Meraki

bayet · ‎Oct 5 2017

Is it possible to block inbound traffic from remote site connected via MPLS link which is connected on the LAN 1 interface of an MX-64 to prevent NAT. The LAN network of the site is connected on LAN 2 interface . The internet interface is for the local internet breakout. As far I can see, the L3 Firewall is for outbound traffic, but I was wondering if it possible to use this same L3 firewall rule in opposite direction to deny traffic sourcing from remote site's.

I'm not able to test this setup yet, as I'm working a configuration to replace other firewalls.

Thanks in advance.

PhilipDAth · ‎Oct 5 2017

I don't clearly understand what you are getting to achieve. Could you give a specific examples with IP addresses.

bayet · ‎Oct 6 2017

bayet · ‎Oct 6 2017

I trying to blocked traffic from entering the Site-A from Site-B, without having to update all the Debian Firewall rules. If I can blocked inbound traffic on the MX LAN interface, then I don't have to update the Debian. We are now replacing those firewalls with Meraki MX's.

bayet · ‎Oct 6 2017

Hi PhilipDAth,
I did my best to explain my question in a drawing with IP addresses. I'm looking forward to see your reaction.

Thanks in advance

PhilipDAth · ‎Oct 6 2017

That is a good diagram! I'm not 100% sure this will work, but I think it will.

You can assign a group policy to a VLAN. So start by creating a group policy (Network Wide/Group Policies), lets call it VLAN10 (you can call it anything you want). Then go "Security Appliance/Addressing and VLANS", click on the VLAN you created, and select the group policy you created.

Then go into your new group policy and for "Firewall and traffic shaping" select "custom" to create layer 3 firewall rules. Then create "deny" rules to block traffic to the other site. Make sure you move the deny rules to the top, as the last rule is a permit.

Meraki

Community

Block Inbound Traffic on MX LAN interface

Block Inbound Traffic on MX LAN interface