3WAN’s into Balance 580x + Meraki Firewall

Hi All,

I am looking for some design suggestions for our new setup.

Current: ISP A-WAN 1 and ISP-WAN 2
Firewall: x2 Meraki MX250 firewalls in HA (currently performing NAT)

New Setup:
ISP A-WAN1, ISP2 B-WAN2, ISP3 C-WAN3
We have x2 Peplink Balance 580s purchased to accommodate the new setup in HA. Ideally I would like to have WAN 2 and 3 load balanced. WAN1 reserved for a specific VLAN; however, in the event WAN1 is offline, that VLAN fails over to WAN2.

Any ideas on how I can set up the Balance to accommodate the new design?

Set an outbound policy for any / any load balanced across WAN2+3.

Above that create a priority based policy with WAN1 first then WAN2 as destination, source set as the VLAN / subnet.

Hi Martin,

Thank you very much. Could you provide me further clarity on the below if that’s OK. Do you mean create policy 1 for WAN1 outbound with the source VLAN and then another for the same VLAN but WAN2? Just want to understand what this will look like since I’m planning to test it this coming weekend.

Also, for WAN2 and WAN3 I presume I need to create a NAT rule on the Peplink to the Meraki? The Merakis are already performing NAT.

“Above that create a priority based policy with WAN1 first then WAN2 as destination, source set as the VLAN / subnet.”

Are you replacing the Meraki MX250 with the Peplink 580X entirely or are the 580s going in front of the MX250?

If the latter is the case, you would need to build a couple of VLANs on the 580X to provide the MX250 with 2 WANs. This is because you cannot disable NAT on the Meraki, so the 580X would only ever see a single source IP (that of the WAN interfaces on the MX250) and will never see the source IP of the clients behind the MX.

Once you’d done that, you would need 2 outbound rules: one to match traffic sent from MX250 WAN-1 and one to match traffic from MX250 WAN-2.

For example:

2x VLANs added to 580X to use as link nets to the MX250 WANs:

(assume you use another network for the 580X HA setup and you are not doing stateful failover on the MX250 but you can expand this accordingly)

192.168.10.0/24 = Link from 580X to MX250 WAN-1
192.168.10.1 = 580X IP
192.168.10.2 = Primary MX250 WAN-1
192.168.10.3 = Backup MX250 WAN-1

192.168.20.0/24 = Link from 580X to MX250 WAN-2
192.168.20.1 = 580X IP
192.168.20.2 = Primary MX250 WAN-2
192.168.20.3 = Backup MX250 WAN-2

I would then make two grouped networks on the 580X to match the MX250 WAN source IPs, though this is optional and you could just match the entire subnet for each link net.

MX250-WAN-1 = 192.168.10.2/32 + 192.168.10.3/32

MX250-WAN-2 = 192.168.20.2/32 + 192.168.20.3/32

Outbound policy would then look something like this:

Load balance traffic sourced from MX250-WAN-1 across 580X WAN2 + WAN3

Traffic sourced from MX250-WAN-2 sent via 580X WAN1 failover to WAN2.

On your MX250 you would then need to use the SD-WAN / traffic shaping config to steer the traffic so that it would leave the MX250 on the appropriate WAN:

In that example 10.20.30.0/24 would be sent via MX250 WAN-2 and then be processed by the 580X OBP and sent to 580X WAN1 with failover to 580X WAN2. All other traffic from the MX250 would be sent via WAN1 and be load balanced across 580X WAN2 and 580X WAN3.

Failover might need some testing, with various failure cases of the different ISP links, to check the behaviour, as you cannot tell the MX to simply drop traffic. If, say, both ISP2 and ISP3 fail at the same time, the MX250 will route its traffic via WAN2, which would result in the 580X then sending that traffic to ISP1.

Not sure what you mean by that. The 580X would NAT traffic to its WAN IP by default. If you needed to forward ports back to the MX for anything coming from the WAN side of the 580X that needs to be forwarded to, say, a server behind the MX250, then yes, you’d need to define some inbound NAT rules pointing to the WAN IPs of the MX250s.
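A small model, added here and not taken from the thread, Peplink or Meraki, of how the outbound policy rules described above are evaluated top down on the 580X, so the rule order and the ISP failure cases can be reasoned about before the weekend test. The catch-all default rule, the destination-hash balancing and the assumption that a matched rule whose WANs are all down does not fall through to later rules are mine, not documented Peplink behaviour.

```python
"""Added example (not from the thread, Peplink or Meraki): a small model of the
580X outbound policy described above, evaluated top down, so the rule order and
ISP failure cases can be reasoned about before the weekend test."""
import ipaddress
import zlib

def group(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Grouped networks from the thread: the MX250 WAN source IPs on each link net.
MX250_WAN1 = group("192.168.10.2/32", "192.168.10.3/32")
MX250_WAN2 = group("192.168.20.2/32", "192.168.20.3/32")

# Outbound policy, top down: (rule name, source group or None, algorithm, WANs).
# "priority": first healthy WAN in listed order. "balance": spread over healthy WANs.
POLICY = [
    ("MX250-WAN-2 via WAN1, failover WAN2", MX250_WAN2, "priority", ["WAN1", "WAN2"]),
    ("MX250-WAN-1 balanced WAN2+WAN3", MX250_WAN1, "balance", ["WAN2", "WAN3"]),
    ("catch-all (assumed default rule)", None, "priority", ["WAN1", "WAN2", "WAN3"]),
]

def select_wan(src_ip, dst_ip, wan_up):
    """Return (matched rule, chosen WAN or None) for one flow.

    wan_up maps WAN name -> bool health. Assumption: a matched rule whose WANs
    are all down does not fall through to later rules; the flow is unplaceable.
    """
    src = ipaddress.ip_address(src_ip)
    for name, srcs, algo, wans in POLICY:
        if srcs is not None and not any(src in net for net in srcs):
            continue  # source does not match; keep evaluating downwards
        healthy = [w for w in wans if wan_up.get(w, False)]
        if not healthy:
            return name, None
        if algo == "priority":
            return name, healthy[0]
        # As noted in the thread, behind the MX250's NAT the 580X sees one source IP,
        # so spreading flows has to lean on the destination; hash src+dst to pick a WAN.
        flow = zlib.crc32(f"{src}->{dst_ip}".encode())
        return name, healthy[flow % len(healthy)]
    return "no match", None

if __name__ == "__main__":
    all_up = {"WAN1": True, "WAN2": True, "WAN3": True}
    print(select_wan("192.168.20.2", "203.0.113.10", all_up))  # VLAN traffic -> WAN1
    print(select_wan("192.168.20.2", "203.0.113.10", {**all_up, "WAN1": False}))  # -> WAN2
    # ISP2 and ISP3 both down: the MX250 WAN-1 rule has nowhere to send the flow.
    print(select_wan("192.168.10.2", "203.0.113.10", {**all_up, "WAN2": False, "WAN3": False}))
```

The last call is the double-failure case the reply above says needs testing: the rule that matches MX250 WAN-1 traffic has no healthy WAN left, so what actually happens depends on the 580X's own fall-through behaviour and on how the MX250 steers traffic when its uplinks still look up.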

Thank you Will, this is very helpful. The Peplink 580X will be going in front of the Merakis, correct. Regarding WAN 3, how does this come into play, since it would be great to have WAN 2+3 used together? Regarding WAN1, I would like this to be reserved for a specific VLAN only. In the event WAN1 goes down, then re-route over WAN2 or 3. In the event WAN2+3 are down, then move everyone to use WAN1. Would this work?
I believe it may be possible to disable NAT on the Meraki but I have to call into support.

Regarding NAT. The design docs I saw from Peplink mentioned WAN 1 in drop-in mode and WAN 2 and 3 NAT’d to the Meraki? But the Meraki is already performing NAT, so I was worried it may be a double NAT scenario.

That is covered in the example outbound policy I gave above. It would be load balanced, yes; you could choose a different algorithm depending on what might best suit your needs there.

What algorithm might work best for you could need a little experimentation, it may also depend on exactly what type and capabilities your three ISP connections actually provide too - are they all generally even performance or do you need to try and balance traffic across them in an uneven fashion?

One issue though will always be that as there is NAT between the MX250 and the 580X the 580X only really sees a single source IP to work with so it will mostly be relying on the destination to determine how to distribute traffic flows.

Again, I gave you an example of outbound policy rules that, if configured on the 580X, does just that.

Yes, you could put another rule together that would do that.

On the 580X the rules are processed top down and in order. You could have a catch-all rule below the two examples I gave above to achieve this, or you could rely on the default rule to do the same - there are a few different ways to get the same result. Again, personally I like to have explicit rules configured where I can, to make it very clear how I want the 580X to treat traffic flows.

I personally do not use drop in mode very often so I’m not overly familiar with the implications of how it would work here, Martin might be able to offer some better guidance - personally I am not a fan of things that look like transparent bumps in the network as I find they are often much harder to debug than a proper routed implementation if things are not behaving as expected.

Good luck with that - again personally when it comes to Meraki anything that requires you to engage their support desk to implement custom configuration outside of what is visible to the customer in the dashboard is often a tedious process and again creates issues where you cannot easily modify the config without again engaging their support team.

Yes it probably will mean having two layers of NAT here, but I doubt there is a whole lot you could do about that mostly due to the limitations in what Meraki let you do on the MX.

A more radical approach would be to remove the MX250 entirely and just use the 580X as your main router/firewall but that might depend on what other features of the MX you are using.

I would add at this point the sort of config you are looking for is really quite a basic function of the 580X and very easy to implement with a little understanding of the limitations of the Meraki side of things - maybe ask whatever local partner you purchased them from if they would also help you do the initial setup?

Thank you @WillJones. I’ll do some testing this weekend. All 3 circuits are 1G. WAN 3 is microwave but I’d still like to use it combined with WAN 2.
With regards to HA for the 580X, would I need separate IPs? I have x2 so I’d like to set them up in HA like I have with the Merakis.

580X HA:
You need 3x IPs for the HA to be configured on the LAN side, but only on one set of interfaces, i.e. you do not need 3x IPs for every VLAN.

I would probably use the untagged VLAN on the 580X to build the HA setup and use 3x IPs from an existing management network:

580X HA IP
580X Primary LAN IP
580X Standby LAN IP

The HA is using VRRP so you may want to check there is no conflict with your Meraki HA setup.

Build all the HA config before you begin other tasks as you can just have it sync the config from the primary to the standby.

For the WAN connections to the 580X HA pair you only need a single IP for each WAN, if the primary fails then the standby takes over and can use the same interface address (Peplink also uses VRRP MAC addresses on the WAN side once you enable HA so again you might want to check for any possible conflicts).

Last thing to consider would be the physical cabling of all of this. Hopefully you have a couple of managed switches that all of these things would connect via, whilst also considering the physical capacity of these links (with 3x 1G WAN you might want to consider implementing LACP on the 580X and using a 3x1G bundle to a switch for the “LAN” interfaces to avoid a potential bottleneck).

Thank you Will, I only have a /29 block in which all 6 IPs are used on the Meraki firewalls. Will I need extra for the Peplink?

Regarding the switch in between the LAN and firewall, how should this be set up for WAN1, WAN2 and 3? I tried to set up WAN2 but I couldn’t get it working, as the Meraki said “failed”.

@WillJones the LAN VLANs on the Peplink, can they be anything or should they be specifically configured for the WAN IP?

Might be helpful if you can share a network diagram here, logical and physical please so we can try and work out what would work for you, including where every device is being physically connected including the ISP routers.

Links between the 580X LAN and MX250 WANs can be whatever you want, really. I gave you some examples, but you can adjust the VLAN tags, subnets and so on to meet your needs and fit into your network.

@WillJones thank you, that is very helpful. So on the Peplink LAN port I can configure a 192 subnet or 10 subnet and use that across to the Meraki, just to confirm.
