I am looking for a solution for public access to internal host sitting behind a carrier grade NAT (CGNAT).
I have two Meraki network locations. At the head-end I am port-forwarding a number of services fine. At the remote site I get a private IP handoff, and access the internet from a distant public IP address the carrier manages.
Between the two locations I have a hub/spoke AutoVPN.
I am looking for a way to leverage the port-forwarding feature I do have at the head-end, to forward SIP traffic to a call manager at the remote-office.
Any cleverness available to get this done?
Currently, when attempting the port forward at the head-end MX to the remote site IP, the GUI fails, stating a requirement that the destination IP be configured in a local subnet.
I am not too familiar with the SDWAN feature; however, I was initially dismissive as it seemed more for the purposes of quality of service, while I was just aiming at the service alone thus far.
I do note the following in the reference provided:
PbR with Performance Failover for Web traffic
Web traffic is another common type of traffic that a network administrator may wish to optimize or control. This branch will leverage a PbR rule to send web traffic over VPN tunnels formed on the WAN 1 interface, but only if that matches a custom-configured performance class.
So far, I was concerned with any connectivity over the service port.
As to SDWAN being an option for me, I do not see an obvious barrier in my case, having MX/Z3 at the respective sites.
However, it is not clear to me exactly how SDWAN fits into the solution. Can you elaborate?
First question, at the remote site, do you have an MX as well? If you don't have a choice, it would be to set up a site-to-site VPN between the two sites. The issue here is that you won't be able to do port forwarding via VPN/SD-WAN.
The issue is in creating the NAT in the first place. Dashboard throws the error when trying "destination IP must be in a locally configured subnet".
This same function would also be beneficial for other services at the branch, so worth some time to figure out.
Particularly with the voice service, the call manager is bundled with other features required to be onsite. In particular, a phone may only register when on the same broadcast domain as the call manager. FYI, the voice solution is Unifi and the product is Dream Machine.
Ok - that must be an extra check they have added. I have done something similar to this, but a LONG time ago. I assume you have AutoVPN configured already, so the remote subnet is in the local routing change.
You could try opening a case with support, and seeing if this is a check they can disable for you (stop NAT checking to see if the destination is a local host).