VLAN communication setup

r3f3r1
Here to help

Hello all! I currently have a GX20 firewall and a GR10 access point that I use at home. I have 3 VLANs set up on my GX20 firewall:

10 - Main
20 - IoT
30 - Work

On the VLAN setup page for each I have toggled on the option to "Secure this network" so the VLANs cannot talk to each other. However, I have a single device (a printer) on VLAN 20 that I would like devices on VLAN 10 and VLAN 30 to be able to communicate with, but I don't want them to be able to communicate with any other devices on VLAN 20. Is this possible with my current Meraki Go gear?

Xydocq
A model citizen

hello @r3f3r1

Yes this is possible.

In my opinion you have to turn "Secure this network" off for all networks you want to communicate with. Then add Level 3 firewall rules for each network.

For VLAN 10 you will have to block access from VLAN 20 and 30, for VLAN 30 block access from VLAN 10 and 20. For the printer on VLAN 20 allow connections from VLAN 10 and VLAN 30 to the IP of the printer. You might want to test the settings by trying to connect to another device on VLAN 20 from VLAN 10 or 30 after you set the rules.

Could be that my opinion is wrong in regards to "Secure this network", so first thing to try is to set the Level 3 firewall rule to allow communication between VLAN 10 and the printer IP on VLAN 20. Same goes for VLAN 30.

If my opinion was correct, you will have to set all rules by hand.

The printer needs to have a reserved or static IP address.

Cheers

r3f3r1
Here to help

Hi @Xydocq

Thank you for the reply.

I have been able to get a few things working but am still struggling a bit. Here is the full config of my setup and what I am trying to achieve:

VLAN10 - Main
VLAN20 - IoT
VLAN30 - Work
192.168.10.18 - desktop1
192.168.10.46 - desktop2
192.168.20.2 - printer

Would like VLAN 30 to be able to access the printer and the two desktops, but nothing else in those VLANs.

Would like VLAN 10 to be able to access the printer.

Here are the rules I have set up. Please correct me if any of these are wrong. I know a little about networking, but I have a lot to learn.

Allow Work to desktop1: allow any from 192.168.30.0/24 to 192.168.10.18/32
Allow Work to printer: allow any from 192.168.30.0/24 to 192.168.20.2/32
Allow IoT to desktop2: allow any from 192.168.20.0/24 to 192.168.10.46/32
Allow Work to desktop2: allow any from 192.168.30.0/24 to 192.168.10.46/32
Allow Main to printer: allow any from 192.168.10.0/24 to 192.168.20.2/32

Now these seem to work fine, but where I am having the issue is if I make a "Block Work to IoT/Main" rule it doesn't work:

Block Work to IoT/Main: deny any from 192.168.30.0/24 to 192.168.0.0/16

I've also tried making separate rules and those don't seem to work either. (deny any 192.168.30.0/24 to 192.168.20.0/24 and 192.168.30.0/24 to 192.168.10.0/24). With either of these I can still ping other devices on VLAN10 from VLAN30.

 

Also, are these rules in top down format like other firewalls or does it matter with Meraki Go? If they are top down format, it would be nice to be able to move the rules where you wanted them as that functionality seems missing so far. I know this is a lot and I very much appreciate you taking a look!

Xydocq
A model citizen

From what I see, you did good. All settings are ok.

But I did some testing with my GX20, and it seems none of the firewall rules are working. Even when I did "Secure this network" on my VLAN 20, I was able to ping and access resources on my VLAN 20 from my VLAN 10. A firewall rule to block a single IP also failed.

So I guess you'll have to file a support ticket with Meraki Go support and have them look into it.

r3f3r1
Here to help

@Xydocq Thank you for taking the time to do your own testing on this. I saw the same behavior, so it is good to know it isn't just me.

hidden0
Meraki Alumni (Retired)

@r3f3r1 for what it is worth, I just mentioned in a design meeting that it is important we add the ability to move the rules around due to the order being important. Which answers your other question: yes, we do a top-down format like other firewalls.

It is important to note that pre-existing flows will be honored despite a firewall rule being installed. A way to demonstrate this is start a continuous ping to a computer in another VLAN, and then create a rule to block ICMP to that particular computer on the GX. The ping will continue to function successfully until the flow is destroyed. Rebooting the GX is a sure-proof way to clear the flow tables and test firewall rules are working as expected. Outside of that, some packet captures on the laptop showing particularly what traffic is making it through may shed some light on what to do next.

r3f3r1
Here to help

@hidden0 I very much appreciate you bringing that up in your design meeting. I feel that would be a very important feature to implement, or else you would probably end up having to redo a lot of your rules if you implemented some down the road that should be at the top instead of at the bottom.

I thought that might be the case, but didn't try creating the rules and then restarting the GX. I just recreated my additional rules and restarted the GX, and now everything seems to be working as it should.

I can ping 192.168.20.2 from both VLAN10 and VLAN30
I can ping 192.168.10.46 from both VLAN20 and VLAN30
I can ping 192.168.10.18 from VLAN30
I cannot ping any other devices on VLAN10 or VLAN20 from VLAN30
I cannot ping any other devices on VLAN10 or VLAN30 from VLAN20

Here are the additional rules I put in place before restarting the GX:

Deny Work to Main: deny any from 192.168.30.0/24 to 192.168.10.0/24
Deny Work to IoT: deny any from 192.168.30.0/24 to 192.168.20.0/24
Deny IoT to Main: deny any from 192.168.20.0/24 to 192.168.10.0/24
Deny IoT to Work: deny any from 192.168.20.0/24 to 192.168.30.0/24

So I think we are good to go for now and I appreciate the clarification.
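As an added illustration (not code from Meraki Go or from anyone in this thread), here is a small Python model of the top-down, first-match rule evaluation the thread arrives at, loaded with the nine rules above, plus a constructed flow table that mimics the "pre-existing flows are honored until the GX is rebooted" behaviour hidden0 describes. The implicit allow when no rule matches is an assumption.

```python
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str, str]  # (name, action, source network, destination network)

# Rules copied from the thread, in the order they were created: the five allows,
# then the four denies that were added before the GX was restarted.
RULES: List[Rule] = [
    ("Allow Work to desktop1", "allow", "192.168.30.0/24", "192.168.10.18/32"),
    ("Allow Work to printer", "allow", "192.168.30.0/24", "192.168.20.2/32"),
    ("Allow IoT to desktop2", "allow", "192.168.20.0/24", "192.168.10.46/32"),
    ("Allow Work to desktop2", "allow", "192.168.30.0/24", "192.168.10.46/32"),
    ("Allow Main to printer", "allow", "192.168.10.0/24", "192.168.20.2/32"),
    ("Deny Work to Main", "deny", "192.168.30.0/24", "192.168.10.0/24"),
    ("Deny Work to IoT", "deny", "192.168.30.0/24", "192.168.20.0/24"),
    ("Deny IoT to Main", "deny", "192.168.20.0/24", "192.168.10.0/24"),
    ("Deny IoT to Work", "deny", "192.168.20.0/24", "192.168.30.0/24"),
]

def evaluate(src: str, dst: str, rules: List[Rule] = RULES, default: str = "allow"):
    """Top-down, first-match evaluation; returns (action, matched rule name).
    The implicit action when nothing matches is an assumption, not stated in the thread."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, name
    return default, "implicit default"

def denies_first(rules: List[Rule] = RULES) -> List[Rule]:
    """Same rules with every deny moved above the allows: the printer exception
    is then shadowed, which is why being able to reorder rules matters."""
    return [r for r in rules if r[1] == "deny"] + [r for r in rules if r[1] == "allow"]

class FlowTable:
    """Constructed model of the behaviour hidden0 describes: a flow that was allowed
    before a rule change keeps working until it is torn down or the GX is rebooted."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()
    def packet(self, src: str, dst: str) -> str:
        if (src, dst) in self.flows:
            return "allow"  # established flow is honored regardless of current rules
        action, _ = evaluate(src, dst, self.rules)
        if action == "allow":
            self.flows.add((src, dst))
        return action
    def reboot(self) -> None:
        self.flows.clear()  # rebooting clears the flow table, so new rules take effect
```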
