Multiple external IP addresses

AlexanderDrago
Getting noticed

Multiple external IP addresses

Hello, everyone!

I have one question. If Meraki can configured multiple external IP addresses ? Example i have guest wifi and want that network use another external ip different of main.

1:NAT and 1:1 NAT dont work(i found some advices). Because it dont understand all subnet, only 1 lan ip.

21 REPLIES 21
Adam
Kind of a big deal

I've also tried to accomplish this and I'm fairly certain it isn't possible.  The NAT will only be for external traffic coming in.  Everything going out will go through the MX WAN IP.  Depending on your use case, the only real option would be to put an L2 switch outside of your MX WAN interface.  Have one cable going to the MX WAN interface and another going to your switch VLAN or device and then you could give those devices the WAN IP directly although they will not be going through the MX.  I guess conceptually if it is for a guest network you could also have a separate, cheap, router that is connected to the WAN that you route traffic to/through.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
jdsilva
Kind of a big deal

What @Adam said. Inbound only 😞

 

But... If you were to use the second WAN port and assign a second external address to that, then you could use Internet flow preferences to steer some traffic out the second IP (and in) giving you two public IP's. 

 

It's not how it's meant to work, and not clean by any stretch, but if you absolutely needed to second IP for say, have one specific server use a specific IP outbound, it could work. 

 

Disclaimer, I haven't tried this directly, but I don't see why it wouldn't work.

Neil_S
Conversationalist

Okay.. this can be done by... 

 

Create a VLAN on your MX..

 

Subnet: 212.1.1.0/29

MX IP: 212.1.1.2

VALN ID: you choose. 

 

 

Set your client PC with the blow.. 

 

IP 212.1.1.3

Mask: 255.255.255.248

Gateway: 212.1.1.2

 

Set 1:1 NAT 

 

 

Public IP:212.1.1.3

LAN IP: 212.1.1.3

 

This will then show your second IP when access the internet, not the IP of the MX. 

 

Hello Neil_S,

I have tested your suggestion and it worked.

However, I have found one Downside, that is that it is no longer possible to reach our public addresses from inside the LAN, after setting up the VLAN.

Are there any other side effects you experienced?
Are you using this workaround in a productive environment?

Neil_S
Conversationalist

Hi 

 

I haven't seen any other downsides and yes I have this is a production environment for a customer. 

 

 

 

Sorry to wake this old tread 🙂

Im interested in what you did here (because to me its not quite clear).

But does your solution give you the option to route a guest vlan out another public IP then the one the MX has for itself ?

Hello!

Yep, in guest vlan we have another external ip

You can try test on your guest vlan

But how did you do this ?

Did you use Flow preferences ? (because here I can only select WAN1 or WAN2 in the prefered uplink).

Or did you do the NAT thing as described somewhere above here ?

 

Im curious. 

 

Thanks

Thomas

John2
Here to help

Meraki doesn’t currently support this. One way you might also be able to get around this is by placing a router on your network, doing a 1:1 NAT on the MX to this router. Then NATing the guest WiFi traffic through this router. It does add another device and double NAT but should achieve what your trying to do.

Ben
A model citizen

We are currently struggling with this as well since the provider NAT public traffic to a private address. 

Response from Meraki 

its a heavily requested feature its not really got a alternative im afraid
 
I think it's ridiculous that such a future proof firewall does not support sourcenat... 
 
 
Darrell
Just browsing

So just to clarify, if I have a block of IP addresses associated with my Internet connection, the Meraki is incapable of using any but the IP address of its external interface?

If that's the case, what is Meraki's suggestion/recommendation for doing this functionality that Cisco ASA's have had since the Pix was introduced?

jdsilva
Kind of a big deal

@Darrell Not exactly. It can use multiple IP's for inbound traffic. So you can do DNAT on inbound traffic. What you cannot do is SNAT on outbound traffic. 

One of solution you can use this in Security appliance - Traffic Shaping and chose for you network wan portScreenshot from 2018-08-01 14-48-35.png

Ben
A model citizen

let's get this topic back from the dead. 

since IkeV2 is in beta (other topic) perhaps we should get the attention of Meraki to have a look at sourcenat. 

groncal56
Conversationalist

Has anyone seen and update on the multiple External IP via MX?

A year later and still nothing.  This is killing me.  Has anyone heard of any updates on this?

Schar
Conversationalist

a month later, and still nothing....

Net/DevOps in traning
JohnT
Getting noticed

I was able to do this in 2001 with a Cisco Pix firewall.  I don't understand why this is so hard for Meraki.  It's one of the most basic features of a firewall.  

Yeah this is a deal breaker for me, I see this being requested back in 2015, if not earlier. I'll let our VAR know we need something else.

JohnT
Getting noticed

This is slowly becoming a deal breaker for us as well.  With so many services moving from on-prem to the cloud we need the ability to send guest traffic out a separate IP address.  My current work around is to individually block access to all of the cloud services on every guest network.  It's like whack a mole, and I'm sure I'm missing some.  It's becoming a serious liability for us and I'm having difficulty explaining to the board why we continue to use Meraki.

Is there anyone from Meraki reading this board who can chime in on this feature?

KiloBravo
Here to help

I guess nothing has changed in 4 months? since @JohnT's message?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels