Creating a secure DMZ on VLAN

SOLVED
Sam-I-am
Here to help

Creating a secure DMZ on VLAN

Hello Meraki Community, 

 

I have a question that I am fairly certain has a simple answer that I am somehow missing.  We currently have a domain with 2 VLANs.  1 VLAN for workstations and equipment and 1 VLAN for servers.  I have setup a DMZ using a completely different IP Address and subnet to provide users with WiFi access.  This Meraki port for the DMZ connection is connected to a switch that is not connected to either VLAN.  The DMZ Per-Port VLAN Configuration is as follows:

 

Type: Trunk

Native VLAN: DMZ

Allowed VLAN: DMZ

 

The Workstation and Server Per-Port VLAN Configurations are

 

Type: Trunk

Native VLAN: VLAN 1 (Client Network)

Allowed VLAN: All VLANs

 

I have tested the WiFi and found that the Meraki DHCP does indeed provide the DMZ IP Address.  However, when I am connected to the DMZ and select the MX IP Address I am provided with a screen that provides information on the security appliance and the client VLAN.  Is their a way to disable this within the Meraki so that a WiFi user cannot determine the security appliance or see the client VLAN? 

 

Again, I am sure the answer is right in front of me but I have yet to locate it through searching or testing.  

 

Please let me know if you require more information.  

 

 

1 ACCEPTED SOLUTION

Hi @Sam-I-am,

 

Not a problem 🙂  Curious, I would expect you to see that kind of behaviour if you were blocking access to the addresses within the same subnet. 

 

If you have no particular reason to retain access into the local status page, you can disable it altogether from the Network-wide > General page, under Device configuration > Local device status page . 

 

Would that work in your case?

 

Thanks!


Giacomo

 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

View solution in original post

6 REPLIES 6
ww
Kind of a big deal
Kind of a big deal

go to wireless firewall and make a rule on your dmz ssid that blocks *ip of your appliance* and port 443 and 80

Hello WW,

Thank you for the assistance. Do you mean just a layer 3 rule in Firewall? I do not have a Wireless Firewall option. So you know I am using an MX 84.

Hey @Sam-I-am,


I think WW might have been thinking you had a Meraki Wireless solution as well.

 

If you only have the MX84, you can do the same on the Security Appliance > Firewall section and add a Layer 3 rule in there. The IP you would restrict is the IP of the MX within that VLAN (and subnet). 

 

Keep in mind that the MX allows intervlan routing by default, so you'll also need to consider adding another rule blocking traffic between your Guest WiFi subnet and your corporate environment. 

 

Hope this helps!

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

Hello @GiacomoS

Thank you for the clarification. My bad. I should have provided more information. I Have attempted to create layer 3 firewall rules denying access to the Meraki appliance IP through port 443, 80, and even All, however, I find that this either cuts off internet access altogether or provides the splash page showing all information (Haven't found the happy medium yet 😕 ).

I have added Layer 3 Firewall rules through both Group Policy for DMZ users as well as general firewall rules. Their must be a way to stop this splash screen from appearing. I am honestly surprised that this information is provided by the security appliance. Either way I will keep banging away at it.

Please let me know if you have any questions.

Thank you

Hi @Sam-I-am,

 

Not a problem 🙂  Curious, I would expect you to see that kind of behaviour if you were blocking access to the addresses within the same subnet. 

 

If you have no particular reason to retain access into the local status page, you can disable it altogether from the Network-wide > General page, under Device configuration > Local device status page . 

 

Would that work in your case?

 

Thanks!


Giacomo

 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

@GiacomoS,

That did it! We had no reason to show that page.

Thank you for taking the time to assist and clarify. It is very much appreciated.

Thank you

Sam-I-am
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels