Source-based default route with Auto VPN
Hello,
I have an MX84 that I would like to function as an Auto VPN hub and gateway for a segregated wireless network.
I'm looking to enable a default route that forwards all traffic originating from my Auto VPN to a next hop IP on a LAN subnet. This part seems to work fine with a VPN-enabled static route.
However, I would also like my wireless VLAN to ignore this route and use the WAN interface for outbound traffic.
I had initially planned to solve this by adding a source-based default route, but Meraki does not allow me to set the next-hop IP in the WAN subnet for some reason:
The other potential solution I can think of would be to add a source-based default route for just the Auto VPN traffic, but Meraki does not allow me to add IP ranges to the source that are not on a local subnet.
Has anyone else encountered this, or have any insight for another possible solution?
Thank you.
Why do you need the route for the inbound AutoVPN traffic to be a default one, to a LAN-side destination?
I assume your MX is in routed mode and is also providing local firewall services for the site in question?
The MX is in routed mode, but we have a separate FTD firewall we would like to use for all internal-internet traffic. The LAN-side default route allows outbound traffic to be forwarded there instead.
This is in contrast to the segregated wireless traffic, which I would like to forward directly to the WAN ideally.
Just one thought: you could maybe try linking your MX to your FTD via one WAN port and to its own Internet link via the other WAN port - then use SD-WAN flow preferences to route Internet traffic from different sources via the appropriate WAN uplink. Bear in mind that should an uplink fail then traffic would fail over to using the other link.
Note that you could still have your (non-wireless) local LAN traffic hit the FTD directly, by defining it as the Default Gateway for those VLANs (this would likely avoid asymmetric routing too) - but using an SVI on the MX as the gateway for your wireless users.
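To make the two designs in this thread concrete, here is an added Python model (not Meraki code, and not anything posted by the participants) of how source-aware route selection plays out. The VLAN subnets, spoke range, uplink names and the FTD next-hop address are constructed assumptions. The `validate_route` function reproduces the two dashboard restrictions the original post hit (a next hop must sit on a local VLAN subnet, and a source range must sit inside a local VLAN subnet), and `resolve` picks an egress for a given source/destination pair using longest destination prefix first, then source specificity, which is how the "FTD on WAN1, Internet on WAN2, uplink preference keyed on the wireless VLAN" suggestion separates the two traffic classes.

```python
"""Toy model of source-aware route resolution for the MX / FTD design in this thread.

Added illustration only: the topology, address ranges and uplink names below are
constructed assumptions, not values taken from the original post or from Meraki.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: two local VLANs on the MX.
LOCAL_SUBNETS = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "wireless": ipaddress.ip_network("10.20.0.0/24"),
}


@dataclass
class Route:
    name: str
    destination: ipaddress.IPv4Network
    # Either an uplink/tunnel name ("WAN1", "WAN2", "AUTOVPN") or a next-hop IP string.
    next_hop: str
    source: Optional[ipaddress.IPv4Network] = None  # None means "any source"


def _as_ip(next_hop: str) -> Optional[ipaddress.IPv4Address]:
    """Return the next hop as an address, or None when it names an uplink/tunnel."""
    try:
        return ipaddress.ip_address(next_hop)
    except ValueError:
        return None


def validate_route(r: Route) -> List[str]:
    """Mimic the two dashboard restrictions described in the original post."""
    problems = []
    nh = _as_ip(r.next_hop)
    if nh is not None and not any(nh in s for s in LOCAL_SUBNETS.values()):
        problems.append(f"{r.name}: next hop {nh} is not on a local VLAN subnet")
    if r.source is not None and not any(
        r.source.subnet_of(s) for s in LOCAL_SUBNETS.values()
    ):
        problems.append(f"{r.name}: source {r.source} is not within a local VLAN subnet")
    return problems


def resolve(table: List[Route], src: str, dst: str) -> Optional[str]:
    """Pick an egress: longest destination prefix wins, then a source-specific route
    beats an any-source route. Returns the next hop name/IP or None if no route matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst_ip not in r.destination:
            continue
        if r.source is not None and src_ip not in r.source:
            continue
        key = (r.destination.prefixlen, r.source is not None)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1].next_hop if best else None


ANY = ipaddress.ip_network("0.0.0.0/0")
SPOKES = ipaddress.ip_network("10.100.0.0/16")  # constructed Auto VPN spoke range

# What the original post tried (constructed values): both fail validation.
OP_WIRELESS_ATTEMPT = Route("wireless-to-wan", ANY, "203.0.113.1", LOCAL_SUBNETS["wireless"])
OP_VPN_SOURCE_ATTEMPT = Route("vpn-default-via-ftd", ANY, "10.10.0.254", SPOKES)

# The suggested design: FTD behind WAN1, Internet on WAN2, wireless VLAN preferred to WAN2.
DESIGN = [
    Route("autovpn-spokes", SPOKES, "AUTOVPN"),
    Route("default-via-ftd", ANY, "WAN1"),
    Route("wireless-internet", ANY, "WAN2", LOCAL_SUBNETS["wireless"]),
]


if __name__ == "__main__":
    for r in (OP_WIRELESS_ATTEMPT, OP_VPN_SOURCE_ATTEMPT, *DESIGN):
        print(r.name, validate_route(r) or "ok")
    for src, dst in (("10.100.5.5", "8.8.8.8"), ("10.20.0.7", "8.8.8.8"),
                     ("10.20.0.7", "10.100.1.1"), ("10.10.0.9", "8.8.8.8")):
        print(f"{src} -> {dst}: {resolve(DESIGN, src, dst)}")
```

Running it shows spoke-sourced Internet traffic and the corp VLAN landing on WAN1 (the FTD), the wireless VLAN landing on WAN2, and wireless-to-spoke traffic still taking the Auto VPN tunnel because the more specific destination prefix wins before any source preference is considered. That last case is the check worth keeping in mind with any source-based default: it must not hijack traffic that has a more specific route.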
Something along these lines
