OK, everything I said won't work 🙂 This requires a little more thought. I assume you are using the static (while next hop responds to ping) for the MetroNet (but not having it on any VPNs); are you also advertising the Hub LAN subnets over VPNs on the backup link? I have had issues before thinking traditionally with Meraki gear, like having a high-cost static if dynamic routing fails; it works just the opposite. Without "cost" on static routing this becomes difficult. Do you have dynamic routing behind the MX? I don't think you can achieve all you want to; you can have the internal networks work the way you wish (go to hub, then fail to VPN), but if the next hop is up but the path is down, the VPN will never kick in (blackhole). The other issue is ALL traffic: you can't really advertise the default routing in multiple scenarios, over the static route, then over the VPN, efficiently; you still have a blackhole possibility. Is VPN'ing over the Metro network an option? Both ports in WAN 1 and 2 give you the most options.