Have not started this yet but have a very remote office that requires access to a NAS device over a LAN. They require no access to WAN and need to be prevented from accessing the WAN so as not to touch the limited quota. The NAS device does need access to LAN to perform very small (5-10mb) cloud backups at night.
Thinking of using an MX64 for the job and ideally have:
How would you go about achieving this on the Meraki unit?
allow group a (or specific NAS IP) to any,
allow the group b to a + b
add deny all at the end.
see also: https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Using_Layer_3_Firewall_Rules
Thanks for that 'ww', would you say this achieves that outcome as per your recommendation?
As @ww says, create L3 firewall rules. However, I would create the default rules so that they prevent access to the WAN (so by default, if something is plugged in, the network is secure).
Then create a group policy which overrides these firewall rules and gives access to the WAN. Then apply this group policy to those clients who you want to have additional access (so additional access is given by exception, not default).
Thanks 'PhilipDAth', is this what you were getting at?
Then this sort of policy with the 'ignore firewall' manually applied to the NAS IP?
Rule (2) will do nothing, so you could remove it. Yes that will do what you were asking.
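The two rule layouts discussed in this thread, modelled as an added example that is not part of any poster's reply and is not Meraki code: a simplified first-match evaluator that checks which flows each layout permits. The subnet, host addresses, the exempt-set model of the group policy and the implicit allow-any fallthrough are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing (assumption; the thread gives no subnets or IPs).
LAN = ipaddress.ip_network("192.168.10.0/24")
NAS = ipaddress.ip_network("192.168.10.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Layout 1: NAS to any, LAN to LAN, explicit deny all at the end.
NAS_RULE_FIRST = [("allow", NAS, ANY), ("allow", LAN, LAN), ("deny", ANY, ANY)]

# Layout 2: default rules block the WAN for everyone; the NAS is exempted
# by a group policy (modelled here as a set of exempt source addresses).
DEFAULT_DENY = [("allow", LAN, LAN), ("deny", ANY, ANY)]
POLICY_EXEMPT = {ipaddress.ip_address("192.168.10.10")}

# Layout 1 with the final deny forgotten, to show why it matters.
MISSING_DENY = NAS_RULE_FIRST[:-1]


def evaluate(rules, src, dst, exempt=frozenset()):
    """Return 'allow' or 'deny' for one flow, first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in exempt:            # group policy overrides the default rules
        return "allow"
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "allow"               # assumed implicit default: allow any


def audit(rules, exempt=frozenset()):
    """Check the three flows the thread cares about (constructed hosts)."""
    return {
        "nas_to_wan": evaluate(rules, "192.168.10.10", "203.0.113.5", exempt),
        "client_to_wan": evaluate(rules, "192.168.10.50", "203.0.113.5", exempt),
        "client_to_nas": evaluate(rules, "192.168.10.50", "192.168.10.10", exempt),
    }


if __name__ == "__main__":
    for name, rules, exempt in [("nas-rule-first", NAS_RULE_FIRST, frozenset()),
                                ("default-deny+policy", DEFAULT_DENY, POLICY_EXEMPT),
                                ("missing-deny", MISSING_DENY, frozenset())]:
        print(name, audit(rules, exempt))
```

Both layouts give the same result for known hosts; they differ in what happens when the exception is removed or a rule is edited, since the default-deny layout leaves the NAS blocked rather than leaving clients open.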