VPN and DNAT traffic flow

Vishal07
Here to help

Hi All,

I have configured warm spare between 2 MXs with a distinct public IP on each MX. I need to know how my site-to-site VPN, RA VPN, and DNAT traffic will flow when the primary MX or its configured ISP IP goes down. Will it automatically fail over to the secondary MX's ISP IP?

Primary MX public IP 1.1.1.2/29

Secondary MX public IP 1.1.1.3/29

MX configured uplink 1.1.1.1/29

11 Replies
Suar_Mustafa
Here to help

Just to confirm: are 1.1.1.2/29 and 1.1.1.3/29 on the same WAN segment from the same ISP, and is the 1.1.1.1/29 network shared between both MXs?

If so, you can assign a WAN Virtual IP to make Client VPN and DNAT failover seamless. If they’re on different upstream networks, a VIP won’t be possible and you’ll need to rely on DDNS/DNS changes.

Vishal07
Here to help

There's no VIP between the MX uplink IPs.

Suar_Mustafa
Here to help

If you’re running warm spare without a Virtual IP (VIP), failover will work for outbound, but inbound and VPN traffic will behave differently:

What happens now without a VIP

  • Auto VPN (Meraki2Meraki): Will automatically re-establish to the secondary’s public IP when failover happens. There’s a short outage during tunnel re-negotiation.
  • Non-Meraki VPN peers: The remote side must be able to connect to both WAN IPs (primary and secondary). If it only dials the primary IP, failover will break the tunnel until you change it.
  • Client VPN (RA VPN): The public endpoint changes to the secondary MX’s IP on failover. If users connect via the Meraki DDNS hostname, it updates automatically; if they use a fixed IP, they’ll need to switch to the secondary.
  • DNAT/Port Forwards: Inbound traffic will only work to the active MX’s public IP. If your DNS still points to the primary IP after failover, inbound will fail until you update it.

Why??? Without a VIP, the active MX’s public IP changes during failover. Anything pointing to the old IP will stop working until you re-point it.

How to fix it: if both MX uplinks are on the same ISP subnet:

  1. Go to Security & SD-WAN → Appliance Status → Uplink configuration.
  2. Enable Use virtual uplink IPs.
  3. Assign an unused public IP from the same /29 as the VIP.
  4. Update your DNS/VPN peers to point to the VIP.
    This way, Auto VPN, Client VPN, and DNAT will all use the same IP before and after failover — no DNS changes needed.

If your uplinks are on different ISP subnets and you can’t use VIP:

  • Use an FQDN for VPN and inbound services with a low TTL.
  • Configure both MX public IPs on remote VPN peers.
  • Automate DNS failover to the secondary IP when the primary is down.

Vishal07
Here to help

Thank you for the detailed information. Can I use the remaining public IPs for DNAT rules?

Public pool 1.1.1.0/29

MX1 1.1.1.2/29

MX2 1.1.1.3/29

VIP 1.1.1.4/29

Can I use the remaining 1.1.1.5 and 1.1.1.6 for DNAT?


Suar_Mustafa
Here to help

Short answer: Yes. You can use 1.1.1.5 and 1.1.1.6 for DNAT (1:1 or 1:Many) and they will fail over cleanly between the MXs as long as they’re on the same WAN segment as your VIP and your ISP/L3 upstream delivers that /29 on the wire.

What this means in practice

  • Your setup:
    • MX1: 1.1.1.2/29
    • MX2: 1.1.1.3/29
    • VIP: 1.1.1.4/29
    • Free: 1.1.1.5, 1.1.1.6 (usable)
    • Presumed: 1.1.1.1 = ISP gateway, .0 network, .7 broadcast (not usable)
  • Failover behavior: The active MX will ARP for the VIP and any DNAT public IPs you configure on that uplink. On failure, ARP ownership moves to the spare—so inbound to .5/.6 keeps working without DNS changes.

How to configure (Meraki Dashboard)

  1. Confirm both MX WAN ports are on the same L2 segment from the ISP, using the same /29.
  2. Enable VIP (which you’ve done) under Security & SD-WAN → Appliance status → Uplink → Use virtual uplink IPs.
  3. Add the extra public IPs to the uplink that will host the NAT:
    • Security & SD-WAN → Appliance status → Uplink → Additional public IPs (WAN1 or WAN2 as appropriate). Add 1.1.1.5 and 1.1.1.6.
  4. Create DNAT rules:
    • 1:1 NAT: Security & SD-WAN → Firewall → 1:1 NAT; set Public IP = 1.1.1.5 (or .6), map to the internal host.
    • 1:Many NAT / Port forwards: Add rules and select the added public IP in “Public IP”.

Key caveats (don’t skip)

  • Those extra IPs must be routed/advertised by the ISP on the same access circuit. If the ISP is doing any upstream NAT or filtering ARP, tell them you’ll be ARP-owning .5/.6 on that interface.
  • Additional public IPs are per uplink. Only add .5/.6 on the uplink whose subnet they belong to (here, WAN1 if that’s where the /29 lives).
  • Client VPN & AutoVPN can keep using the VIP (.4). DNAT can use .5/.6. Mixing is fine.
  • Don’t reuse .1 (likely ISP gateway) or .0/.7.

If all of the above checks out, you’re good: 1.1.1.5 and 1.1.1.6 are ideal for DNAT with seamless HA.
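The address checks listed above (same WAN segment for everything that must float, nothing on .0/.7, the ISP gateway never reused) are easy to get wrong when typing addresses into the dashboard. The following is an added example, not code from the thread or from Meraki: a small Python validator for the warm-spare plan described here, using the constructed 1.1.1.0/29 addresses from the discussion. `WarmSparePlan`, `validate_plan` and `free_addresses` are names chosen for this example.

```python
"""Sanity-check a warm-spare /29 address plan before entering it in the dashboard.

Added example, not code from the thread or from Meraki. The addresses are the
constructed ones used in the discussion (1.1.1.0/29). The checks encode the
caveats given above: every address on the same WAN segment, nothing on the
network or broadcast address, no address used twice (the ISP gateway included).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WarmSparePlan:
    uplink_subnet: str          # WAN subnet delivered by the ISP, e.g. "1.1.1.0/29"
    isp_gateway: str            # upstream router on that segment (presumed .1)
    mx_primary: str             # primary MX WAN IP
    mx_spare: str               # spare MX WAN IP
    vip: str                    # virtual uplink IP shared by the pair
    dnat_public_ips: list[str] = field(default_factory=list)  # additional public IPs for 1:1 / 1:Many NAT


def _roles(plan: WarmSparePlan) -> dict[str, str]:
    """Map each role in the plan to its address. The gateway comes first so that
    anything colliding with it is reported as a duplicate of the gateway."""
    roles = {
        "ISP gateway": plan.isp_gateway,
        "MX primary": plan.mx_primary,
        "MX spare": plan.mx_spare,
        "VIP": plan.vip,
    }
    for i, ip in enumerate(plan.dnat_public_ips, start=1):
        roles[f"DNAT public IP #{i}"] = ip
    return roles


def validate_plan(plan: WarmSparePlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    net = ipaddress.ip_network(plan.uplink_subnet, strict=True)
    seen: dict[ipaddress.IPv4Address, str] = {}
    for role, raw in _roles(plan).items():
        ip = ipaddress.ip_address(raw)
        # Failover works by the spare taking over ARP for the VIP and DNAT IPs,
        # so every address has to sit on the one WAN segment.
        if ip not in net:
            problems.append(f"{role} {ip} is outside {net}; it cannot float between the MXs")
            continue
        # .0 and .7 of a /29 are the network and broadcast addresses.
        if ip == net.network_address:
            problems.append(f"{role} {ip} is the network address of {net}")
        elif ip == net.broadcast_address:
            problems.append(f"{role} {ip} is the broadcast address of {net}")
        # Every address, the ISP gateway included, may belong to exactly one role.
        if ip in seen:
            problems.append(f"{role} {ip} duplicates {seen[ip]}")
        else:
            seen[ip] = role
    return problems


def free_addresses(plan: WarmSparePlan) -> list[str]:
    """Usable host addresses in the uplink subnet not yet assigned to any role,
    i.e. what is left over for additional DNAT public IPs."""
    net = ipaddress.ip_network(plan.uplink_subnet, strict=True)
    used = {ipaddress.ip_address(raw) for raw in _roles(plan).values()}
    return [str(ip) for ip in net.hosts() if ip not in used]


if __name__ == "__main__":
    plan = WarmSparePlan(
        uplink_subnet="1.1.1.0/29",
        isp_gateway="1.1.1.1",
        mx_primary="1.1.1.2",
        mx_spare="1.1.1.3",
        vip="1.1.1.4",
    )
    print("free for DNAT:", free_addresses(plan))   # ['1.1.1.5', '1.1.1.6']
    plan.dnat_public_ips = ["1.1.1.5", "1.1.1.6"]
    print("problems:", validate_plan(plan) or "none")
    # A plan that breaks the caveats: the broadcast address and the gateway reused.
    bad = WarmSparePlan("1.1.1.0/29", "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4",
                        ["1.1.1.7", "1.1.1.1"])
    for p in validate_plan(bad):
        print("problem:", p)
```

Run it once with the plan you intend to enter; `free_addresses` tells you which addresses are still available for 1:1 or 1:Many NAT, and `validate_plan` must come back empty before the VIP and additional public IPs go into the uplink configuration.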

Vishal07
Here to help

Once again, thank you very much for the detailed explanation. As per your post, below is my understanding. Please correct me if I'm wrong somewhere.

Setup as below

ISP gateway 1.1.1.1/29

MX1 - 1.1.1.2/29

MX2 - 1.1.1.3/29

VIP - 1.1.1.4/29

DNAT will use 1.1.1.5 and 1.1.1.6. Here we don't need to make any changes to the warm spare configuration with respect to uplink/VIP; whatever changes are required will be for the 1:1 NAT or 1:Many configuration.

Suar_Mustafa
Here to help

Your understanding is correct.

If both MX WAN ports are on the same L2 from the ISP and the /29 is delivered on the wire, assigning VIP (.4) plus additional public IPs (.5, .6) works: VIP handles AutoVPN and Client VPN without interruption, while DNAT rules against .5/.6 float seamlessly during warm-spare failover.

Just add the additional IPs under Security & SD-WAN > Configure > Firewall, set up your DNAT rules, and point all VPN traffic at the VIP.

Refer to the Meraki Documentation: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/


alemabrahao
Kind of a big deal

The VPN responds to the Virtual IP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Vishal07
Here to help

There's no VIP between the MX uplink IPs.

alemabrahao
Kind of a big deal

So the IP used is from the primary; if it becomes inactive, the IP used is from the secondary when it takes over. In any case, you can use the FQDN to connect and not worry about the IP.

PhilipDAth
Kind of a big deal

Are you using a VIP or not - it changes the answer a lot.