We are using the MX for FW, Content Filtering, Threat protection, etc. The third party appliance is for compression and TCP optimization. I suppose I can make the 3rd party appliance the default route for the branch site devices, or possibly use it as inline bridge mode so that all outbound traffic has to pass through the device before hitting the MX, and then the reverse inbound.

I wish Meraki would just bring back the compression/optimization features then no need for additional devices.

Thanks

Sarvjit

What speed links are you using with the compression/optimization system?

Remote site has no broadband access available. Using LTE 4G for primary.

But I suppose its not going to let me create a static route for 0.0.0.0/0. So will have to add each IP accessed by the users individually? That wouldnt be possible, of course.

Give it a try, I believe it does allow a static route of 0.0.0.0/0, but it does give you a warning about overlapping routes - I’m pretty sure I set this up once. All the management traffic to the Meraki cloud continues to go via the WAN port, so you won’t lose connectivity to the device.

I will give it a shot. Thanks Bruce.

Just tried this and you can definitely enter a default static you just get the warning and have to acknowledge it. That was on MX16 firmware, but as I said I’ve done this before and it was on MX15 firmware, not sure how MX14 behaves if you’re still there. 

Just remember any more specific route on the MX will override the default, and there is no way to route things to the WAN ports once you’ve added the static, other than routes learnt over a VPN.

Perfect. I will give it a try. Thanks

@Sarv, as another option you may be able to use the Source Based Default Route if there are only a small number of VLANs (or static routes) on your MX. This works in the same way as a default (i.e. its only used if there isn't a more specific route) but takes precedence over the standard default out through the WAN port. Using that you could send certain VLANs/subnets to your optimization device, and then from the optimization device (assuming it changes the source IP address) it could then use the standard default route out through the MX. Just needs some clear thinking through of your traffic flows, both the outbound and inbound, and considering the priority of the routes when it hits the MX.

Thinking this through, all of the default route options are really only going to work if the optimization devices build a tunnel between themselves, and its best if the subnets that the optimization devices are in is the only subnet that is advertised over the AutoVPN (or if you're not using AutoVPN in the case of Source Based Default Routes). If you're advertising other remote subnets over the AutoVPN then the traffic will always be routed directly into the AutoVPN the minute it hits the MX, rather than to the optimization device. You could always override this with static routes (which take priority over AutoVPN routes), but this may get overly complex to administer very quickly (depending on the size of your network).

Wow Bruce you nailed everything without knowing our infrastructure, color me impressed. So my plan was exactly what you detailed out.

All Devices ===> MX LAN Interface (VLAN 100), the appliance would also have one of its interfaces on that same VLAN connected to the MX.

Branch Appliance over the internet ipsec tunnel to appliance at HQ ===> out to internet or internal VLAN's whichever the case may be. This ensures all traffic to/from that branch site is optimized.

Potentially I could connect a 2nd interface from appliance and run it back through the MX on another VLAN, lets say VLAN 200, the appliance would NAT the traffic using it VLAN 200 interface back through the MX but that seems counter intuitive to me.

P.S only a single VLAN currently at the branch location so its not too complicated and AutoVPN will be turned off for the site since all traffic will be routed through this appliance.

Thanks

Sarvjit