Isolation VLAN Firewall Rules

JDavie
Getting noticed

Hello, I am trying to make a VLAN in which clients can access the internet, but no other clients on the network. I have a VLAN, 192.168.134.0/24 setup with the MX IP being 192.168.134.1.

I then have two firewall rules, one to allow devices to connect to the MX for internet:

Allow  ->  Any Policy  ->  192.168.134.0/24  ->  Any Port  ->  192.168.134.1/32  ->  Any Port


And one to block all other traffic

Deny  ->  Any Policy  ->  192.168.134.0/24   ->  Any Port  ->  Any Destination  ->  Any Port


The problem is the device still can't connect to the internet. All network traffic is blocked, despite the first rule allowing connection to the MX device. If I remove that 2nd rule, I am able to access the internet, along with the rest of the devices on our network. This is for the wired portion of our network, so NAT mode from an AP is not an option. What am I doing wrong here?


I was also experimenting with group policies. I put the firewall rules in the group policy, and assigned the policy to the VLAN; however, the group policy was never assigned to any devices in that VLAN.

8 Replies
KarstenI
Kind of a big deal

With this rule you allow access to the MX, but not to the internet. You need:


Deny 192.168.134.0/24 with Any Source-Port -> "all your Networks" with Any Destination-Port

Allow 192.168.134.0/24 with Any Source-Port -> Any Destination with Any Destination-Port

Bruce
Kind of a big deal

@JDavie, I believe you might struggle to achieve what you are trying to do if all your clients are in the same 192.168.134.0/24 subnet. The MX can only apply firewall rules to traffic that passes through it at Layer 3, i.e. in your case gets sent to the 192.168.134.1 gateway. If two clients on the same subnet, say 192.168.134.21 and 192.168.134.34, want to communicate then this will not hit the MX Layer 3 gateway and so no rules will be enforced. You will have to put clients in different subnets/VLANs if you want to enforce traffic rules between them.

Incidentally, you can achieve traffic isolation between clients in the same subnet using Access Control Lists (ACLs) on the Meraki switches (MS devices) as the ACLs operate at Layer 2, so within a VLAN, rather than just at the Layer 3 interface.


JDavie
Getting noticed

Thanks for bringing that to my attention. I was able to use ACL to block clients from talking to each other. However, I have run into the same problem as before where they cannot communicate with the internet.

I have rules to allow the VLAN to connect to the MX device, then block traffic to any other destination.


@KarstenI mentioned needing to "Deny all of our networks". Is there a way to do that without doing each individual VLAN? We have over 10 and shift them around. Managing a rule for each would be complicated.

KarstenI
Kind of a big deal

@KarstenI mentioned needing to "Deny all of our networks". Is there a way to do that without doing each individual VLAN? We have over 10 and shift them around. Managing a rule for each would be complicated.

I typically use an object-group "RFC1918" for this purpose. With that, the rule is still correct when new networks are added at a later point.

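To see why the two rule orders in this thread behave differently, here is an added example (my own constructed model, not code from the thread or from Meraki) of first-match evaluation over an MX-style L3 outbound rule list. It covers KarstenI's deny-then-allow ordering with an "RFC1918" object group, and Bruce's point that traffic between two hosts in the same subnet never reaches the gateway. It assumes the list ends in an implicit "allow any" and ignores ports, since every rule in the thread uses Any Port.

```python
import ipaddress

# Constructed object group standing in for KarstenI's "RFC1918" policy object:
# all three private ranges, so the deny rule still covers VLANs added later.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule(action, src, dst):
    """One L3 rule. src/dst are a CIDR string or a list of networks (object group).
    Ports are ignored: every rule in the thread uses Any Port."""
    to_nets = lambda x: x if isinstance(x, list) else [ipaddress.ip_network(x)]
    return {"action": action, "src": to_nets(src), "dst": to_nets(dst)}


def evaluate(rules, src_ip, dst_ip, vlan="192.168.134.0/24", gateway="192.168.134.1"):
    """First-match evaluation, top to bottom (assumption: MX semantics, with the
    default 'allow any' at the bottom of the outbound rule list)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    net, gw = ipaddress.ip_network(vlan), ipaddress.ip_address(gateway)
    # Two hosts in the same subnet talk directly through the switch; the packet
    # never reaches the MX gateway, so no L3 rule is consulted (Bruce's point).
    if src in net and dst in net and dst != gw:
        return "L2-switched"
    for r in rules:
        if any(src in n for n in r["src"]) and any(dst in n for n in r["dst"]):
            return r["action"]
    return "allow"  # default rule at the bottom of the list (assumption)


# JDavie's original rule set: allow to the MX IP itself, then deny everything else.
# Internet-bound packets are addressed to the remote host, not to 192.168.134.1,
# so they miss the allow rule and fall through to the deny.
ORIGINAL = [
    rule("allow", "192.168.134.0/24", "192.168.134.1/32"),
    rule("deny", "192.168.134.0/24", "0.0.0.0/0"),
]

# KarstenI's ordering: deny the private networks first, then allow the rest.
SUGGESTED = [
    rule("deny", "192.168.134.0/24", RFC1918),
    rule("allow", "192.168.134.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    internet = "203.0.113.10"    # constructed public address (TEST-NET-3)
    other_vlan = "192.168.10.5"  # constructed host in another internal VLAN
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "-> internet:", evaluate(rules, "192.168.134.21", internet))
        print(name, "-> other VLAN:", evaluate(rules, "192.168.134.21", other_vlan))
```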
JDavie
Getting noticed

Thanks for the suggestion to use object-groups. Those are going to be extremely handy and save a ton of headache! Do you know if they will be coming to the group policy and MR firewall rules, rather than just the MX firewall rules?

However, I still need to block clients from within the subnet from communicating with each other, or block "any" and find a way to allow access to the internet.

I effectively want to recreate NAT or Layer 2 LAN isolation and deny anything to the local LAN at the MS, rather than MR. 

KarstenI
Kind of a big deal

I think I am not the only one who is hoping for policy-objects in other places like MR, NAT and so on ... 

For the LAN isolation, as already mentioned, this has to be done outside of the MX. The MS switches also have a "Port Isolation" feature.

RomanMD
Building a reputation

Alternatively, if your clients are connected via Meraki MR access points you could use isolation there.


I think what you are trying to achieve is Adaptive Policy, which should be supported by MXs at a later stage.

C3SGInc
Getting noticed

In case someone else runs into this, here is the best practice on isolating a VLAN.
Creating a DMZ with the MX Security Appliance - Cisco Meraki
