Secondary WAN IP Question using private IP

We have an MX100 on one end and an MX84 at another location.  At the present time these 2 sites are NOT configured for a site-to-site VPN.  However, we DO want to create a site-to-site connection but NOT over the primary WAN connection (not yet).  Here is the situation.  The (2) sites have a unique configuration where they have a site-to-site WIRELESS bridge solution from a local wireless internet service provider.  Basically, they can connect the devices on both ends to their switches and traffic will pass between the (2) sites.  It is really like having a super long cable connecting the (2) sites.  The devices that terminate this wireless setup are simple Layer 2 devices.  However, we want to plug this Layer 2 device into port (2) on each MX appliance and configure a VPN (maybe? see below).  We want to route traffic over that pipe as if it is a VPN using the traditional method where you have publicly routed static IP addresses assigned.  However, since these devices are Layer 2 there are no IP addresses assigned.  The wireless internet provider says we simply need to assign a private /30 block to the Layer 3 device (Meraki) and we can accomplish this goal.  However, I have not tried this yet.


Will the Meraki appliance allow me to setup a "Direct" static connection in the "Internet" zone using "Private" IP addresses like 10.0.0.x/24?  This is basically similar to what you might setup for an intranet router configuration.  

Can the Meraki be configured in this type of configuration with the Zone being "Internet"?


I could scrap the entire VPN idea altogether and just configure port (2) with a private /30 address and set up routing rules to handle the traffic.  However, if I eventually do decide to set up the existing connections on WAN1 as a point-to-point VPN, can I accomplish WAN failover in the event that one pipe goes down?  So basically, if this wireless bridge thing goes down, can the Meraki fail over to a point-to-point VPN configured on the WAN1 port?


Thanks for any info


I'm going to assume you are using your MX in NAT mode (the default).


You have two WAN ports.  You currently have one connected to the Internet.  You should use the other WAN port for this stub network.


I would recommend not using a VPN over your WiFi circuit.  You can assign a /30 stub of private IP addressing as mentioned.


I recommend you follow this guide for configuring the MXs to use a private MPLS network with VPN failover. In your case, the WiFi link would be the "MPLS" network (the only important bit is that this is a private network).

Hello PhilipDAth. Thanks very much for the info. Very much appreciated. Excuse my ignorance here, but I assume the stub network would be created on port 2 on the appliance? If the port is configured as LAN I cannot configure any separate subnets on it. If I change the Role to Internet and set it to static it will not allow me to key in a privately routed address. It says it is an invalid IPv4 address.
So I guess I am concerned as to how to set this up as a secondary WAN connection with failover. It appears I am missing something basic.
Thanks again

Yes. Thanks. This is correct in that it is in NAT mode. From what I read, port 2 would be the second WAN port. Correct? When I go to configure that port (via logging in locally to the appliance) and try to use a "private" /30 network configuration, it says the IP configuration is invalid. Is this because the role is defined as Internet and I am trying to use privately routed addresses? If I set it to LAN it does not give me the ability to configure any IP addresses.

Thanks again

Sorry please ignore my last message. I did not fill in the DNS servers when setting up the private address. Thanks again for your help.

Hello...Thanks much for your assistance.  This MPLS stub network worked great.  And we will be getting the VPN part up soon.  But traffic routes perfectly using the link you sent.


However, we discovered an issue.  The corporate site (hub in the hub-and-spoke VPN) has a Barracuda web appliance.  We would like to route all internet traffic (either via the MPLS or the backup VPN) out that cuda interface.  Is there anything we can set up on the Meraki system to force Internet traffic out that interface?  I looked at static routes but that does not seem to help.


I know in other non-Meraki VPNs we have set up there is an option to route Internet traffic out a gateway at a remote location.  I just can't find it here.


Thanks again for any info.


You would need to make the remote site's default gateway point over the WiFi link to the site with the Barracuda, and then have the MX at that site point its default route at the Barracuda.


You could also simply configure proxy settings on the machines to point directly to the Barracuda.  WPAD is a system of doing this automatically.


But ...


Why do you need a Barracuda?  The MX already has excellent content filtering and reporting ...
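For readers following the WPAD suggestion in the reply above, here is an added example of the PAC file that WPAD would hand to clients; it is not from the thread, nor Meraki or Barracuda code. It assumes a hypothetical Barracuda proxy at 10.10.0.5:3128 at the hub site, an internal domain of .corp.example, and RFC 1918 space of 10.0.0.0/8 and 192.168.0.0/16 for the two sites. Traffic for internal destinations goes DIRECT across the stub link and static routes; everything else is sent to the proxy, with DIRECT as a fallback if the proxy is unreachable.

```javascript
// Added example PAC (proxy auto-config) file for the WPAD approach.
// Assumed values (not from the thread): Barracuda proxy 10.10.0.5:3128,
// internal domain .corp.example, site subnets 10.0.0.0/8 and 192.168.0.0/16.
// Browsers that fetch this as wpad.dat call FindProxyForURL(url, host)
// for every request and use the returned directive string.

// Stand-ins for the helper functions the browser normally injects into a
// PAC script, so this file can be run and tested under Node. Remove them
// before serving the file as wpad.dat: the browser's own isInNet also
// resolves DNS names, whereas this stand-in only matches literal IPs.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // no DNS offline
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(pattern) & m);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

const PROXY = "PROXY 10.10.0.5:3128"; // assumed Barracuda listener

function FindProxyForURL(url, host) {
  // Single-label names (e.g. "intranet") never leave the site.
  if (isPlainHostName(host)) return "DIRECT";

  // Internal DNS namespace stays on the private network.
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";

  // Private and loopback destinations ride the stub link / static routes,
  // not the web filter.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Everything else is Internet traffic: send it to the Barracuda, and
  // fall back to a direct connection if the proxy is unreachable.
  return PROXY + "; DIRECT";
}
```

Serve the file from the web server that WPAD points clients at (via the DHCP option 252 URL or the wpad.<domain> DNS name) with the application/x-ns-proxy-autoconfig MIME type. Note the trailing "; DIRECT" fallback: it keeps users online if the Barracuda is down, but it also means filtering is bypassed during an outage, so drop it if enforcement matters more than availability.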

Thanks much.  I would love to use the Meraki content filtering.  My predecessor did not purchase the license for that.  But it is on the table to budget for 2018.


As for changing the remote site's default gateway to the MX at the corporate site (where the cuda is located), won't that bypass the static routes defined on the remote site's MX?  Sorry if that seems like a stupid question.


Thanks again

Yep, I think changing the default route is considerably messier.


I would probably use WPAD first (which is also painful) until you can get the new MX licences.

Ouch...OK..Thanks for the info.  I checked the WPAD info and it might be an option for now.



@dhayes2929 - Hi, I know it was a while ago but I've just come across this post and thought I'd mention you can contact Meraki support to have your enterprise licence term essentially cut in half to upgrade it to Advanced Security if you want to upgrade without purchasing.


It just means if you purchased a 3 year enterprise licence and you're 1 year into your licence (ie, there's 2 years remaining) you can request the licence is upgraded to Advanced Security and your licence term remaining will become 1 year (ie. half of the 2 years remaining).

Hello PhilipDAth. The connection via a stub network on one of the LAN interfaces works great. Just static routes and good to go. However, there is now another concern. We are checking into this, but we are concerned that the data traversing the wireless internet provider's MPLS network is not encrypted since it is handed off via a simple Layer 2 device. And we cannot do an encrypted VPN tunnel via the MX since it requires a WAN connection. We thought about using the WAN 2 connection on each side, but I do not think that will work with NAT, etc. Do you have any thoughts on how to get the MX to encrypt data over that pipe short of dropping in another router in the mix?

Thanks again

You could check with your WISP, but they are probably already using encrypted protocols.


Yes you could connect it via the WAN ports, and build a "non-Meraki" VPN between the two MX devices.