Small Branch MX65w to HQ MX100 - Routing some traffic over the VPN ?

Comes here often


Hello all! First post here, but I've been reading as many of the posts as I can. I love the idea of the community! We are just starting to venture into the Meraki world, so I believe this will be a great source for information. I was hoping someone might be able to help me figure out if I'm able to achieve a certain scenario with the equipment I have. In HQ I have an MX100 and installed an MX65W in a satellite office. I've created a VPN between sites and all has gone well; now I'm stuck! Usually I would be connecting larger branches together and would install a Domain Controller on the remote site so the clients could be forwarded to the Windows file shares (AD) back at HQ. How is this achieved in a small office where a DC would be overkill? I realise I can direct ALL traffic over the VPN, but this does not offer local internet breakout and is overkill for just getting the clients to Windows shares in HQ. I'm looking for an easy solution with no editing on client machines (hosts files) and no accessing of shares via IP address. Just to add, the satellite office has an ISP-supplied router that distributes IP addresses; the MX65W sits behind this router and offers out an additional WiFi network (VPN concentrator). Any help to achieve this appreciated.
Community Manager

Hi @Nifty - 


Welcome and thanks for posting! Glad to hear you are enjoying the community so far. I'm afraid I don't have a technical answer for you, I just wanted to say hello and welcome you to the community. If you have any questions or feedback, please don't hesitate to reach out to me via PM.



- Caroline

Caroline S | Community Manager, Cisco Meraki
Kind of a big deal

Typically you configure the DHCP DNS servers for the remote branch to point to your AD controllers at DC/HQ. Then clients can use AD as normal: logging in, accessing shares, etc.

Comes here often

Thank you for the reply.


We have a remote branch with 3 staff; they have no internal DNS servers. Think home office with an ISP-supplied router and external DNS provided. As I mentioned, normally I would configure internal DNS (a DC) on site; however, this is a tiny operation and I'm seeking a solution within the MX appliances over the established VPN.


I'm surprised that the MX devices do not offer simple rule sets to overcome this, like: Windows file shares = send traffic over VPN; HTTP requests = send out via local internet breakout.


There must be huge requirements like this, where SOHOs need to connect to HQ for SMB file sharing but not the internet.

Kind of a big deal

OK, and what if you would run an intranet web portal at HQ? It would never be reachable.


You can of course use split tunnel; if you want some kind of private name resolving, you need something additional.


I think lots of people are using cloud file sharing/drives like Dropbox or OneDrive nowadays.

Kind of a big deal

Yes, it should be reachable.

Kind of a big deal



You may find it helpful to investigate what can be done with JumpCloud, which provides Active Directory as a Service. It is right at the top of my list as Azure makes too many assumptions about what hardware branch offices may have. There is information about using JumpCloud with Meraki.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

I'm still struggling to understand why this isn't achievable with AutoVPN between the MXs in split-tunnel mode. Proxy all DHCP to your DHCP server at HQ and DNS requests to your DNS servers. All internet traffic will break out via the local internet at the site.




Eliot F | Simplifying IT with Cloud Solutions
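The two suggestions above (point the branch's DHCP-issued DNS servers at the HQ AD controllers, and run AutoVPN in split-tunnel mode) only work if the DNS servers themselves sit inside a subnet the HQ MX exports into the VPN; otherwise the branch sends the DNS queries out the ISP link and AD names never resolve even though the tunnel is up. The following is an added illustration, not part of the thread or a Meraki tool: it models the split-tunnel egress decision and flags that misconfiguration. All subnets and addresses are constructed examples.

```python
import ipaddress

# Constructed example (not from the thread): HQ subnets the MX100 exports into
# AutoVPN, and the DNS servers the branch DHCP scope hands to clients.
HQ_VPN_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
DHCP_DNS_SERVERS = ["10.10.1.10", "10.10.1.11"]


def egress_for(dst, vpn_subnets=HQ_VPN_SUBNETS):
    """Split-tunnel decision for one destination address.

    Destinations inside an exported HQ subnet ride the AutoVPN; everything
    else (public internet, the ISP router's own LAN) uses local breakout.
    """
    ip = ipaddress.ip_address(dst)
    return "vpn" if any(ip in net for net in vpn_subnets) else "local"


def check_split_tunnel(dns_servers, vpn_subnets, flows):
    """Validate the branch config and plan egress for a set of destinations.

    Returns (findings, plan): findings lists DNS servers that would be sent
    out the ISP link instead of the tunnel; plan maps each destination to
    the link it would take.
    """
    findings = [
        f"DNS server {dns} is outside the exported VPN subnets; "
        f"AD name resolution would leave via local breakout"
        for dns in dns_servers
        if egress_for(dns, vpn_subnets) != "vpn"
    ]
    plan = {dst: egress_for(dst, vpn_subnets) for dst in flows}
    return findings, plan


if __name__ == "__main__":
    # Constructed traffic: an HQ file server (SMB), the ISP router, a public site.
    flows = ["10.10.2.20", "192.168.0.1", "93.184.216.34"]
    findings, plan = check_split_tunnel(DHCP_DNS_SERVERS, HQ_VPN_SUBNETS, flows)
    print("findings:", findings or "none")
    for dst, link in plan.items():
        print(f"{dst:>15} -> {link}")
    # Same check with a DNS server that is NOT exported over the VPN.
    bad, _ = check_split_tunnel(["192.168.50.5"], HQ_VPN_SUBNETS, [])
    print("misconfigured:", bad)
```

Running the script shows SMB traffic to the HQ file server taking the VPN while internet traffic stays local, and reports a DNS server that would not be reachable through the tunnel.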

The way we've set it up on our remote sites is that all MPLS traffic is on one VLAN and breakout on another.

If your request is resolved to an MPLS IP, it's routed there. If it resolves to a public IP, it's routed to the breakout.


Comes here often

Thank you for your reply and suggestion. We do not have the luxury of MPLS; it is not cost-effective enough for us to have a dedicated connection to such a small site, hence the reason for 2 x MXs and the set-up of a VPN.


This sounds like a positive solution to our problem. I will change some settings on the MX devices to match your suggestion and feed back the result.


Thank you.
