I think this is the problem, in the real world, you have a valid external IP address which is advertised via DNS, this IP is either the MX WAN IP or another IP routed to the MX on the WAN interface. However, when I'm using my mobile on the WiFi connected via VLAN to the LAN interface of the MX, my mobile finds the external IP in DNS but can't connect (just times out).   It seems there are two solutions to this problem 1) (Untested) Have a subnet of IP's routed to your MX WAN IP (minimum of /30), allocate one IP to your MX on a VLAN, allocate another IP in the range to your device. This would avoid using NAT, and therefore should work. I assume you need to allow the traffic on the WAN via your firewall. This wastes two globally valid IP's, and also means you can't use a single IP for different services on different internal machines.   2) (Tested) Use a Internal DNS server that can "see" the request is coming from an internal device, and therefore return the internal IP. When the request is coming from "external" then return the external IP and allow the MX to NAT as normal.   It would be great if we could simply use both NAT for incoming and normal DNS to allow the internal client to connect to the external MX WAN IP and the MX would be smart enough to still NAT that back inside.   eg, MX external IP is 1.1.1.1, we have configured 1:Many NAT so that port 80 is directed to 192.168.0.10:80 DNS says www.meraki.com points to 1.1.1.1 Some random internet user tries to browse to www.meraki.com hits the MX and is NATted to 192.168.0.10:80, which replies and works well. (this currently works) Some internal user on 192.168.0.22 tries to browse to www.meraki.com, connects to 1.1.1.1:80, hits the MX, and the MX redirects (wit NAT) to 192.168.0.10:80, which replies and would work well (currently down't work).   I hope I've explained this well enough, if there is a solution to this problem, then I'd love to hear about it. It would save me having to use my desktop hosts file to fudge it. ... View more