Hello all! I currently have a GX20 firewall and a GR10 access point that I use at home. I have 3 VLANs set up on my GX20 firewall:
10 - Main
20 - IoT
30 - Work
On the VLAN setup page for each I have toggled on the option to "Secure this network" so the VLANs cannot talk to each other. However, I have a single device (a printer) on VLAN 20 that I would like devices on VLAN 10 and VLAN 30 to be able to communicate with, but I don't want them to be able to communicate with any other devices on VLAN 20. Is this possible with my current Meraki Go gear?
hello @r3f3r1
Yes this is possible.
In my opinion you have to turn "Secure this network" off for all networks you want to communicate with. Then add Level 3 firewall rules for each network.
For VLAN 10 you will have to block access from VLAN 20 and 30, for VLAN 30 block access from VLAN 10 and 20. For the printer on VLAN 20 allow connections from VLAN 10 and VLAN 30 to the IP of the printer. You might want to test the settings by trying to connect to another device on VLAN 20 from VLAN 10 or 30 after you set the rules.
Could be that my opinion is wrong in regards to "Secure this network", so the first thing to try is to set the Level 3 firewall rule to allow communication between VLAN 10 and the printer IP on VLAN 20. Same goes for VLAN 30.
If my opinion was correct, you will have to set all rules by hand.
The printer needs to have a reserved or static IP address.
Cheers
Hi @Xydocq
Thank you for the reply.
I have been able to get a few things working but am still struggling a bit. Here is the full config of my setup and what I am trying to achieve:
VLAN10 - Main
VLAN20 - IoT
VLAN30 - Work
192.168.10.18 - desktop1
192.168.10.46 - desktop2
192.168.20.2 - printer
Would like VLAN 30 to be able to access the printer and the two desktops, but nothing else in those VLANs
Would like VLAN 10 to be able to access the printer.
Here are the rules I have set up. Please correct me if any of these are wrong. I know a little about networking, but I have a lot to learn.
Allow Work to desktop1
allow any
From 192.168.30.0/24 to 192.168.10.18/32
Allow Work to printer
allow any
From 192.168.30.0/24 to 192.168.20.2/32
Allow IoT to desktop2
allow any
192.168.20.0/24 to 192.168.10.46/32
Allow Work to desktop2
allow any
192.168.30.0/24 to 192.168.10.46/32
Allow Main to printer
allow any
192.168.10.0/24 to 192.168.20.2/32
Now these seem to work fine, but where I am having the issue is if I make a Block Work to IoT/Main rule it doesn't work.
deny any
192.168.30.0/24 to 192.168.0.0/16
I've also tried making separate rules and those don't seem to work either. (deny any 192.168.30.0/24 to 192.168.20.0/24 and 192.168.30.0/24 to 192.168.10.0/24). With either of these I can still ping other devices on VLAN10 from VLAN30.
Also, are these rules in top down format like other firewalls or does it matter with Meraki Go? If they are top down format, it would be nice to be able to move the rules where you wanted them as that functionality seems missing so far. I know this is a lot and I very much appreciate you taking a look!
From what I see, you did good. All settings are ok.
But I did some testing with my GX20, and it seems none of the firewall rules are working. Even when I did "Secure this network" on my VLAN 20, I was able to ping and access resources on my VLAN 20 from my VLAN 10. A firewall rule to block a single IP also failed.
So I guess you'll have to file a support ticket with Meraki Go support and have them look into it.
@Xydocq Thank you for taking the time to do your own testing on this. I saw the same behavior, so it is good to know it isn't just me.
@r3f3r1 for what it is worth, I just mentioned in a design meeting that it is important we add the ability to move the rules around due to the order being important. Which answers your other question that yes, we do a top down format like other firewalls.
It is important to note that pre-existing flows will be honored despite a firewall rule being installed. A way to demonstrate this is start a continuous ping to a computer in another VLAN, and then create a rule to block ICMP to that particular computer on the GX. The ping will continue to function successfully until the flow is destroyed. Rebooting the GX is a sure-proof way to clear the flow tables and test firewall rules are working as expected. Outside of that, some packet captures on the laptop showing particularly what traffic is making it through may shed some light on what to do next.
@hidden0 I very much appreciate you bringing that up in your design meeting. I feel that would be a very important feature to implement, or else you would probably end up having to redo a lot of your rules if you implemented some down the road that should be at the top instead of at the bottom.
I thought that might be the case, but didn't try creating the rules and then restarting the GX. I just recreated my additional rules and restarted the GX and now everything seems to be working as it should.
I can ping 192.168.20.2 from both VLAN10 and VLAN30
I can ping 192.168.10.46 from both VLAN20 and VLAN30
I can ping 192.168.10.18 from VLAN30
I cannot ping any other devices on VLAN10 or VLAN20 from VLAN30
I cannot ping any other devices on VLAN10 or VLAN30 from VLAN20
Here are the additional rules I put in place before restarting the GX:
Deny Work to Main
deny any
From 192.168.30.0/24 to 192.168.10.0/24
Deny Work to IoT
deny any
From 192.168.30.0/24 to 192.168.20.0/24
Deny IoT to Main
deny any
From 192.168.20.0/24 to 192.168.10.0/24
Deny IoT to Work
deny any
From 192.168.20.0/24 to 192.168.30.0/24
So I think we are good to go for now and I appreciate the clarification.
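The two points settled in this thread, that the rules are evaluated top-down with first match winning, and that a flow already in the flow table keeps passing after a deny rule is installed until the table is cleared, can be reasoned about with a small model. The following is an added example and not code from the thread or from Meraki Go; it assumes a default action of "allow" when no rule matches and treats the flow table as a simple cache keyed on source, destination and protocol, both of which are modelling assumptions rather than documented GX20 behaviour. The rule set is the poster's final one, entered in the order listed.

```python
"""Added example (not from the thread or from Meraki Go): a minimal model of a
top-down, first-match L3 firewall with a flow table, used to check the rule
ordering and the 'pre-existing flows are honored' behaviour discussed above.
Default action and flow-cache semantics are assumptions of this model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str = "any"   # "any", "icmp", "tcp", "udp"

    def matches(self, src_ip, dst_ip, proto):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto))


def evaluate(rules, src_ip, dst_ip, proto="icmp", default="allow"):
    """Top-down, first match wins; the default applies if nothing matches (assumed)."""
    for r in rules:
        if r.matches(src_ip, dst_ip, proto):
            return r.action, r.name
    return default, "default"


class FlowTable:
    """Stateful model: once a flow has been evaluated its verdict is cached and
    later rule changes do not affect it until the table is flushed (a reboot)."""
    def __init__(self, rules, default="allow"):
        self.rules = list(rules)
        self.default = default
        self.flows = {}  # (src, dst, proto) -> action

    def add_rule(self, rule):
        self.rules.append(rule)

    def forward(self, src_ip, dst_ip, proto="icmp"):
        key = (src_ip, dst_ip, proto)
        if key not in self.flows:
            self.flows[key] = evaluate(self.rules, src_ip, dst_ip, proto, self.default)[0]
        return self.flows[key]

    def flush(self):
        self.flows.clear()


# The poster's final rule set, in the order given: specific allows first,
# then the subnet-wide denies.
RULES = [
    Rule("Allow Work to desktop1", "allow", "192.168.30.0/24", "192.168.10.18/32"),
    Rule("Allow Work to printer",  "allow", "192.168.30.0/24", "192.168.20.2/32"),
    Rule("Allow IoT to desktop2",  "allow", "192.168.20.0/24", "192.168.10.46/32"),
    Rule("Allow Work to desktop2", "allow", "192.168.30.0/24", "192.168.10.46/32"),
    Rule("Allow Main to printer",  "allow", "192.168.10.0/24", "192.168.20.2/32"),
    Rule("Deny Work to Main", "deny", "192.168.30.0/24", "192.168.10.0/24"),
    Rule("Deny Work to IoT",  "deny", "192.168.30.0/24", "192.168.20.0/24"),
    Rule("Deny IoT to Main",  "deny", "192.168.20.0/24", "192.168.10.0/24"),
    Rule("Deny IoT to Work",  "deny", "192.168.20.0/24", "192.168.30.0/24"),
]


def check_policy(rules=RULES):
    """Verdict for each reachability requirement stated in the thread.
    Host addresses other than the printer and desktops are constructed."""
    cases = {
        "work->printer":    ("192.168.30.5", "192.168.20.2"),
        "work->desktop1":   ("192.168.30.5", "192.168.10.18"),
        "work->other_iot":  ("192.168.30.5", "192.168.20.9"),
        "work->other_main": ("192.168.30.5", "192.168.10.99"),
        "iot->desktop2":    ("192.168.20.2", "192.168.10.46"),
        "iot->other_main":  ("192.168.20.9", "192.168.10.18"),
        "main->printer":    ("192.168.10.18", "192.168.20.2"),
    }
    return {k: evaluate(rules, s, d)[0] for k, (s, d) in cases.items()}


def reversed_order_breaks(rules=RULES):
    """Same rules with the denies first: the printer allow is shadowed."""
    denies_first = [r for r in rules if r.action == "deny"] + \
                   [r for r in rules if r.action == "allow"]
    return evaluate(denies_first, "192.168.30.5", "192.168.20.2")[0]


def stale_flow_demo():
    """Reproduce the 'ping keeps working' observation: the flow is admitted before
    the deny exists, survives the rule change, and only a flush applies the deny."""
    fw = FlowTable(RULES[:5])                                  # only the allows so far
    before = fw.forward("192.168.30.5", "192.168.10.99")       # no match -> default allow
    fw.add_rule(Rule("Deny Work to Main", "deny", "192.168.30.0/24", "192.168.10.0/24"))
    after_rule = fw.forward("192.168.30.5", "192.168.10.99")   # cached flow still passes
    fw.flush()                                                 # "reboot the GX"
    after_flush = fw.forward("192.168.30.5", "192.168.10.99")  # now re-evaluated -> deny
    return before, after_rule, after_flush


if __name__ == "__main__":
    for k, v in check_policy().items():
        print(f"{k:18} {v}")
    print("denies first, work->printer:", reversed_order_breaks())
    print("stale flow (before rule, after rule, after flush):", stale_flow_demo())
```

Running it shows why the poster's order works (every host-specific allow sits above the /24 deny that would otherwise cover it), why putting the denies first would cut off the printer, and why a ping that was already running before a deny was added keeps succeeding in the model until the flow table is flushed, which is the behaviour that made the rules look broken before the reboot.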