So that LAN IP addres range is publically routable (as in RIPE address right)? Do you have an issue with building a private VLAN range (say 192.168.x.x) and mapping?
Otherwise you'd need to do something like this. Build a private VLAN in that /26 range as you stated.
For each IP address you want to use in that range build a 1:1 NAT rule setting the public and private IP to be the same. NAT still happens here but if you have your client with that IP address then "whatsmyip" will show the correct public address, and inbound connections will be allowed to that device.
NoNat is only in Beta for MX15 right this moment so it may require workarounds like this for you to make private VLAN ranges publically routable on the MX
You'd have to do this rule entry for each IP address within that 26 range you wish to utilise. The 1:1 NAT rules are explicit IPs only.
Yes, the /26 is a public range, so I need a routable appliance without NAT.
Talking with Meraki support they mention Beta MX15 as well, so as soon we have a chance we will probably test it on our environment.
The idea is to give some internal machines real public IPs. We are teaching college hires what they have to do to secure an appliance when it is facing the internet and properly route when you they are connected via two arms, and give them the public IPs is a requirement for the program.
Back to your notes.
Can I do 1:1 NAT like you did 100.100.33.194:100.100.33.194 on MX14 or should I be on MX15 Beta?
Its a bit of a cheaty workaround to be honest, but you can build as I screenied earlier, its kinda like a transparent NAT. It still translates.. but to itself but it should be reachable remotely and through inter-VLAN routing.
So you would build the /26 as a private VLAN as above, and then exclude that VLAN from NAT (essentially No-NAT). In this case when your PE forwards the /26 traffic to your Meraki, rather than hitting the NAT boundary and having to be translated, it should route straight through.
As seen in the screenshot, no-NAT can be set on the uplink or the private VLAN, essentially relying on conventional routing. From the traffic though, AMP/IDS and all the Stateful FW stuff still apply so there "may" be issues with unsolicited inbound traffic being blocked without some additional config surrounding port forwarding. Not sure if that 1:1 NAT rule that allow remote connections on port numbers constitutes FW rules allowing traffic, need to poke wireshark a bit more and see how it interacts.
I know MX15 has this to play with right now, but there is quite a lot of features being tested in MX15, it could be that some of the big changes (like no-NAT) are dropped for general release of that firmware (or pushed to a later stage.)
Hope this helps,
Just FYI that /26... you could be there some time building 1:1 NAT rules for each IP, have a poke through the API tools and see if there is some way to automate its delivery.... have fun!