Multiple routing

tom_alacid
Here to help


Hello, I need help because I can't find a solution to my problem. I have a piece of network equipment (which does not belong to me, so I cannot modify it) that provides me with internet access and local access to some equipment.

I use an MX67 to do SD-WAN and an MS120 to do distribution.

I connected my equipment on the WAN 1 of my MX67 and on a port of my MS120 (the MX67 and the MS120 are connected in trunk).

I would like to make sure that:

- to access the IP 192.168.1.3 I go out through my switch
- to access the IP 192.168.1.6 I go out through my switch
- to access any other IP I go out through my WAN access

Is it possible?

Thank you for your help

CptnCrnch
Kind of a big deal

Just go to the "Addressing and VLANs" page and set up both static routes pointing to the switch's transfer network address.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs#Static_routes

tom_alacid
Here to help

Thank you for your prompt response,

This is what I tried this morning, but it shows me this error: Static lan route subnets cannot be contained by (or be equal to) a VLAN subnet.

pb_routage_meraki.jpg

I think it's not much but I don't see the error (I must have gotten too mentally stuck on it ahah)

CptnCrnch
Kind of a big deal

So what exactly are you trying to route? Sounds like it's something within a subnet that your MX is taking part in.

 

Normally, one would use a transfer network for such tasks.

tom_alacid
Here to help

I wish to have access on my PC to both the local equipment of my LAN 10.193.222.128/26 (through port 3 of my switch) and to the internet through the WAN 1 port of my MX.

I know the IPs of the local equipment to reach. My PCs are in a VLAN that I created on my MX (the MX is DHCP server for this VLAN on the range 192.168.12.0/24)

 

pb_routage_meraki_2.jpg

CptnCrnch
Kind of a big deal

Sorry, maybe I'm in need of another coffee, but I fear I still don't get it: 😕

 

Your workstation has an IP address within the partner equipment (10.193.222.128/26) and this one should reach other machines within your two subnets (192.168.12.0/24 / 192.168.13.0/24)?

 

To add to that: What's the IP of your MX's WAN1?

tom_alacid
Here to help

It's not exactly that. It's a project I'm working on right now, so some things can be changed.

Let's say I connected the WAN 1 output of my MX as well as port 3 of my switch to a kind of black box. This black box (I don't have access to the configuration) contains a router, a switch and equipment accessible through the LAN.

If I plug my PC directly on the switch of this black box, I can access the internet, I receive an IP via DHCP and I can access the local equipment.

Here is the information of this network:

Network address: 10.193.222.128
Mask: /28
Gateway: 10.193.222.129


My project is to use an MX67 to do SD-WAN between my 4G and this black box.

So I created 3 VLANs on my MX

- 1: Management
- 709: LAN-4G
- 708: LAN-partner

My MX does DHCP for these 3 VLANs with the following IPs:

- 1 : 192.168.127.0/24
- 709 : 192.168.13.0/24
- 708 : 192.168.12.0/24

I wish that:

- users on LAN-4G have access to internet by WAN2 : OK by SD-WAN
- users on the LAN-4G have access to the local equipment of my black box through port 3 of my switch: NOK
- users on the LAN-partner have access to the internet by the black box by WAN1: OK by SD-WAN
- users on the LAN-partner have access to the local equipment of my black box through port 3 of my switch: NOK


The goal is that users following their VLANs go out either through the 4G or through the black box, but that in any case all users have access to the local equipment of the black box, i.e.:

- 10.193.222.150
- 10.192.1.3

I hope to be clear, it's true that it's probably a gas plant for not much. 😖

CptnCrnch
Kind of a big deal

OK, now I'm getting it, thanks!

 

First and foremost: you don't need to connect your switch to that black box. This will be handled by your MX just fine. You just need to use the NAT feature, because the black box won't have any routing back to your subnets.

tom_alacid
Here to help

My MX is in routed mode, i.e. (in my opinion) it accepts NAT.

I'm going to unplug the cable to my switch and try NAT.

CptnCrnch
Kind of a big deal

Should be working flawlessly. It's that easy:

  • MX will be the default gateway for your configured internal subnet so it knows where to find your endpoints
  • Your MX has a default rule, therefore connecting to the internet via black box will work just fine. They will be hidden behind your MX's WAN IP
  • In case your endpoints will access devices located within the WAN subnet, MX will also NAT these connections, so from those "external devices'" perspective, the connection will originate from your MX
  • Routing within your inside networks will also be handled by your MX automatically
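
The forwarding behaviour listed in the reply above, and the dashboard rule quoted earlier in the thread ("Static lan route subnets cannot be contained by (or be equal to) a VLAN subnet"), modelled as an added example that is not part of any post and is not Meraki code. It uses the VLAN subnets, gateway and target IPs given in the thread; the route `192.168.12.0/25` and the host `192.168.13.20` are constructed samples, and the model assumes WAN1 is the uplink chosen for the flow (per-VLAN SD-WAN uplink selection is ignored).

```python
import ipaddress

# Values quoted in the thread; both WAN masks (/26 and /28) appear there.
VLANS = {
    "1 Management": "192.168.127.0/24",
    "709 LAN-4G": "192.168.13.0/24",
    "708 LAN-partner": "192.168.12.0/24",
}
WAN_GATEWAY = "10.193.222.129"


def static_route_conflicts(route, vlans=VLANS):
    """Return names of VLANs whose subnet contains or equals the route subnet.

    Mirrors the dashboard message quoted in the thread; a non-empty result
    means the route would be rejected under that rule.
    """
    route_net = ipaddress.ip_network(route, strict=False)
    hits = []
    for name, cidr in vlans.items():
        vlan_net = ipaddress.ip_network(cidr)
        if route_net.version == vlan_net.version and route_net.subnet_of(vlan_net):
            hits.append(name)
    return hits


def egress_for(dest, wan_cidr, vlans=VLANS):
    """Classify a destination as the replies describe (simplified model)."""
    addr = ipaddress.ip_address(dest)
    for name, cidr in vlans.items():
        if addr in ipaddress.ip_network(cidr):
            return f"inter-VLAN routing on the MX (VLAN {name})"
    if addr in ipaddress.ip_network(wan_cidr, strict=False):
        return "WAN1, on-link in the WAN subnet, source NATed to the WAN IP"
    return f"WAN1 via gateway {WAN_GATEWAY}, source NATed to the WAN IP"


if __name__ == "__main__":
    for mask in ("/26", "/28"):
        wan = "10.193.222.128" + mask
        # 192.168.13.20 is a constructed host inside VLAN 709.
        for dest in ("10.193.222.150", "10.192.1.3", "192.168.13.20"):
            print(f"{wan:<19} {dest:<15} -> {egress_for(dest, wan)}")
    # 192.168.12.0/25 is a constructed route that sits inside VLAN 708.
    for route in ("192.168.12.0/25", "10.192.1.3/32"):
        print(route, "conflicts with:", static_route_conflicts(route) or "nothing")
```

With the /28 mask, 10.193.222.150 falls outside the WAN subnet and is reached through the gateway; with /26 it is on-link. In both cases no static route or 1:1 NAT rule is involved.
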
tom_alacid
Here to help

Here is my WAN configuration

Config WAN.jpg

And here are my NAT rules

NAT.jpg

 

I don't understand why it still doesn't work. The NAT mechanism translates my internal IP to my external IP.

This is strange

CptnCrnch
Kind of a big deal

Have you already unplugged the cable from your switch to that black box?

tom_alacid
Here to help

Yes I have removed this cable.

I even reset my MX to zero but nothing can be done about it, I can't access the local equipment in my WAN.

I did 1:1 NAT with IP_LAN=IP_WAN
I even tried using another IP LAN but it doesn't work.

tom_alacid
Here to help

Some talk about new NAT features in version 15.x (I'm in 14.53), I asked on the dashboard to participate in the beta versions (I'm waiting for the firmwares to be pushed).

I'm using enterprise security licenses, can't it come from that?

ww
Kind of a big deal

Maybe I missed something, but why do you NAT the .150 IP to the same IP .150?

CptnCrnch
Kind of a big deal

Good catch @ww!

tom_alacid
Here to help

I NAT .150 to .150 because I want to access this IP from my LAN while it is in the WAN. But it doesn't work and I don't know how to make it work

Bruce
Kind of a big deal

If you’re accessing something on the WAN from the LAN then you don’t need a static NAT - the MX takes care of that dynamically. You only need a static NAT if you have something in your LAN that you need to access from the WAN.

tom_alacid
Here to help

I deleted my NAT rules.
I put my PC in a VLAN on my MX.
My PC has an IP through the DHCP of my MX
I wish to access an IP located after my WAN.
I can ping the WAN address of my MX but that's all.
I don't have access to my black box gateway or to other equipment.

cmr
Kind of a big deal

@tom_alacid are you saying that you cannot ping anything on the internet from your host inside the MX, i.e. 8.8.8.8 or similar?

 

If so is the default gateway on your host the MX and does the routing table have 0.0.0.0/0 pointing to the MX?  On the MX have you created any firewall rules that could be blocking traffic leaving the LAN?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
tom_alacid
Here to help

I can access the internet from my customers, what I want is to access equipment that is in my WAN (without it being directly internet).

To rephrase my problem let's say that I have a router coming from my ISP. On this router I connect a PC (it has an IP address and it works).
Then I connect my MX to my ISP. My MX has internet.
Now I connect a new PC to my MX and I want to join my first PC.

schema_meraki.jpg

tom_alacid
Here to help

Here is my network topology.
My partner gives me access to a switch on which I have access to internet and local equipment.

I wish to set up a network allowing my collaborators to have two internet accesses (4G + partner) and to have access to the local equipment of the partner (web server).

Currently it works if I plug the partner switch on a WAN port + a LAN port of my MX.

If I do this my inter-vlan routing doesn't work.

That is to say that I have created a VLAN 5 dedicated to my partner. If I put a computer on this VLAN I have access to internet + web server (my gateway is not my MX but the partner switch).

I put a printer in the VLAN 1 and I can't print.


What I want is:

- create a VLAN 4G (4) on my partner MX (it will act as a DHCP server): OK
- create a partner VLAN (5) on my partner MX (the partner switch will act as a DHCP server): OK
- create an SD-WAN rule to select one WAN per VLAN: OK
- access the web server (VLAN 5) from VLAN 5: OK
- access the web server (VLAN 5) from VLAN 4: NOK
- access the printer (VLAN 4) from VLAN 5: NOK
- access the printer (VLAN 4) from VLAN 4: OK

 

topologie.jpg

tom_alacid
Here to help

Hello,

To solve my problem, I made a WAN/LAN loop.

How it works:

- I put the same VLAN (level 3, created on my MX) on two ports.
- I plug my WAN cable (to my router) into one of these ports and run a cable from the other port to the MX's WAN port.

There is no spanning-tree or BPDU error because this loop is a WAN-LAN loop.

This solution does a good job and has been working for one month without problems.

Thank you for your help!
