Specify internet provider for a client
Hi
I have an MX64 connected to the internet with 2 uplinks. One of them is a metered connection so I do not want client x to use the specified internet connection. But other clients can use both of them.
How can I configure this configuration? I know you can do it with a cellular connection but I do not find it for Internet 1 and Internet 2.
Hi
Just discovered a way of solving this issue. I used NAT exceptions for the VLAN the device was connected to. That was the only way of getting this to work.
If I turned off NAT on the interface that I do not want the client to connect through, the traffic stops. This is a new feature from version 15 as far as I know. I wrote a little bit more on my blog on this issue: networksandrants.wordpress.com/2019/06/09/limit-device-traffic-to-only-one-mx-uplink/
Assign client x a specific static IP or put him in a separate VLAN and use flow preferences to send him onto the correct connection.
But when WAN 1 is down the traffic will go to WAN 2, if I understand correctly. I do not want the client to use WAN 2.
You can create a deny rule as well, to stop the client VLAN from going out WAN 2.
Where can I create a deny rule in the firewall policy for a WAN connection? I'm not sure where I can firewall off one of the WAN connections.
"Security & SD-WAN" - "Firewall"
@kYutobi that's not going to work. The client is sending traffic to the Internet, not to the WAN IP. Your rule will never match anything, ever 😞
There is no way in Meraki to stop a client from failing over to "the other" WAN connection.
@jdsilva I appreciate the comment but that isn't what he had asked. Nothing to do with stopping failover. Just an FYI. He said he wanted to stop clientx from going out a WAN connection. Can that WAN IP not be blocked?
Yes, that's exactly what he asked.
When you create Internet Flow Preferences you can specify a preferred WAN interface. However, if that interface fails then the rule will fail over to the other WAN interface, if it's available.
Your logic is completely wrong. Your rule has a destination IP of the WAN interface. Client traffic will never have a destination of the WAN IP. If I'm trying to reach Google, my packets don't have a destination of my WAN interface, they have a destination of Google's IP. This means that if you specify the WAN IP as the destination in an ACL it will never match anything.
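An added illustration of the rule-matching point in the reply above (not part of the thread and not Meraki code): a small first-match rule evaluator run over constructed client traffic. The addresses, the VLAN, the default-allow behaviour and the names `evaluate` and `dead_rules` are assumptions made for the example; the rules match only on source and destination, like the rule discussed in the thread.

```python
import ipaddress
from dataclasses import dataclass

CLIENT_VLAN = "192.168.50.0/24"   # constructed client VLAN
WAN2_IP = "203.0.113.10"          # constructed WAN 2 interface address

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    uplink: str          # egress uplink picked by routing; the rules cannot see it

def _match(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, pkt):
    """Return (action, rule_index) of the first matching rule; default allow (assumed)."""
    for i, rule in enumerate(rules):
        if _match(pkt.src, rule.src) and _match(pkt.dst, rule.dst):
            return rule.action, i
    return "allow", None

def dead_rules(rules, packets):
    """Indexes of rules that no packet in the sample ever hit."""
    hit = {evaluate(rules, p)[1] for p in packets}
    return [i for i in range(len(rules)) if i not in hit]

# Constructed sample: one client reaching Internet hosts over either uplink.
TRAFFIC = [
    Packet("192.168.50.23", "198.51.100.20", "wan1"),
    Packet("192.168.50.23", "198.51.100.20", "wan2"),   # same flow after failover
    Packet("192.168.50.23", "192.0.2.80", "wan2"),
]

WAN_IP_RULE = [Rule("deny", CLIENT_VLAN, WAN2_IP + "/32")]   # destination = WAN 2 IP
DENY_ANY_RULE = [Rule("deny", CLIENT_VLAN, "any")]           # matches, but on both uplinks

if __name__ == "__main__":
    for p in TRAFFIC:
        print(p, evaluate(WAN_IP_RULE, p), evaluate(DENY_ANY_RULE, p))
    print("rules never hit:", dead_rules(WAN_IP_RULE, TRAFFIC))
```

The rule with the WAN 2 address as destination is never hit, and the only rule that does match the client's traffic blocks it on WAN 1 as well, because nothing in the match criteria refers to the egress uplink.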
Oh ok. Thank you for clarifying. Not ashamed to say I was wrong lol my pride isn't that big. #dontstressit
Hi
Thanks for the reply. It seems like it is not possible to block access to the second WAN connection. This connection is also a satellite connection, so the amount of bandwidth varies.
This is so far the biggest drawback for me with Meraki :'(
Valid point. I don't know how to get around that with a single MX. A solution would be to deploy a separate MX and use different default gateways for each set of clients.
