Routing between WAN Ports (MX64)

Frank_Liebelt
Comes here often

Hi, everyone,

I have a problem with a setup where I use two WAN ports on an MX64 and I need communication between the WAN ports.

Design:
My first attempt was to set up non-Meraki VPNs via the MX64 and to connect the MX to an MX250 via a LAN port, which has the advantage that the remote networks are available in the AutoVPN. There is also a transfer network between the MX64 and the MX250. The construct also works as expected.


The only problem is that no firewall rules apply because both MXs see each other as clients.

I then had a brief contact with Meraki Support. There I was told that I would have to rethink the design if I wanted to do firewalling between the two MXs.

For the implementation, I should realize the connection between MX64 and MX250 via WAN2.

Experimental setup:
WAN1 of the MX64 is connected to the Internet, and the non-Meraki VPNs are set up via this port.
WAN2 is attached to an MX250.
NO-NAT is activated on WAN2.
IP configuration:
MX64 WAN2 10.100.110.109/30
MX250 LAN5 10.100.110.110/30

On the MX250, the default routes for the remote VPN networks are set to the gateway 10.100.110.109. No extra routes are set on the MX64.

If I now do a traceroute from the MX250 to one of the VPN networks, the trace ends at 10.100.110.109 (MX64 WAN2).
Obviously, there is no routing between the WAN interfaces here.

Does anyone have any idea how to get the setup suggested by Meraki Support to work?

[Attached image: MX64-250-VPN.jpg]

2 replies

ww
Kind of a big deal

What firewall rules are not working when connecting on the LAN ports?

The normal L3 firewall works between VLANs, so this should work. Another option would be a group policy on the transit VLAN.

Frank_Liebelt
Comes here often

Hi,

With the current setup (MX64 LAN on MX250 LAN), an L3 firewall does not work on either the MX64 or the MX250.

The current setup looks like this:
Transfer network 10.100.110.104/30 VLAN 4000
MX64 IP 10.100.110.105
MX250 IP 10.100.110.106

MX250 Static Route: to remote LAN 192.168.0.0/24 gw 10.100.110.105
MX64 Static Route: to local LAN 172.18.5.0/24 gw 10.100.110.106

This setup works. But as described, only without a firewall.

Now let's assume that a computer with the IP 192.168.0.10 should access a server 172.18.5.99.
And nothing else in the 172 LAN.

I have created the following L3 rules.

An inbound rule that looks like this:
Deny TestRule1 Any 192.168.0.10/32 Any 172.15.5.99/32 Any

And an outbound rule that looks like this:
Deny TestRule1 Any 172.15.5.99/32 Any 192.168.0.10/32 Any

The same on the MX250.

I can still reach the server without any problems. Or ping the client from the server.

Even if I put a deny for both subnets, it still works.

And here Meraki Support told me that it is because the two MXs see each other as clients and I cannot regulate the traffic via the firewall.

That would probably only work if the local LAN was connected to the MX64. But this is not the case, as the MX64 only serves as a non-Meraki VPN gateway.

Hence the idea from support to do this via a no-NAT on WAN2 of the MX64.

This brings me to my problem that I can only reach the WAN2 interface from the local network and the traffic does not go through the non-Meraki VPN.
