Need feedback on this proposed config:
I am going to be retiring a set of Meraki MX/MS systems and the servers behind them that were configured as public pass-through for hosting websites. The Meraki, the switches and all servers behind them were configured with public IP addresses, but only certain ports were passed through the firewall. The system was also set up for client VPN to handle managing it. Not all servers had ports pushed through, as they weren't all web servers.
All that was configured by myself and I know it well. In order to fulfil data retention requirements for some period of time, I intend to move this entire set of servers and network equipment into a local setup, with all the settings remaining the same. I do not intend to make those addresses available from outside the local private network. What I would like to do is this:
* Set up a VLAN on my local network with the existing public IP address range (say it's 198.201.233.x/24, gateway 198.201.233.1; it's not, but for the sake of the example)
* Set one port to default to that VLAN on either a meraki switch or on my mx.
* Connect the existing Meraki MX, configured as before, with the Internet port configured for 198.201.233.2 and the .1 gateway. Connect the switch to the Meraki MX, connect all the other devices to the same ports they were connected to on the Meraki switch, and power them up with their 198.201.233.x addresses intact.
* There will be one public facing MX router with a connection to the internet.
* The existing router will go behind the public facing one, and will not need ports punched through to it from the internet - it only needs to be internally accessible on the ports it's currently externally accessible from. Internal devices will be on other private subnets behind the first firewall, but not the second.
Questions for the peanut gallery:
* I assume I should remove any Meraki site-to-site VPN connections to the second MX, as that won't resolve since it doesn't have a unique public IP (other than the same public IP as the main router).
* I assume that since I have a Meraki behind a Meraki, I cannot client VPN into the relocated MX that is behind the first MX directly? They would both have the same public IP address, and punching ports through from the public-facing MX to the private one would prevent public-facing client VPN.
* I would need a locally connected device in the 198.201.233.x range behind the second firewall to manage the devices in that network, and then a secure non-client-VPN way to access that device?
* Do I need to do anything special on the public-facing Meraki to reroute internal traffic intended for 198.201.233.x to the internal network rather than the external address? I don't expect to be using that public IP range in the future (at least until my data retention contract runs out). I am fine with rerouting it to the internal net indefinitely, and understand the ramifications of that.
I know this is a weird ask, but assume it's doable with some limitations (like no direct client VPN).
OK after much mucking around I got this all working. Some notes:
Thanks for the help and pointers. I basically relocated my entire web infrastructure off shared hosting and into an archival state in under a day. Pretty good really. Gotta love Meraki.
1) AutoVPN can work on the MX behind the other MX; if IPsec, then you can allow it through.
2) You can redirect the client VPN through the initial MX to the internal one; one way would be to have it appear as a different IP in the external range.
3) There are a lot of options here depending on what you do in 1) and 2).
4) If you want to use the non-interface IPs behind the first MX, then you need port redirection to the internal devices.
So if I punch the IPsec ports through to the secondary MX, won't that interfere with VPN to the primary MX? Just trying to think this through ahead of time. My thought was:
* I have workstations that are between the two (behind the primary MX, but in front of the secondary). I can potentially client VPN to the secondary MX from those workstations to manage the devices behind the secondary MX, essentially as I do now to manage them over the AutoVPN. I'd just need to use client VPN instead of the current MX-to-MX AutoVPN, since it's behind the first MX now. I can currently client VPN to my devices that are out there on the public internet using client VPN.
* I don't really need to remote into the stuff behind the secondary MX from the internet; in fact it would be preferable to NOT do that.
* I do know that I could punch remote desktop ports through to the secondary servers and limit them to the IP addresses of the primary network if necessary. Less secure though.
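The two mechanics the numbered reply and the follow-up question above turn on are (a) the public-facing MX sending traffic for the old 198.201.233.0/24 range to the internal VLAN instead of its WAN (a static route wins by longest-prefix match over the default route), and (b) whether a port-forward of IKE/NAT-T (UDP 500/4500) to the relocated MX collides with the edge's own client VPN listener on the same WAN IP, which is why the reply suggests presenting the relocated MX on a different address in the external range. The following is an added example, not code from the thread or from Meraki: a small model of the edge router that checks both points. The addresses (203.0.113.10/.11 for the edge, the 198.201.233.0/24 range from the post, VLAN names `vlan233`/`vlan10`) and the rule tables are constructed for illustration.

```python
"""
Model of the two-MX layout from the thread: a public-facing edge router, an
internal VLAN carrying the old public range, and a relocated MX behind it.
Added example; it is not Meraki's configuration format. It checks:
  1. which egress the edge picks for the old public range (longest-prefix match), and
  2. whether an IPsec port-forward to the relocated MX steals UDP 500/4500 from
     the edge's own client VPN endpoint on the same WAN IP.
All addresses, VLAN names and rule tables below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard IKE (UDP 500) and NAT-T (UDP 4500) ports used by IPsec client VPN.
IPSEC_PORTS = (("udp", 500), ("udp", 4500))


@dataclass(frozen=True)
class Forward:
    wan_ip: str    # external address the rule matches on
    proto: str
    port: int
    dest: str      # internal host that receives the traffic
    label: str


@dataclass
class EdgeRouter:
    wan_ip: str                              # primary WAN address; local services listen here
    extra_wan_ips: Tuple[str, ...]           # further addresses the edge owns in the external range
    routes: Dict[str, str]                   # prefix -> egress name
    forwards: List[Forward]
    local_services: Dict[Tuple[str, int], str]   # (proto, port) -> service on the primary WAN IP


def next_hop(router: EdgeRouter, dst: str) -> Optional[str]:
    """Longest-prefix match over the router's static routes."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in router.routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def forward_conflicts(router: EdgeRouter) -> List[str]:
    """Report forwards that take a port the edge itself listens on, use an
    address the edge does not own, or send one (wan_ip, proto, port) to two hosts."""
    problems: List[str] = []
    claimed: Dict[Tuple[str, str, int], str] = {}
    for f in router.forwards:
        key = (f.wan_ip, f.proto, f.port)
        if f.wan_ip == router.wan_ip and (f.proto, f.port) in router.local_services:
            svc = router.local_services[(f.proto, f.port)]
            problems.append(f"{f.label}: {f.proto}/{f.port} on {f.wan_ip} is used by edge service '{svc}'")
        if f.wan_ip not in (router.wan_ip, *router.extra_wan_ips):
            problems.append(f"{f.label}: {f.wan_ip} is not an address the edge owns")
        if key in claimed and claimed[key] != f.dest:
            problems.append(f"{f.label}: {f.proto}/{f.port} on {f.wan_ip} already forwarded to {claimed[key]}")
        claimed.setdefault(key, f.dest)
    return problems


def build_edge(ipsec_on_primary_ip: bool) -> EdgeRouter:
    """Constructed edge config. With ipsec_on_primary_ip=True the IPsec forward
    to the relocated MX sits on the edge's own WAN IP (the collision the poster
    worried about); with False it sits on a second external address instead."""
    relocated_mx = "198.201.233.2"   # WAN side of the relocated MX, now on the internal VLAN
    fwd_ip = "203.0.113.10" if ipsec_on_primary_ip else "203.0.113.11"
    forwards = [Forward(fwd_ip, proto, port, relocated_mx, "ipsec-to-relocated-mx")
                for proto, port in IPSEC_PORTS]
    return EdgeRouter(
        wan_ip="203.0.113.10",
        extra_wan_ips=("203.0.113.11",),
        routes={"0.0.0.0/0": "wan",              # default route out the Internet
                "198.201.233.0/24": "vlan233",   # old public range now lives on an internal VLAN
                "10.0.0.0/8": "vlan10"},         # ordinary internal subnets
        forwards=forwards,
        local_services={("udp", 500): "client-vpn", ("udp", 4500): "client-vpn"},
    )


if __name__ == "__main__":
    for flag in (True, False):
        edge = build_edge(flag)
        print(f"IPsec forward on primary WAN IP = {flag}")
        print("  198.201.233.50 ->", next_hop(edge, "198.201.233.50"))
        print("  8.8.8.8        ->", next_hop(edge, "8.8.8.8"))
        for p in forward_conflicts(edge) or ["  no forward conflicts"]:
            print(" ", p)
```

With the forward on the edge's own WAN IP the checker reports both UDP 500 and UDP 4500 as taken from the edge's client VPN; moving the forward to the second external address clears it, which is the shape of the workaround in point 2 of the reply. The route check shows that any internal host sending to 198.201.233.x is steered to the VLAN rather than out the default route, without touching the addressing on the relocated equipment.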
Having two routers in series (the public-facing MX and the internal MX) might introduce double NAT issues, potentially affecting network performance and some applications.
Well aware. In this case the moved servers are there only for backup and archive purposes and won't be accessible from the internet at all, nor do they really need to access the internet (though they can), since once the retention period expires I'll be purging them.