WAN Ports - non-public IP Addresses?

ZDonaldson
Getting noticed


We have 2 MX units in warm spare configuration. For our backup internet connection, I'm trying to utilize a new 5G internet device from T-Mobile. They will only assign 1 static IP per device. I was hoping the WAN interfaces would be able to accept DHCP addresses and the static could be assigned to the virtual interface.

I am testing now. I verified that the DHCP addresses assigned to the WAN ports on each device are in private IP ranges: 192.168.1.X, and the status says "failed".

Has anyone been able to make this sort of setup work, or does this ONLY work with 3 static public IP addresses?

Zane D - IT Manager in Sin City NV
alemabrahao
Kind of a big deal

You can use WAN ports with a DHCP private IP address, but I'm not sure if you can set the virtual interface with a private IP address using DHCP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Correct, the virtual IP will need to be a static IP address, which I am able to obtain.

I don't have that static IP assigned yet, so I'm just testing out the individual WAN ports to ensure they are getting addresses, and they do. But the status says failed, which tells me they can't get out to the dashboard. I was kind of assuming this would work even without that virtual IP configured.

Zane D - IT Manager in Sin City NV
cmr
Kind of a big deal

If you have configured it to use the interface IP instead of the virtual IP then it should work.  If it is not working then one of the tests that the device makes to see if it can connect to the cloud has failed.  Go to the local status page and it should tell you what the issue is.

Ryan_Miles
Meraki Employee

Just to confirm, MX with private IPs works fine as long as they can NAT out and reach dashboard. This includes MX HA pairs using a VIP. I do this in my own lab with several MX hubs and spokes all on private/inside IPs. They can all NAT to my Comcast IP on my edge MX and therefore can reach dashboard.

In fact it's very similar to your setup in that all my spoke WAN2s connect to an L2 VLAN leading to my cell gateway (Meraki MG) and out via Verizon. So, both my WAN 1 and 2 interfaces on my spokes are using RFC1918 private IPs and NAT out to either Comcast or Verizon.

I was able to use the ping test tool and specify the interface, and traffic out is working great.

The status still says failed, but that may be due to the fact that I don't have the static IP assigned from the ISP yet, so the virtual IP is temporarily an address on a different subnet.

Zane D - IT Manager in Sin City NV
ZDonaldson
Getting noticed

One kinda strange thing I noticed: the IP addresses assigned to the interfaces on both appliances are in the 192.168.1.X range. This is via DHCP from the 5G device. I've changed the virtual IP to be on the same range.

But when I look at the appliance status page, I see a status of failed and the interface is displaying this IP address: 172.58.75.152

It's not stopping outbound traffic from working, but I'm not sure where that address is coming from.

Zane D - IT Manager in Sin City NV

If you're using a VIP for MX HA, the IP needs to be in the same subnet as the interface IPs.

Example

WAN 1 192.168.1.2
WAN 2 192.168.1.3
VIP  192.168.1.1

And, dashboard will show the NAT'ed public IP it sees your device coming from, hence the 172.58.75.152 IP. Often cell carriers do CGNAT and you'll see two different public IPs listed on the MX page.
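
An added example, not part of the thread and not Meraki code: a small Python check of the same-subnet rule for the VIP, plus a classifier showing why 172.58.75.152 is a public address even though it resembles the private 172.16.0.0/12 range. The /24 prefix and the 203.0.113.10 address are assumptions made for illustration; the function names are hypothetical.

```python
import ipaddress

# Private ranges (RFC 1918) and the carrier-grade NAT shared range (RFC 6598).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(ip):
    """Label an IPv4 address: rfc1918, cgnat-shared, public or other-reserved."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT_SHARED:
        return "cgnat-shared"
    return "public" if addr.is_global else "other-reserved"


def check_vip(vip, uplinks, prefix):
    """Return a list of problems with an HA virtual IP; empty means consistent."""
    nets = {ipaddress.ip_interface(f"{u}/{prefix}").network for u in uplinks}
    if len(nets) != 1:
        return ["uplink IPs are not all in one subnet"]
    net = nets.pop()
    vip_addr = ipaddress.ip_address(vip)
    problems = []
    if vip_addr not in net:
        problems.append(f"VIP {vip} is outside uplink subnet {net}")
    elif vip_addr in (net.network_address, net.broadcast_address):
        problems.append(f"VIP {vip} is not a usable host address in {net}")
    if vip_addr in {ipaddress.ip_address(u) for u in uplinks}:
        problems.append(f"VIP {vip} duplicates an uplink IP")
    return problems


if __name__ == "__main__":
    uplinks = ["192.168.1.2", "192.168.1.3"]  # addresses from the post's example
    prefix = 24                                # assumption: mask is not given in the thread
    print(check_vip("192.168.1.1", uplinks, prefix))
    print(check_vip("203.0.113.10", uplinks, prefix))  # constructed out-of-subnet VIP
    print(classify("172.58.75.152"))  # the address the dashboard displayed
```
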

Crap, this raises a problem. The static IP they are going to assign will probably be a public IP, which means it won't be in the same subnet as the WAN interfaces...

Zane D - IT Manager in Sin City NV

Typically the public IP is assigned to the 5G device, and those devices typically have 1, 2 or more "LAN" ports. Those 5G device LAN ports would be plugged directly into your Meraki MX or via an L2 switch (5G LAN port connected to a switch port, MX WAN ports connected to the switch), with all of those switch ports being in the same VLAN and having private IPs in the same address space/VLAN. Your MX WAN configuration should have the private IP of the 5G device as their gateway.

So, assuming your 5G device configuration is as above, it should be fine.
