I have a problem with a setup where I use two WAN ports on an MX64 and I need communication between the WAN ports.
Design: My first attempt was to set up non-Meraki VPNs via the MX64 and to connect the MX to an MX250 via a LAN port, which has the advantage that the remote networks are available in the AutoVPN. There is also a transfer network between the MX64 and the MX250. The construct also works as expected.
The only problem is that no firewall rules apply because both MXs see each other as clients.
I then had a brief contact with Meraki Support. There I was told that I would have to rethink the design if I wanted to do firewalling between the two MXs.
For the implementation, I should realize the connection between MX64 and MX250 via WAN2.
Experimental setup: WAN1 of the MX64 is connected to the Internet and the non-Meraki VPNs are set up via this port. WAN2 is attached to an MX250. NO-NAT is activated on WAN2. IP configuration: MX64 WAN2 10.100.110.109/30; MX250 LAN5 10.100.110.110/30.
On the MX250, the default routes for the remote VPN networks are set to the gateway 10.100.110.109. No extra routes are set on the MX64.
If I now do a traceroute from the MX250 to one of the VPN networks, the trace ends at 10.100.110.109 (MX64 WAN2). Obviously, there is no routing between the WAN interfaces here.
Does anyone have any idea how to get the setup suggested by Meraki Support to work?