Disable firewall on static routes?

Quimax
Getting noticed

I'm not sure what I'm doing wrong with this. We have a department that is getting its own internet connection, so it will have its own MX device (MX64W) with its own VLAN (104) in its location. However, they also need access to the internal servers on VLAN 68, which is on an MS425.

MX64W (.104.1) - LAN3 Trunk port allow 104 - MS425 has VLAN 104 - (.104.2) and VLAN 68 (.68.1)

I can ping from a device on VLAN 104 on the MX64W to VLAN 68, and web pages hosted on 68 work. I know the routing works.

However... anything blocked in our Layer 7 rules (it's a lot! slow internet with lots of users...) is also blocked on this static route. Joining the AD domain and the SMB file server doesn't work. The event logs on the MX64W tell me it's blocked. If I remove the rule, then things work, but that also allows it from the internet as well.

How can I tell the MX64W to treat these static routes as internal LAN, and not firewalled?

5 Replies
Brash
Kind of a big deal

This is correct behaviour - anything that goes across L3 boundaries on the MX (whether over a LAN port or WAN port) will pass through layer 7 firewall rules.

The only way to achieve what you're trying to do is to alter your topology to have the L3 gateway on the switches rather than the MX. That way traffic between VLANs doesn't have L7 firewall rules applied to it.

GreenMan
Meraki Employee

Or adjust the scope of the firewall rules, so they don't impact the sources and destinations in question.

Quimax
Getting noticed

How is this done with Layer 7 rules?

PhilipDAth
Kind of a big deal

If you have an MS425, do the routing on that. Then it will never hit the MX.

Quimax
Getting noticed

The only detail left out is that the MS425 is behind an MX84, and those are on a different campus, separated by a wireless bridge.
