A few things occur to me on this:

Unusual for an application simply not to work over VPN (?)

You mention a private network, but the diagram shows only the Internet?

If you connect the MXs to the private network via a WAN port, you will need to ensure there is Internet breakout available to the MXs via that path, in order for the WAN links to come up.

Under the scenario referenced previously, however, note that VPN mode = disabled VLANs do have their source addresses NATed outbound over the MX WAN port, which I think you want to avoid.

If you connect via a WAN port, you could have no-NAT enabled by Meraki Support (this is what you referenced in regard to forum posts, in your query) - you can have this enabled per VLAN, so as not to affect other traffic. If you set up the relevant clients / hosts at each end to be in such VLANs, this might work for you - but be aware that no-NAT is a beta capability. Have a careful read of this: https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Appliances

You could interconnect the two MXs using LAN ports instead, via transit VLANs and some static routing - such traffic is not NATed. You'll need to consider that that path would then need to be OK for all traffic between those subnets.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs#Static_routes

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior