Hi
I have an MX64 connected to the internet with 2 uplinks. One of them is a metered connection so I do not want client x to use the specified internet connection. But other clients can use both of them.
How can I configure this configuration? I know you can do it with a cellular connection but I do not find it for Internet 1 and Internet 2
Assign client x a specific static IP or put him in a separate VLAN and use flow preferences to send him onto the correct connection.
But when WAN 1 is down the traffic will go to WAN2 if I understand correctly. I do not want the client to use WAN2
You can create a deny rule as well, to stop the client VLAN from going out WAN2.
Where can I create a deny rule in the firewall policy for a WAN connection? I'm not sure where I can firewall off 1 of the WAN connections.
"Security & SD-WAN" - "Firewall"
@kYutobi that's not going to work. The client is sending traffic to the Internet, not to the WAN IP. Your rule will never match anything, ever 😞
There is no way in Meraki to stop a client from failing over to "the other" WAN connection.
@jdsilva I appreciate the comment but that isn't what he had asked. Nothing to do with stopping failover. Just an FYI. He said he wanted to stop clientx from going out a WAN connection. Can that WAN IP not be blocked?
Yes, that's exactly what he asked.
When you create Internet Flow Preferences you can specify a preferred WAN interface. However, if that interface fails then the rule will fail over to the other WAN interface, if it's available.
Your logic is completely wrong. Your rule has a destination IP of the WAN interface. Client traffic will never have a destination of the WAN IP. If I'm trying to reach Google, my packets don't have a destination of my WAN interface, they have a destination of Google's IP. This means that if you specify the WAN IP as the destination in an ACL it will never match anything.
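The point made in the reply above, shown as an added example that is not part of the original thread: a generic first-match layer 3 rule evaluator (not Meraki's implementation) run over constructed flows. The client VLAN, WAN2 address and destination addresses are assumptions taken from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    hits: int = 0    # how many flows this rule decided

    def matches(self, src_ip, dst_ip):
        # An L3 rule only sees the packet's own addresses, not the egress uplink.
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation: the first matching rule decides the flow."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            rule.hits += 1
            return rule.action
    return "allow"

CLIENT_VLAN = "192.168.20.0/24"   # constructed client VLAN
WAN2_IP = "203.0.113.10/32"       # constructed address of the WAN2 interface

def build_rules():
    return [
        Rule("deny", CLIENT_VLAN, WAN2_IP),       # the proposed "block WAN2" rule
        Rule("allow", "0.0.0.0/0", "0.0.0.0/0"),  # default allow
    ]

# Constructed client flows to Internet hosts; none is addressed to the WAN2 IP.
FLOWS = [
    ("192.168.20.15", "198.51.100.7"),
    ("192.168.20.15", "192.0.2.53"),
    ("192.168.20.15", "198.51.100.200"),
]

def run(rules, flows):
    return [evaluate(rules, s, d) for s, d in flows]

if __name__ == "__main__":
    rules = build_rules()
    print(run(rules, FLOWS))
    for r in rules:
        print(r.action, r.src, "->", r.dst, "hits:", r.hits)
```

A hit counter that stays at zero on a deny rule while traffic is flowing is a practical sign that the rule's match fields do not describe the traffic it was meant to stop.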
Oh ok. Thank you for clarifying. Not ashamed to say I was wrong lol my pride isn't that big. #dontstressit
Hi
Thanks for the reply, it seems like it is not possible to block access to the second WAN connection. This connection is a satellite connection also so the amount of bandwidth varies.
This is so far the biggest drawback for me with Meraki :'(
Hi
Just discovered a way of solving this issue. I used NAT exceptions for the VLAN the device was connected to. That was the only way of getting this to work.
If I turned off NAT on the interface that I do not want the client to connect through, the traffic stops. This is a new feature from version 15 as far as I know. I wrote a little bit more on my blog on this issue: networksandrants.wordpress.com/2019/06/09/limit-device-traffic-to-only-one-mx-uplink/
Valid point. I don't know how to get around that with a single MX. A solution would be to deploy a separate MX and use different default gateways for each set of clients.