Group Policies not being applied

oldroo
Getting noticed
Hi all,

I understand certain policies override other policies. I have specified no other policies on the AP or switches. The only policy applied is on the VLANs themselves, where I applied the group policy.

I have my MX terminating all VLANs, and all VLANs are routing fine. I applied a group policy to each of the VLANs, which blocks all traffic to the other VLANs.

The problem is, I can still ping and telnet to ports on the other VLANs.

Why is the group policy not being applied?

14 Replies

PhilipDAth
Kind of a big deal

Most likely an error in your group policy.

Could you post a screenshot of the rules and highlight the rule denying the traffic?

vlan 1 10.0.0.0/24 Policy Name: Group A
vlan 2 10.0.1.0/24 Policy Name: Group B
vlan 3 10.0.2.0/24 Policy Name: Group C

Group A policy has (all the others are similar, as mentioned above):

Under custom network firewall & shaping, policy rules enabled.

#  Policy  Protocol  Dest         Port
1  deny    ANY       10.0.1.0/24  ANY
2  deny    ANY       10.0.2.0/24  ANY
3  allow   ANY       ANY          ANY

PhilipDAth
Kind of a big deal

I think I would use a safer rule, and have a single "deny" rule blocking access to 10.0.0.0/8 (aka, block access to anything beginning with 10).

If the group policy has only just been applied to the VLAN, it's possible existing cached flows might still exist, and they will use the cached rules until they expire. Usually waiting 10 minutes is long enough, but rebooting the MX guarantees there are no cached rules.
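To make the first-match semantics concrete, here is an added Python check (written for this thread, not code from Meraki or from either poster) that evaluates a flow against a rule list in the order the rules are listed, the way the layer 3 rules in the Group A policy above are read, and compares that policy with the single 10.0.0.0/8 deny suggested in the reply. The fourth VLAN 10.0.3.0/24 and the sample flows are constructed for the illustration, and the evaluator models only destination-based rules with an implicit final allow; it is not a model of every MX rule field.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One layer 3 firewall rule: action, protocol, destination CIDR, destination port."""
    action: str      # "deny" or "allow"
    protocol: str    # "any", "tcp", "udp" or "icmp"
    dest: str        # CIDR such as "10.0.1.0/24", or "any"
    port: str        # port number as a string, or "any"

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.dest != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dest):
            return False
        if self.port != "any" and int(self.port) != dst_port:
            return False
        return True


def evaluate(rules: list, proto: str, dst_ip: str, dst_port: int) -> tuple:
    """First matching rule wins. Returns (action, 1-based rule number).
    If nothing matches, this model assumes an implicit allow (an assumption
    of the example, not a statement about MX defaults)."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action, number
    return "allow", None


# Group A as posted in the thread (VLAN 1, 10.0.0.0/24): one explicit deny per other VLAN.
GROUP_A = [
    Rule("deny", "any", "10.0.1.0/24", "any"),
    Rule("deny", "any", "10.0.2.0/24", "any"),
    Rule("allow", "any", "any", "any"),
]

# The alternative suggested in the reply: a single deny covering all of 10.0.0.0/8.
GROUP_A_SINGLE_DENY = [
    Rule("deny", "any", "10.0.0.0/8", "any"),
    Rule("allow", "any", "any", "any"),
]

# Constructed test flows: (protocol, destination IP, destination port).
# 10.0.3.0/24 is a hypothetical fourth VLAN added after the policy was written.
FLOWS = [
    ("icmp", "10.0.1.5", 0),     # ping into VLAN 2
    ("tcp", "10.0.2.10", 23),    # telnet into VLAN 3
    ("tcp", "10.0.3.10", 23),    # telnet into the later-added VLAN
    ("tcp", "8.8.8.8", 443),     # internet-bound HTTPS
]


def compare_policies(old: list, new: list, flows: list) -> dict:
    """Return the flows whose verdict differs between two rule lists,
    mapped to (old_action, new_action)."""
    differences = {}
    for flow in flows:
        old_action, _ = evaluate(old, *flow)
        new_action, _ = evaluate(new, *flow)
        if old_action != new_action:
            differences[flow] = (old_action, new_action)
    return differences


if __name__ == "__main__":
    for flow in FLOWS:
        action, number = evaluate(GROUP_A, *flow)
        print(f"Group A        {flow}: {action} (rule {number})")
    for flow, (old, new) in compare_policies(GROUP_A, GROUP_A_SINGLE_DENY, FLOWS).items():
        print(f"differs        {flow}: Group A={old}, single /8 deny={new}")
```

Running it shows both policies agree on the three VLANs that exist today and differ only on the constructed fourth VLAN, which the per-VLAN deny list never mentions and therefore allows; that is the sense in which the single /8 deny is the safer rule. Either policy only governs flows that actually transit the MX, so the /8 rule also covering the client's own subnet makes no difference to same-VLAN traffic.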

It's been applied for at least a day.

I have also tried rebooting, and forcing the devices, whether cabled or using wifi, to reconnect and renew IP addresses.

Also running the latest software.

PhilipDAth
Kind of a big deal

Have any of the hosts got a group policy applied (like whitelisting) which might be overriding your VLAN group policy?

When I look at the clients' policies:

Bandwidth limit: unlimited
Layer 3 firewall: No firewall rules
Layer 7 firewall: No Layer 7 rules
Traffic shaping: No shaping rules
Splash: None
oldroo
Getting noticed

To verify this, I selected all clients, then selected policy -> normal and applied it to all clients.

Did a ping; still could reach other subnets.

Further to this behaviour:

If a wireless client connects via the AP, the group policy seems to work.

If a wired client is connected via the MS switch between the MR and MX in the same VLAN, it can ping and connectivity is as if the policy did not exist.

PhilipDAth
Kind of a big deal

>If a wired client is connected via the MS switch between the MR and MX in the same vlan it can ping

An MX group policy applied to a VLAN acts on traffic entering the MX going to another interface. It does not act on traffic between two hosts in the same VLAN (indeed it cannot, as the traffic never gets seen by the MX).

That may have come out wrong.

I meant if a wired client and a wireless client in the same VLAN try to ping a host on another VLAN, they get different results.

PhilipDAth
Kind of a big deal

Are you sure you have the group policy applied to the VLAN interfaces in the MX?

Yep, 100% sure.

oldroo
Getting noticed

Update: I have a TAC case open, and they have confirmed the configuration is good.

Packet captures uploaded.

oldroo
Getting noticed

Update:

1 Bug: Added Layer 3 firewall rules are not showing hits on the specified rules. The only hits seen are on the default any/any rule.

1 Bug: Objects can't be added to groups; error saying "unknown object".

1 expected behaviour (albeit not good): The MX series allows connectivity from hosts on all VLANs to the configured default gateways for all VLANs regardless of firewall rules / policies. Requested there be an override for this, as it is a security issue. This includes ping and HTTP requests (from my testing).

PhilipDAth
Kind of a big deal

You can disable access to the local status page under "Network Wide > General".

Firewall objects are in beta and this is a known limitation. As it gets closer to production release these kinds of things will get added.

I've never had much luck with the hit counters. They seem to work sometimes. I don't rely on using them. I use packet captures.
