Preventing an IP or subnet using WAN2

Solved
Dunky
Head in the Cloud

Preventing an IP or subnet using WAN2

I have a Boostbox at a site that is used to generate a local cellular signal which the cell phones connect to and traffic is then tunnelled over a VPN from this boostbox to the cell provider.

However, should the source public IP change, the provider locks out that box as they think it has changed location.

So the question is how can I prevent a specific IP and/or subnet from using WAN2 (i.e. when WAN1 fails).

.

 

1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal

4 Replies 4
ww
Kind of a big deal
Kind of a big deal

Contact support. They can provide seperate L3 fw config for wan2

 

https://community.meraki.com/t5/Security-SD-WAN/MX-Feature-Request-Separate-Firewall-SD-WAN-Rules-fo...

 

Dunky
Head in the Cloud

Thanks, I'll open a ticket and see what they say.

Dunky
Head in the Cloud

Support say this cannot be done.

I have clicked on "Give your feedback" and sebmitted:

 

"I need the ability to block a specific IP or subnet from using WAN2. This is because we have Cell Boosters that form a VPN to the cell provider and they whitelist the public IP. If the public IP changes (which it does when MX fails over to WAN2), they blacklist the box. Same could be achieved by allowing us to specify the WAN Interface or ALL on each of the L3 firewall rules (so I can deny the devices outbound traffic on WAN2)"

Dunky
Head in the Cloud

Meraki did indeed come back and say they can make the Cellular Failover ruleset apply when failover to WAN2.

However, there is no indication on the page that this is in force, and given that we use the L3 rules to provided VLAN segregation then I declined the offer.

What is really needed is on the L3 ruleset to have a dropdown on each rule where you can specify which WAN interface it should apply to (1, 2 or All)

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels