Hello Meraki Community,
I have a question that I am fairly certain has a simple answer that I am somehow missing. We currently have a domain with 2 VLANs. 1 VLAN for workstations and equipment and 1 VLAN for servers. I have set up a DMZ using a completely different IP Address and subnet to provide users with WiFi access. This Meraki port for the DMZ connection is connected to a switch that is not connected to either VLAN. The DMZ Per-Port VLAN Configuration is as follows:
Type: Trunk
Native VLAN: DMZ
Allowed VLAN: DMZ
The Workstation and Server Per-Port VLAN Configurations are:
Type: Trunk
Native VLAN: VLAN 1 (Client Network)
Allowed VLAN: All VLANs
I have tested the WiFi and found that the Meraki DHCP does indeed provide the DMZ IP Address. However, when I am connected to the DMZ and select the MX IP Address I am provided with a screen that provides information on the security appliance and the client VLAN. Is there a way to disable this within the Meraki so that a WiFi user cannot determine the security appliance or see the client VLAN?
Again, I am sure the answer is right in front of me but I have yet to locate it through searching or testing.
Please let me know if you require more information.
Go to the wireless firewall and make a rule on your DMZ SSID that blocks *IP of your appliance* and ports 443 and 80.
Hey @Sam-I-am,
I think WW might have been thinking you had a Meraki Wireless solution as well.
If you only have the MX84, you can do the same on the Security Appliance > Firewall section and add a Layer 3 rule in there. The IP you would restrict is the IP of the MX within that VLAN (and subnet).
Keep in mind that the MX allows inter-VLAN routing by default, so you'll also need to consider adding another rule blocking traffic between your Guest WiFi subnet and your corporate environment.
Hope this helps!
Giacomo
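An added example, not part of the thread: a small offline check that a Layer 3 rule list denies the guest subnet both the MX's own address on ports 80/443 and the corporate subnets, using first-match evaluation with a final allow-any. The subnets, the MX address and the rule sets are constructed, and the rule keys are a simplified model assumed to mirror the Dashboard API's L3 firewall rule fields.

```python
import ipaddress
# Constructed sample addressing (assumptions, not values from the thread).
GUEST_NET = "192.168.50.0/24"               # DMZ / guest WiFi subnet
MX_GUEST_IP = "192.168.50.1/32"             # MX address inside that subnet
CORP_NETS = ["10.0.1.0/24", "10.0.2.0/24"]  # client and server VLANs

def _net(field, probe):
    """(overlaps, fully covers) for a rule CIDR field: 'Any' or comma-separated CIDRs."""
    cidrs = ["0.0.0.0/0"] if field.strip().lower() == "any" else field.split(",")
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    p = ipaddress.ip_network(probe, strict=False)
    return any(p.overlaps(n) for n in nets), any(p.subnet_of(n) for n in nets)

def _port(field, port):
    """Same pair for a destPort field; port=None means every port."""
    if field.strip().lower() == "any" or port is None:
        return True, field.strip().lower() == "any"
    hit = any(int(lo) <= port <= int(hi or lo)
              for lo, _, hi in (p.strip().partition("-") for p in field.split(",")))
    return hit, hit

def _proto(rule, probe):
    """Same pair for protocol; probe 'any' means every protocol."""
    return (rule == "any" or probe == "any" or rule == probe), rule in ("any", probe)

def verdict(rules, src, dst, proto, port):
    """First match wins; anything not fully denied counts as 'allow'."""
    for r in rules:
        dims = [_net(r["srcCidr"], src), _net(r["destCidr"], dst),
                _proto(r["protocol"], proto), _port(r["destPort"], port)]
        if not all(o for o, _ in dims):
            continue                      # rule does not touch this flow
        if r["policy"] == "allow":
            return "allow"                # at least part of the flow passes
        if all(c for _, c in dims):
            return "deny"                 # the whole flow is blocked
    return "allow"  # implicit final rule on the MX is allow-any

def audit(rules):
    """Guest flows still permitted: MX status page ports, then each corporate subnet."""
    probes = [(MX_GUEST_IP, "tcp", p) for p in (80, 443)] + [(n, "any", None) for n in CORP_NETS]
    return [p for p in probes if verdict(rules, GUEST_NET, *p) == "allow"]

# Constructed rule sets: WEAK blocks only HTTPS to the MX, FIXED covers both points above.
WEAK = [{"policy": "deny", "protocol": "tcp", "srcCidr": GUEST_NET,
         "destCidr": MX_GUEST_IP, "destPort": "443"}]
FIXED = [{**WEAK[0], "destPort": "80,443"},
         {"policy": "deny", "protocol": "any", "srcCidr": GUEST_NET,
          "destCidr": ",".join(CORP_NETS), "destPort": "Any"}]
```

`audit(FIXED)` returns an empty list; `audit(WEAK)` lists port 80 on the MX and both corporate subnets as still reachable from the guest network.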
Hi @Sam-I-am,
Not a problem 🙂 Curious, I would expect you to see that kind of behaviour if you were blocking access to the addresses within the same subnet.
If you have no particular reason to retain access into the local status page, you can disable it altogether from the Network-wide > General page, under Device configuration > Local device status page.
Would that work in your case?
Thanks!
Giacomo