Specify internet provider for a client

SOLVED
goggel
Here to help

Specify internet provider for a client

Hi

 

I have an MX64 connected to the internet with 2 uplinks. One of them is a metered connection so I do not want client x to use the specified internet connection. But other clients can use both of them.

 

How can I configure this configuration? I know you can do it with a cellular connection but I do not find it for Internet 1 and Internet 2

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)
1 ACCEPTED SOLUTION

Hi

 

Just discovered a way of solving this issue. I used NAT exceptions for the VLAN the device was conected to. That was the only way of getting this to work.

 

If I turned of NAT on the interface that I do not want the client to connect trough the traffic stops. This is a new feature from version 15 as far as I know. I wrote a little bit more on my blog on this issue: networksandrants.wordpress.com/2019/06/09/limit-device-traffic-to-only-one-mx-uplink/

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)

View solution in original post

12 REPLIES 12
BrechtSchamp
Kind of a big deal

Assign client x a specific static IP or put him in a separate VLAN and use flow preferences to send him onto the correct connection.

2019-04-26 11_49_31-Window.png

But when WAN 1 is down the traffic will go to WAN2 if I understand correctly. I do not want the client to use WAN2

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)
kYutobi
Kind of a big deal

You can create a deny rule as well. To stop client vlan from going out Wan2

Enthusiast

Where can I create a deny rule in the firewall policy for a WAN connection. I'm not sure where I can firewall off 1 of the WAN connections.

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)
kYutobi
Kind of a big deal

Security & SD-WAN" -  "Firewall"

 

Enthusiast
jdsilva
Kind of a big deal

@kYutobi that's not going to work. The client is sending traffic to the Internet, not to the WAN IP. Your rule will never match anything, ever 😞

 

There is no way in Meraki to stop a client from failing over to "the other" WAN connection. 

kYutobi
Kind of a big deal

@jdsilva I appreciate the comment but that isn't what he had asked. Nothing to do with stopping failover. Just an FYI. He said he wanted to stop clientx from going out a WAN connection. Can that WAN IP not be blocked?

 

Hi

 

I have an MX64 connected to the internet with 2 uplinks. One of them is a metered connection so I do not want client x to use the specified internet connection. But other clients can use both of them.

 

How can I configure this configuration? I know you can do it with a cellular connection but I do not find it for Internet 1 and Internet 2

Enthusiast
jdsilva
Kind of a big deal

Yes, that's exactly what he asked. 

 

When you create Internet Flow Preferences you can specify a prefered WAN interface. However, if that interface fails then the rule will fail over to the other WAN interface, if it's available. 

 

Your logic is completely wrong. Your rule has a destination IP of the WAN interface. Client traffic will never have a destination of the WAN IP. If I'm trying to reach Google, my packets don't have a destination of my WAN interface, they have a destination of Google's IP.  This means that if you specify the WAN IP as the destination in an ACL it will never match anything. 

 

 

kYutobi
Kind of a big deal

Oh ok. Thank you for clarifying. Not ashamed to say I was wrong lol my pride isn't that big. #dontstressit

Enthusiast

Hi

Thanks for the reply, it seems like it is not possible to block access to the second WAN connection. This connection is a sattelite connection also so the amount of bandwidth varies.

 

This is so far the biggest drawback for me with Meraki :'(

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Hi

 

Just discovered a way of solving this issue. I used NAT exceptions for the VLAN the device was conected to. That was the only way of getting this to work.

 

If I turned of NAT on the interface that I do not want the client to connect trough the traffic stops. This is a new feature from version 15 as far as I know. I wrote a little bit more on my blog on this issue: networksandrants.wordpress.com/2019/06/09/limit-device-traffic-to-only-one-mx-uplink/

Networks and Rants


Found this helpful? Give me some Kudos! (click on the little up-arrow below)
BrechtSchamp
Kind of a big deal

Valid point. I don't know how to get around that with a single MX. A solution would be to deploy a separate MX and use different default gateways for each set of clients.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels