Meraki MX400 NAT Question

dafyre

Hey All,

I am posting this for a friend... Basically, he has a network with 4 vlans....
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 30: 192.168.30.0/24
VLAN 40: 192.168.40.0/24

In the past at his employer, the networks were set up so that traffic leaving the network would have a different public IP address, depending on what VLAN it came from. They recently switched to Meraki and are now seeing a need to set this back up again.

Traffic from vlan 10 (192.168.10.0/24) would go through the firewall and wind up on public address 90.38.27.5.

VLAN 20 would get 90.38.27.6
VLAN 30 would get 90.38.27.7
and VLAN 40 would get 90.38.27.8

Is there a way to set this up on the Meraki? I have never seen a "business class" firewall unable to do this.

*these IP addresses are totally made up and not real IP addresses.

@Markferron

JaredBusch

Sorry no experience with it because I opted out of paying for their premiums. If I had access to one I could probably find it but no clue.

rustcohle

@dafyre You should be prepared for plenty of things their that even their $40,000 firewall can't do, unfortunately.

I can tell you that as of 12 months ago on an MX80 its not possible. I have customers that insist we use them but I refuse to sell them.

Meraki started as RoofNet, then they screwed all us original supporters over and started making network hardware. I got on board early on, then the price jacking started along with the hiring of annoying Stanford grad sales reps working their starter job.

If you crave all the network visibility of Meraki just deploy Ubiquiti Unifi on EC2 and enjoy saving 75% off all your hardware purchases. You get great visibility and control and Meraki doesn't own your customer -- you do. The cloud and network monitoring dashboard has AT LEAST feature parity.

scottalanmiller

@dafyre said in Meraki MX400 NAT Question:

Is there a way to set this up on the Meraki? I have never seen a "business class" firewall unable to do this.

Well, due to market position, Meraki isn't really "business class". Business class has to be a moving target as defined by the market. And Ubiquiti, due to their pricing, kind of define the entry point of business class. Anything that falls below what a $65 home router can do, is a hobby product at best. And Meraki falls way below that point. Meraki, regardless of who owns it or how expensive it is, literally falls below the "home line" for a large percentage of people here.

Mike Davis

I have a client with a MX64 and it looks to me like under Security appliance -> Appliance Status -> Uplink you would configure your WAN interface for the public IPs.

Then under Security appliance -> Addressing & VLANs Add a static route to take all the traffic for each VLAN and tell it which one of the public IPs to use going out.

dafyre

@Mike-Davis said in Meraki MX400 NAT Question:

I have a client with a MX64 and it looks to me like under Security appliance -> Appliance Status -> Uplink you would configure your WAN interface for the public IPs.

Then under Security appliance -> Addressing & VLANs Add a static route to take all the traffic for each VLAN and tell it which one of the public IPs to use going out.

Hey Mike,

Thanks for the heads up. I'll have to see if we can work that out!

Markferron

@Mike-Davis Thanks Mike! I talked to Meraki support yesterday and that's exactly what the tech told me. I was just surprised that it was the basically the only solution.

rustcohle

I had the same issue, same solution before Cisco owner meraki.

Cisco also has a habit of flat dropping features and whole products after acquisition. I had an engineering firm who was floored when they dropped wan caching the other year. They bacially said "it doesn't work very well so we quick". Same thing with rebadging of qnap devices. Same thing with Linksys. Same thing with Cisco webmail, which I actually loved. I could go on...

JaredBusch

@Markferron said in Meraki MX400 NAT Question:

@Mike-Davis Thanks Mike! I talked to Meraki support yesterday and that's exactly what the tech told me. I was just surprised that it was the basically the only solution.

Behind the scenes, those settings are just creating Source NAT (SNAT) and Destination NAT (DNAT) rules for each subnet.

That is simply how NAT works. I can show you how to do the same thing on an EdgeRouter.

You always assign the ISP IP block to your WAN and then use SNAT/DNAT to tell things where to go internally.

dafyre

@JaredBusch said in Meraki MX400 NAT Question:

@Markferron said in Meraki MX400 NAT Question:

@Mike-Davis Thanks Mike! I talked to Meraki support yesterday and that's exactly what the tech told me. I was just surprised that it was the basically the only solution.

Behind the scenes, those settings are just creating Source NAT (SNAT) and Destination NAT (DNAT) rules for each subnet.

That is simply how NAT works. I can show you how to do the same thing on an EdgeRouter.

You always assign the ISP IP block to your WAN and then use SNAT/DNAT to tell things where to go internally.

Sadly, they're stuck with the Meraki for the time being.

scottalanmiller

@dafyre said in Meraki MX400 NAT Question:

Sadly, they're stuck with the Meraki for the time being.

What makes them stuck?

coliver

@dafyre said in Meraki MX400 NAT Question:

@JaredBusch said in Meraki MX400 NAT Question:

@Markferron said in Meraki MX400 NAT Question:

@Mike-Davis Thanks Mike! I talked to Meraki support yesterday and that's exactly what the tech told me. I was just surprised that it was the basically the only solution.

Behind the scenes, those settings are just creating Source NAT (SNAT) and Destination NAT (DNAT) rules for each subnet.

That is simply how NAT works. I can show you how to do the same thing on an EdgeRouter.

You always assign the ISP IP block to your WAN and then use SNAT/DNAT to tell things where to go internally.

Sadly, they're stuck with the Meraki for the time being.

Man, for the price of a license refresh you could get an even more powerful router from another vendor.

scottalanmiller

@coliver said in Meraki MX400 NAT Question:

@dafyre said in Meraki MX400 NAT Question:

@JaredBusch said in Meraki MX400 NAT Question:

@Markferron said in Meraki MX400 NAT Question:

@Mike-Davis Thanks Mike! I talked to Meraki support yesterday and that's exactly what the tech told me. I was just surprised that it was the basically the only solution.

Behind the scenes, those settings are just creating Source NAT (SNAT) and Destination NAT (DNAT) rules for each subnet.

That is simply how NAT works. I can show you how to do the same thing on an EdgeRouter.

You always assign the ISP IP block to your WAN and then use SNAT/DNAT to tell things where to go internally.

Sadly, they're stuck with the Meraki for the time being.

Man, for the price of a license refresh you could get an even more powerful router from another vendor.

A better one

dafyre

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

coliver

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Even if you're saving them money?

Dashrender

@coliver said in Meraki MX400 NAT Question:

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Even if you're saving them money?

Can't save something that's already spent.

dafyre

@coliver said in Meraki MX400 NAT Question:

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Even if you're saving them money?

Yepp. AFAIK, the license and maintenance were all rolled together. But this was after I left, so I dunno.

coliver

@Dashrender said in Meraki MX400 NAT Question:

@coliver said in Meraki MX400 NAT Question:

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Even if you're saving them money?

Can't save something that's already spent.

But you can save against future costs. For instance a 3-year renewal.

Dashrender

@coliver said in Meraki MX400 NAT Question:

@Dashrender said in Meraki MX400 NAT Question:

@coliver said in Meraki MX400 NAT Question:

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Even if you're saving them money?

Can't save something that's already spent.

But you can save against future costs. For instance a 3-year renewal.

Sure, but that's years from now...

scottalanmiller

@dafyre said in Meraki MX400 NAT Question:

Gotta convince the bean counters, and they'll be unhappy for the next 2 to 3 years, lol.

Why? If you are saving them money, what would make them unhappy?