Meraki

Quimax · ‎Jul 19 2023

I'm not sure what I'm doing wrong with this. We have a department that is getting their own internet connection, so will have their own MX device (MX64W) with their own VLAN (104) in their location. However, they also need access to the internal servers on VLAN 68 which is on a MS425.

MX64W (.104.1) - LAN3 Trunk port allow 104 - MS425 has VLAN 104 - (.104.2) and VLAN 68 (.68.1)

I can ping from a device on VLAN 104 on the MX64W to the VLAN 68 and webpages hosted on 68 work. I know the routing works.

However...anything blocked in our Layer7 rules (it's a lot! slow internet with lots of users...) is also blocked on this static route. Joining the AD domain and smb file server doesn't work. The event logs on the MX64W tell me it's blocked. If I remove the rule, then things work, but that also allows it from internet as well.

How can I tell the MX64W to treat these static routes as internal LAN, and not firewalled?

Brash · ‎Jul 19 2023

This is correct behaviour - anything that goes across L3 boundaries on the MX (whether over a LAN port or WAN port) will pass through layer 7 firewall rules.

The only way to achieve what you're trying to do is alter your topology to have the L3 gateway on the switches rather than the MX. That way traffic between VLAN's doesn't have L7 firewall rules applied to it.

GreenMan · ‎Jul 20 2023

Or adjust the scope of the firewall rules, so they didn't impact the sources and destinations in question

Quimax · ‎Jul 20 2023

How is this done with Layer 7 rules?

PhilipDAth · ‎Jul 20 2023

If you have an MS425 - do the routing on that. Then it will never hit the MX.

Quimax · ‎Jul 20 2023

The only detail left out is that the MS425 is behind a MX84 and those are on a different campus, separated by a wireless bridge.

Meraki

Community

Disable firewall on static routes?

Disable firewall on static routes?