Hello,
I'm trying to figure out what the following source/dest means from calling the L3FirewallRules on an MX device:
```json
{
  "comment": "Deny Inter-VLAN Communication",
  "policy": "deny",
  "protocol": "any",
  "srcPort": "Any",
  "srcCidr": "VLAN(1).*",
  "destPort": "Any",
  "destCidr": "VLAN(50).*",
  "syslogEnabled": false
}
```
What does the ".*" mean at the end of the srcCidr and the destCidr? I've searched all the docs on outbound firewall rules on an MX and they do not mention anything regarding this when using a VLAN as the source/dest.
Thanks in advance,
-Jerome
You get this when using templates.
Because templates use a different subnet per site (usually), you can't create a firewall rule based on IP addressing. What the above rule does is say allow anything with an IP address that is assigned to VLAN1 to talk to anything else with an IP address assigned to VLAN50. You can also specify a specific address, such as .50.
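To make the template semantics concrete, here is an added example (my own code, not from the thread, the Meraki API or the dashboard) that interprets the srcCidr/destCidr strings returned by the API: "Any", a literal CIDR, "VLAN(n).*" for every address in VLAN n, and "VLAN(n).h" for one host in that VLAN. The per-site subnet bindings are constructed sample data, the assumption that the host form is an offset from the VLAN's network address is mine, ports are ignored, and the trailing default allow mirrors the MX's default rule at the end of the outbound list.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): a template binds VLAN 1 and
# VLAN 50 to different subnets at each site, which is why the rule cannot
# name a fixed CIDR.
SITE_VLANS = {
    "site-a": {1: "10.1.1.0/24", 50: "10.1.50.0/24"},
    "site-b": {1: "10.2.0.0/23", 50: "10.2.50.0/24"},
}

# The rule from the thread, followed by the MX's trailing default allow.
RULES = [
    {"comment": "Deny Inter-VLAN Communication", "policy": "deny",
     "protocol": "any", "srcPort": "Any", "srcCidr": "VLAN(1).*",
     "destPort": "Any", "destCidr": "VLAN(50).*", "syslogEnabled": False},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
     "destCidr": "Any", "syslogEnabled": False},
]

# Template-style object references as they appear in the API output:
#   VLAN(<id>).*   -> every address assigned to that VLAN at this site
#   VLAN(<id>).<n> -> a single host in that VLAN (the ".50" form above)
VLAN_REF = re.compile(r"^VLAN\((\d+)\)\.(\*|\d{1,3})$")


def resolve_cidr(spec, vlans):
    """Turn one srcCidr/destCidr value into a list of ip_network objects
    for a given site's VLAN-to-subnet map."""
    if spec.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    m = VLAN_REF.match(spec)
    if not m:
        # Plain CIDR as used in non-template networks.
        return [ipaddress.ip_network(spec, strict=False)]
    vid, host = int(m.group(1)), m.group(2)
    if vid not in vlans:
        raise KeyError(f"VLAN {vid} is not configured at this site")
    net = ipaddress.ip_network(vlans[vid])
    if host == "*":
        return [net]
    # Assumption: the host number is an offset from the VLAN's network
    # address, so VLAN(50).50 on 10.1.50.0/24 is 10.1.50.50.
    addr = net.network_address + int(host)
    if addr not in net:
        raise ValueError(f"host .{host} lies outside {net}")
    return [ipaddress.ip_network(f"{addr}/32")]


def expand_rule(rule, vlans):
    """Resolve a template rule into concrete networks for one site."""
    return {
        "policy": rule["policy"].lower(),
        "protocol": rule["protocol"].lower(),
        "src": resolve_cidr(rule["srcCidr"], vlans),
        "dst": resolve_cidr(rule["destCidr"], vlans),
    }


def first_match(rules, vlans, src_ip, dst_ip, protocol="tcp"):
    """Evaluate the outbound list top-down and return the policy of the
    first rule whose protocol, source and destination contain the flow.
    Falls back to allow, matching the MX default rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        r = expand_rule(rule, vlans)
        proto_ok = r["protocol"] == "any" or r["protocol"] == protocol.lower()
        if (proto_ok and any(s in n for n in r["src"])
                and any(d in n for n in r["dst"])):
            return r["policy"]
    return "allow"


if __name__ == "__main__":
    for site, vlans in SITE_VLANS.items():
        v1 = resolve_cidr("VLAN(1).*", vlans)[0]
        v50 = resolve_cidr("VLAN(50).*", vlans)[0]
        verdict = first_match(RULES, vlans, v1[10], v50[20])
        print(f"{site}: {v1[10]} -> {v50[20]} = {verdict}")
```

Running it shows the same rule resolving to 10.1.1.0/24 -> 10.1.50.0/24 at one site and 10.2.0.0/23 -> 10.2.50.0/24 at the other, with the VLAN 1 to VLAN 50 flow denied at both while the reverse direction falls through to the default allow, which is the asymmetry to check for when a deny rule is meant to isolate two VLANs.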
Generally the asterisk "*" is a wildcard, that is, it allows anything, in this case I understand that it is including any address.
@alemabrahao Thanks. So does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"
@alemabrahao Yeah, I'm trying to configure it now and I can't even get the dashboard to accept VLAN# or what's shown in the output I added. Somehow, our customer is able to do this because there's a lot of MXs in their network with these rules set.
Looks like you can configure this by using the VLAN name, not the number. There are options to select either IPv4 or IPv6 or Dual. I'm guessing that with the default setting as Dual, that's the ".*" you get from the API. However, this still doesn't answer my question on what this means:
whether a filter about VLAN X is just using the IP's of stuff in VLAN X, or does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"