Proxying between WAN Interfaces

jsurles
Here to help

Proxying between WAN Interfaces

Hello - I am trying to use an MX67 to do route incoming traffic from the internet, to a specific host in another facility; essentially proxying this connection.

Essentially I need to connect to a "private" network from the internet, but they don't allow direct internet access. I have a physical location where both the internet uplink and private network uplink exist. What I'd like to do is place one single networking device with 2 WAN ports. Internet on WAN 1, PrivateNet on WAN 2.


Client: 1.1.1.1 <--> WAN1: 3.3.3.3 <--> WAN2: 2.2.2.2 <--> Server: 9.9.9.9:1234

 

Ideally, I'd like it so that TCP connections sourced from 1.1.1.1 with a destination for 3.3.3.3:1234, would be nat'ed and forwarded to 9.9.9.9:1234, and appropriate responses returned.


The problem seems to be that I can't find a way to NAT nor Forwrad to 9.9.9.9 because it's not on the local network.

6 REPLIES 6
jdsilva
Kind of a big deal

So you want traffic to ingress WAN1, and then egress WAN2, with a bit of NAT happening while doing so?

 

I'd be surprised if this would work TBH. I tried to configure this but the MX complains that the forward target isn't a local subnet (i.e. not on the LAN).

 

image.png

 

So I think your options here are either get a different box to do this, or rethink the whole setup (since this does sound kinda hokey, but I admittedly don't know the full story).

 

As a side note / shameless plug, you can do this on the LAN side of the MX using this technique:

 

http://blog.brokennetwork.ca/2019/08/silly-meraki-tricks-lan-hairpin-nat.html

 

Maybe you can adapt that to work for you here?

I'll give it a look... and yes, that is the same problem I was getting.. I can't NAT/port forward to anything that is not on the local LAN.. boo.

I switched "WAN2" back to being a regular LAN port to see if I could work something out.. but it was a no go.

The only way I can do this with the meraki that I can see is to VPN to it, instead of hitting this over then internet.. but I'm trying to avoid the VPN portion.. I may have to break down and get a WAF that does some proxying or something.. it would be easier just to use an openbsd or linux box.. but currently that's not an option.

jdsilva
Kind of a big deal

Ok, so I can make that error go away, but I still don't think this will work. 

 

You can trick the MX by adding a static route with an active condition that is never satisfied:

 

image.png

Make sure whatever Next Hop you use doesn't exist, and can never possibly exist, so this route is never used.

 

image.png

 

With this route now added you can do the odd looking port forward:

 

image.png

 

Finally, add a Internet flow preference for this IP to use WAn2:

 

image.png

 

I can't actually test this myself right now... And I honestly don't think it will work... But if there's a way to do this then I think this would be how you would configure it.

PhilipDAth
Kind of a big deal
Kind of a big deal

You will need a proxy server to do this.

 

You can do a simple TCP proxy using HAProxy (which is a free product).

If it is web based you could also consider using the old favourite, squid (also free).

If it is not web based a more complex alternative to HAProxy is a SOCKs server.

 

Another option - would it be possible to get the remote people to use Client VPN to connect in to the MX?  Then you could route their traffic back out the other link.

I had such high hopes.  I was able to get this configuration in, but nothing.

Watching the packets, I see them coming in on WAN1, but I never see them on WAN2.. so it doesn't like something. 😞

I'll keep playing with it and see what I can make happen.. I really don't want to have to find/eval a new proxy appliance just for this setup.. but I may have to.

jdsilva
Kind of a big deal


@jsurles wrote:

I had such high hopes.  I was able to get this configuration in, but nothing.


Haha well my expectations were pretty low. Sometimes you can trick the MX into doing creative things, but something here had me strongly suspecting that this wouldn't work. Too bad. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels