IPs is a requirement for the program.

 

Back to your notes.

Can I do 1:1 NAT like you did 100.100.33.194:100.100.33.194 on MX14 or should I be on MX15 Beta?

 

Really appreciate the community insight on this.

 

Best Regards

WillN
Getting noticed

Will answer the NAT thing first

Its a bit of a cheaty workaround to be honest, but you can build as I screenied earlier, its kinda like a transparent NAT. It still translates.. but to itself but it should be reachable remotely and through inter-VLAN routing.

About MX15

So you would build the /26 as a private VLAN as above, and then exclude that VLAN from NAT (essentially No-NAT). In this case when your PE forwards the /26 traffic to your Meraki, rather than hitting the NAT boundary and having to be translated, it should route straight through.

As seen in the screenshot, no-NAT can be set on the uplink or the private VLAN, essentially relying on conventional routing. From the traffic though, AMP/IDS and all the Stateful FW stuff still apply so there "may" be issues with unsolicited inbound traffic being blocked without some additional config surrounding port forwarding. Not sure if that 1:1 NAT rule that allow remote connections on port numbers constitutes FW rules allowing traffic, need to poke wireshark a bit more and see how it interacts.

I know MX15 has this to play with right now, but there is quite a lot of features being tested in MX15, it could be that some of the big changes (like no-NAT) are dropped for general release of that firmware (or pushed to a later stage.)

Hope this helps,

Just FYI that /26... you could be there some time building 1:1 NAT rules for each IP, have a poke through the API tools and see if there is some way to automate its delivery.... have fun!

noNAT.JPG

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels