Block Internet for 99% of devices

Josh1


Have not started this yet, but I have a very remote office that requires access to a NAS device over the LAN. They require no access to the WAN and need to be prevented from accessing the WAN so as not to touch the limited quota. The NAS device does need access to the LAN to perform very small (5-10 MB) cloud backups at night.


Thinking of using an MX64 for the job, and ideally having:

  • Group A (NAS only) - access to LAN + WAN
  • Group B (all other devices, i.e. printers + client computers) - access to LAN, no access to WAN

How would you go about achieving this on the Meraki unit?

5 replies
ww

1. Allow group A (or the specific NAS IP) to any.
2. Allow group B to A + B.
3. Add a deny all at the end.

see also: https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Using_Layer_3_Firewall_Rules


Josh1

Thanks for that, 'ww'. Would you say this achieves that outcome, as per your recommendation?

[Screenshot: Screen Shot 2017-12-29 at 3.33.40 pm.png]

PhilipDAth

As @ww says, create L3 firewall rules. However, I would create the default rules so that they prevent access to the WAN (so by default, if something is plugged in, the network is secure).


Then create a group policy that overrides these firewall rules and gives access to the WAN. Then apply this group policy to those clients that you want to have additional access (so additional access is given by exception, not by default).

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...
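Both replies above describe the same thing: an ordered, first-match L3 rule list with a deny at the end, either written directly as the network rules (ww's version) or as deny-by-default network rules with a group policy carving out the NAS (PhilipDAth's version). The model below is an added example, not Meraki code and not a dashboard export. The LAN subnet (192.168.128.0/24), the NAS address (192.168.128.10) and the test WAN host (8.8.8.8) are assumed, since the thread gives none; only source and destination IP are modelled (protocol and port are treated as "any"); and the group-policy behaviour is modelled as "the policy's own rule list is evaluated instead of the network list", which is an assumption about the setting the thread calls 'ignore firewall'. The `shadowed()` helper flags a rule that an earlier, broader rule already fully covers, which is the general reason a rule in such a list "will do nothing".

```python
"""Ordered first-match model of MX L3 outbound firewall rules (added example,
not Meraki's code). Assumed addresses: LAN 192.168.128.0/24, NAS 192.168.128.10.
Only src/dst IP are modelled; protocol and port are treated as 'any'."""
import ipaddress
from dataclasses import dataclass

LAN = "192.168.128.0/24"   # assumed MX64 LAN subnet
NAS = "192.168.128.10/32"  # assumed NAS address (group A)
WAN_HOST = "8.8.8.8"       # any Internet-side host, used only for testing


@dataclass(frozen=True)
class Rule:
    policy: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    comment: str = ""


def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _matches(cidr, ip):
    net = _net(cidr)
    return net is None or ip in net


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins. The MX ends every list with a non-removable
    'allow any any', so an unmatched flow is allowed; that is why an explicit
    deny must be added at the end when WAN access is meant to be the exception."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.policy, r.comment
    return "allow", "default allow any any"


# Approach 1 (ww): allow group A to any, allow group B to LAN, deny the rest.
WW_RULES = [
    Rule("allow", NAS, "any", "group A (NAS) to LAN + WAN"),
    Rule("allow", LAN, LAN, "group B to LAN only"),
    Rule("deny", "any", "any", "everything else, i.e. group B to WAN"),
]

# Approach 2 (PhilipDAth): network rules deny WAN by default; a group policy
# applied to the NAS client carries its own rules. Assumption: the policy's
# rules are evaluated instead of the network rules for that client.
NETWORK_RULES = [
    Rule("allow", LAN, LAN, "LAN to LAN"),
    Rule("deny", "any", "any", "no WAN unless a group policy says otherwise"),
]
GROUP_POLICIES = {NAS: [Rule("allow", "any", "any", "NAS exception: LAN + WAN")]}


def evaluate_with_policy(network_rules, policies, src_ip, dst_ip):
    """Clients matched by a policy key (a CIDR) use that policy's rule list."""
    src = ipaddress.ip_address(src_ip)
    for client_cidr, rules in policies.items():
        if src in ipaddress.ip_network(client_cidr, strict=False):
            return evaluate(rules, src_ip, dst_ip)
    return evaluate(network_rules, src_ip, dst_ip)


def _covers(a, b):
    """True if CIDR a contains every address CIDR b contains ('any' covers all)."""
    na, nb = _net(a), _net(b)
    if na is None:
        return True
    if nb is None:
        return False
    return na.version == nb.version and na.supernet_of(nb)


def shadowed(rules):
    """Indices of rules that can never match because an earlier rule already
    covers their whole src/dst space. Such a rule does nothing and can go."""
    return [j for j, r in enumerate(rules)
            if any(_covers(e.src, r.src) and _covers(e.dst, r.dst) for e in rules[:j])]


if __name__ == "__main__":
    flows = [("192.168.128.10", WAN_HOST), ("192.168.128.20", WAN_HOST),
             ("192.168.128.20", "192.168.128.10")]
    for s, d in flows:
        print(f"ww      {s:>15} -> {d:<15} {evaluate(WW_RULES, s, d)}")
        print(f"policy  {s:>15} -> {d:<15} "
              f"{evaluate_with_policy(NETWORK_RULES, GROUP_POLICIES, s, d)}")
    # Dropping the final deny shows why it is needed: group B reaches the WAN.
    print("without final deny:", evaluate(WW_RULES[:2], "192.168.128.20", WAN_HOST))
    print("shadowed:", shadowed(WW_RULES + [Rule("allow", NAS, LAN, "redundant")]))
```

The useful check before saving a ruleset is the last two lines: without the trailing deny the model falls through to the implicit allow and the printers and client computers reach the WAN, and any rule that `shadowed()` reports is one an earlier rule has already decided.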

Josh1

Thanks, 'PhilipDAth'. Is this what you were getting at?

[Screenshot: Screen Shot 2017-12-29 at 3.38.22 pm.png]

Then this sort of policy with the 'ignore firewall' manually applied to the NAS IP?

[Screenshot: Screen Shot 2017-12-29 at 3.37.15 pm.png]

PhilipDAth

Rule (2) will do nothing, so you could remove it. Yes, that will do what you were asking.
