Deny Local LAN Question

TroyS
Here to help

Deny Local LAN Question

Greetings,

 

I've set up the firewall and traffic shaping for two different SSIDs on my network to "deny any local LAN' .  One is in NAT mode, the other is in bridge mode.

 

I don't have any group policies set up.  I don't have any whitelisting or blocking set up.

 

I've noticed that if someone connects with a laptop that is a member of the domain it seems to override this rule and they have full access to the LAN connecting to either of the SSIDs.  Is that how it's supposed to work?

15 REPLIES 15
BrechtSchamp
Kind of a big deal

Have they disconnected and reconnected to the network since you setup the deny rule?

Yes, I've connected and disconnected multiple times to both SSIDs.

BrechtSchamp
Kind of a big deal

That's strange behavior. I can't think of any mechanism that would do this. Other than the standard group policies, whitelists and blacklists.

It looks like it may be working correctly now.  I need to do a little more testing.  Last night I made the changes and saw the behavior, but this afternoon I don't.

PhilipDAth
Kind of a big deal
Kind of a big deal

They should only be able to access DNS and DHCP and nothing else on the local LAN.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_... 

"Note: DNS and DHCP traffic is exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt since the AP acts as a DHCP server for connecting clients."

This is how I expected it to work, and it did for one device, but not for another.

 

So, now it seems to be even more strange.  It's a Microsoft Surface Pro device.  It is connecting to Wi-Fi.  It doesn't matter which SSID it connects to, it has full access to the LAN.

 

When I search for this device in the dashboard I can't see it being connected to any APs.

 

When I search by name, I find the device and it shows that it's status is an "offline wired client" and it's associated with one of my Meraki switches.

 

How is this even possible?

PhilipDAth
Kind of a big deal
Kind of a big deal

>but not for another

 

If you whitelist the device or apply a group policy which overrides the firewall rules they you could get this happening.

I don't have any whitelists, blocking or group policies in effect.

 

Even then I would think it would still show the device connected to an AP/SSID and not show it being an offline wired device connected straight to a switch.

Yeah, we noticed same problem (wireless clients are recognized as wired clients, like Ipads, Macbook...) on our network... then network policy to wireless clients do not work.

 

Supports don't know either.....

Here are some iPads

2019-11-15 08_35_22-Window.png

Is there a non-meraki switch in between the Meraki AP to the Meraki switch/MX ?
Nolan Herring | nolanwifi.com
TwitterLinkedIn

No, it's all Meraki switches and Meraki APs.

BrechtSchamp
Kind of a big deal

What's actually connected on the port the client is reported to have been connected to last?

It's the port connecting to Access Point

Do you have the"forget client" button in your dashboard? If you do I'd try using that to see if it's some kind of weird caching behavior.

 

sketch-1574232607663.png

 

I don't seem to have that button in my dashboard.  Just the Policy drop down box.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels