Need to route only HTTP/HTTPS over Non-Meraki VPN Tunnel

jOMeraki2
Getting noticed


Hello everyone,


I’m working with several clients who require the ability to route only HTTP and HTTPS traffic (ports 80/443) through a Non-Meraki Site-to-Site VPN tunnel, while keeping all other internet traffic going out normally through the MX WAN.

From what I know, the MX supports subnet-based routing only for Non-Meraki VPN peers, not port-based or policy-based routing.


Before confirming this limitation to my clients, I would like to check with the community:


Is there any method or workaround to route only specific ports (80/443) through a Non-Meraki VPN?

Any alternative design or setup that can achieve this?


Has anyone successfully implemented something similar?


If there is no supported solution, we will unfortunately need to remove the MX from several customer sites and use another firewall vendor that supports this requirement.


Any insights or recommendations would be greatly appreciated.

Thank you!

8 Replies
rhbirkelund
Kind of a big deal

I'm curious, what's the requirement for only sending 80/443 over VPN, based on?

alemabrahao
Kind of a big deal

Unfortunately, that's not possible.

jOMeraki2
Getting noticed

Cisco AI answered me:

Need to route only HTTP/HTTPS over Non-Meraki VPN Tunnel

AI Assistant
08:45 AM
To route only HTTP/HTTPS traffic (TCP ports 80 and 443) over a Non-Meraki VPN tunnel on a Meraki MX, use the VPN Full-Tunnel Exclusion feature. This allows you to define application, IP, or URL-based rules for local internet breakout or VPN routing.
Here’s how you can achieve this:
Go to Security & SD-WAN > Configure > Site-to-site VPN in the Meraki Dashboard.
Under Non-Meraki VPN peers, add your VPN peer and set the "Private subnets" to 0.0.0.0/0 if you want to send all internet-bound traffic through the tunnel.
To route only HTTP/HTTPS, use the VPN Full-Tunnel Exclusion feature:
Navigate to Security & SD-WAN > Configure > SD-WAN & traffic shaping.
Create a VPN exclusion rule for all traffic except HTTP/HTTPS, so only HTTP/HTTPS is routed over the VPN tunnel, and other traffic uses the local internet breakout.
This approach allows you to selectively route only HTTP/HTTPS traffic over your Non-Meraki VPN tunnel while keeping other traffic on the local WAN.
For detailed steps and best practices, refer to the following documentation:
VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
Site-to-Site VPN Settings
If you need step-by-step configuration guidance or have a specific scenario, let me know.
You
yes pls

AI Assistant
08:51 AM
Here is a step-by-step guide to route only HTTP/HTTPS traffic over a Non-Meraki VPN tunnel using VPN Full-Tunnel Exclusion on Meraki MX:
Step 1: Configure the Non-Meraki VPN Peer
Go to Security & SD-WAN > Configure > Site-to-site VPN in the Meraki Dashboard.
Under Non-Meraki VPN peers, click Add a peer.
Enter the peer details (Name, Public IP, etc.).
For Private subnets, enter 0.0.0.0/0 to allow all internet-bound traffic to be routed through the tunnel.
Step 2: Enable VPN Participation for Relevant Subnets
In the same Site-to-site VPN page, select the subnets that should participate in the VPN.
Step 3: Configure VPN Full-Tunnel Exclusion
Go to Security & SD-WAN > Configure > SD-WAN & traffic shaping.
Scroll to the VPN traffic section.
Add a VPN exclusion rule:
Set the rule to match all traffic except HTTP/HTTPS (TCP ports 80 and 443).
This ensures only HTTP/HTTPS traffic is routed over the Non-Meraki VPN tunnel, while other traffic uses the local internet breakout.
Step 4: Save and Apply Changes
Review your configuration and click Save.
Step 5: Verify Tunnel Status
Go to Security & SD-WAN > Monitor > VPN Status to confirm the tunnel is active.
Reference Documentation:
VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
Site-to-Site VPN Settings
If you need help with the exact rule syntax or screenshots, let me know.
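An added example, not part of this thread and not Meraki's own tooling: a small Python model of the MX egress decision that the AI answer above walks through (peer private subnets pull a destination into the tunnel, a matching VPN exclusion rule sends it out the local WAN instead), run over constructed sample flows. The peer and exclusion objects are shaped the way I recall the Dashboard API returning them (thirdPartyVPNPeers with privateSubnets; trafficShaping vpnExclusions with custom rules carrying protocol, destination and port); that shape, the "single port or any" form of the port field, and the evaluation order are assumptions to check against the Meraki documentation before relying on them.

```python
import ipaddress

# Constructed sample configuration (not from the original post). Field names are
# assumed to follow the Meraki Dashboard API objects for third-party VPN peers
# and VPN exclusion rules; verify against the API reference.
LOCAL_VPN_SUBNETS = ["10.10.0.0/24"]          # LAN subnets enabled for VPN participation
PEERS = [
    {"name": "web-gateway", "publicIp": "203.0.113.10", "privateSubnets": ["0.0.0.0/0"]},
]
VPN_EXCLUSIONS = {
    "custom": [
        {"protocol": "udp", "destination": "any", "port": "53"},
        {"protocol": "tcp", "destination": "198.51.100.0/24", "port": "any"},
    ],
    "majorApplications": [],                   # licence-gated application rules, not modelled
}


def _matches_exclusion(rule, dst_ip, protocol, dst_port):
    """True if a custom exclusion rule matches the flow. Every field is a
    positive match: 'any', or an exact protocol / CIDR / single port."""
    if rule["protocol"] != "any" and rule["protocol"] != protocol:
        return False
    if rule["destination"] != "any":
        net = ipaddress.ip_network(rule["destination"], strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if rule["port"] != "any" and int(rule["port"]) != dst_port:
        return False
    return True


def route_decision(src_ip, dst_ip, protocol, dst_port,
                   local_subnets=LOCAL_VPN_SUBNETS, peers=PEERS,
                   exclusions=VPN_EXCLUSIONS):
    """Modelled MX egress choice for one flow (assumed order of evaluation):
    source must be in a VPN-participating subnet; the peer whose private subnet
    covers the destination (longest prefix wins) takes the flow into the tunnel
    unless a VPN exclusion rule matches it; otherwise the flow uses the WAN."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(s, strict=False) for s in local_subnets):
        return "wan"                          # source subnet not in VPN: no tunnel route
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for peer in peers:
        for cidr in peer["privateSubnets"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer["name"], net)
    if best is None:
        return "wan"                          # no peer advertises this destination
    for rule in exclusions["custom"]:
        if _matches_exclusion(rule, dst_ip, protocol, dst_port):
            return "wan"                      # local internet breakout via exclusion rule
    return f"vpn:{best[0]}"


def egress_report(flows, **cfg):
    """Apply route_decision to (src, dst, proto, port) tuples; returns a dict
    keyed by the flow tuple."""
    return {flow: route_decision(*flow, **cfg) for flow in flows}


if __name__ == "__main__":
    # Constructed flows: web traffic, SSH, DNS, an excluded destination, and a
    # source outside the VPN-participating subnet.
    SAMPLE_FLOWS = [
        ("10.10.0.5", "93.184.216.34", "tcp", 80),
        ("10.10.0.5", "93.184.216.34", "tcp", 443),
        ("10.10.0.5", "93.184.216.34", "tcp", 22),
        ("10.10.0.5", "93.184.216.34", "udp", 53),
        ("10.10.0.5", "198.51.100.7", "tcp", 8443),
        ("10.10.1.9", "93.184.216.34", "tcp", 443),
    ]
    for flow, via in egress_report(SAMPLE_FLOWS).items():
        print(flow, "->", via)
```

Running it puts tcp/22 in the tunnel alongside 80 and 443, while only the DNS flow and the explicitly listed destination break out locally. That is the practical point for the design question: a custom exclusion is a positive match on protocol, destination and port, so "everything except web" has to be enumerated rule by rule rather than written as one negation, and anything not enumerated follows the 0.0.0.0/0 peer into the tunnel.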

alemabrahao
Kind of a big deal

Application-based VPN exclusion rules (Smart Breakout) are only supported on MX devices with a Secure SD-WAN Plus


https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...)

GIdenJoe
Kind of a big deal

Hmm, is this some kind of SASE solution where you only want a remote web security appliance to decrypt traffic there?

Since Meraki does support IPsec VPNs with SASE providers, creating full tunnels to them and having DIA exceptions should be possible, but I'm not sure how far they are with that.

Does anyone have experience with Secure Access or Zscaler-based solutions?

RWelch
Kind of a big deal

Zscaler Internet Access (ZIA) Integration 

jOMeraki2
Getting noticed


"But in my case, I want the http and https traffic to go through a dedicated tunnel. How would this integration help me?"

alemabrahao
Kind of a big deal

The guide that @RWelch sent you doesn't mean you have to integrate with Zscaler, but rather shows how you should configure the tunnel to achieve what you need.
