We have a /28 public IP range, and a backup /32 connection on a separate ISP. The first IP in the /28 range is assigned to our MX100. Is it possible to have SMTP traffic (TCP25) from a handful of internal IP addresses go out via a specific different IP address in the /28 range? I found that you can use a Flow Rule to force port 25 from those IPs to go out via the correct ISP, but it doesn't seem to allow you to force it to a specific IP address on that network.
In the SonicWALL world that we're moving from, we just made a LAN to WAN NAT rule that accomplished this for a specific port, or a route for all traffic from a specific IP, but I can't seem to figure out the proper way to do it in the Meraki world.
You can create a 1:Many NAT rule on the Firewall page (very bottom). This should accomplish what you're looking for.
This works for routing outgoing internal traffic? Presumably I just do the exact opposite of a normal External to Internal 1:Many NAT rule?
So assuming my internal network is 192.168.0.1/24, and external is 18.104.22.168/24, and I want all SMTP traffic from 192.168.0.100 to go out 22.214.171.124, I'd create a rule as follows:
Public IP: 192.168.0.100
Public port: 25
LAN IP: 126.96.36.199
Local Port: 25
Allowed remote IPs: any
Is that what you're saying?
No, you need to supply a public IP that the MX has configured on its WAN interface subnet. Then in the LAN IP, you can put your internal network that you want to use the configured public IP for SMTP traffic.
Won't that just route INCOMING traffic on that IP address to the NAT'd internal address? I want to make traffic going from the internal address go out a specific Public IP address. For the record, I already have that rule.
So in my example above, the MX100's WAN1 port is assigned the IP address 188.8.131.52. Left alone, all SMTP traffic from 192.168.0.100 will go out via that IP address. But I want all outgoing SMTP traffic from 192.168.0.100 to go out via 184.108.40.206 instead of 220.127.116.11.
NAT rules are bidirectional - otherwise there wouldn't be a valid return path. I haven't tried this specific setup with 1:Many NAT, but I don't see why it wouldn't work.
Doesn't work. Just tested using port 80/443 and did a public IP lookup. Lookup reported the WAN IP address assigned to the WAN1 interface, not the NAT'd IP address unfortunately.