Hi
If you have the following scenario:
- Company 1 HQ
- Company 1 satellite office
- Company 1 satellite office
- Company 2 HQ
- Company 2 satellite office
- Company 2 satellite office
All companies are part of a Group of companies, so they communicate with each other over the same SD-WAN.
The satellite offices need to have an Internet connection which is firewalled and filtered by an appliance (non-Meraki) at its respective HQ site. In other words, the internet for the satellite offices needs to be back-hauled to its respective HQ site: Company 1 satellite office -> Company 1 HQ and Company 2 satellite office -> Company 2 HQ.
I have set up:
- Company 1 satellite office as SPOKE with default route to HUB Company 1 HQ
- A 0.0.0.0/0 route on Company 1 HQ MX pointing to the LAN core switch at Company 1 HQ
- The 0.0.0.0/0 route on the MX is not advertised into the SD-WAN, as I only want this to affect Company 1 satellite offices, not Company 2
I set up the same for Company 2 sites. What I've found is that this basically doesn't work: the internet-bound traffic is routed into the HQ successfully, the traffic returns and hits the LAN side of the MX, at which point the MX drops the traffic. I have had a ticket with Meraki over this (however, this was raised while all sites were HUBS) but the result was the same: if the 0.0.0.0/0 is not advertised in the VPN, the return traffic is dropped by the MX. In my view, this should work as the routing is good; however, the inherent behaviour of the MXs is to drop the traffic.
The workaround currently is to have all internet-bound traffic forwarded and filtered at 1 HQ; however, for my business this is not desirable. I keep coming back to this to see how it could be achieved. I have even updated some sites to the Beta firmware, which includes source-based routing functionality; however, this is still not doing the job, since you can only select source networks that are local to the MX on which you are setting up the source-based route!!
Can any geniuses out there tell me if this can be done? 😫