Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

L3 Firewall: How to specify outboud

Solved
Johnny55
Here to help
‎Jul 25 2022 10:06 AM
‎Jul 25 2022 10:06 AM

L3 Firewall: How to specify outboud

Hello fellows

 

This is regarding the L3 firewall on group policy (on MX).

 

I want to isolate a client, only allow it to communicate to it's own subnet and to the WAN.

-> From / to 192.168.1.0/24 and from / to WAN

 

The thing is, I have many subnets / vlans, so although having a deny rule to each subnet would work fine, I find it cumbersome and would prefer to avoid.

So my idea is to:
- Allow 192.168.1.0/24 (all ports / proto)
- Block Any (all ports / proto)

But I think that would also block the client from accessing the WAN.

So my quesiton is: What destination sould I specify to allow traffic to the WAN?

I already tried to use the public IP and the gateway, to no avail...

maybe I did something wrong here? ... like not using the correct mask... you tell me

Many thanks!

0 Kudos
Subscribe
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 10:10 AM
‎Jul 25 2022 10:10 AM

Hi ,

 

Simply do : 

 

Deny 192.168.1.0/24 RFC1918 ( 10.0.0.0/8 , 192.168.0.0/16 , 172.16.0.0/12 ) Any

Permit 192.168.1.0/24 Any Any 

 

This will block anything from 192.168.1.0/24 towards rfc1918 , except it's own vlan and will allow the flows towards the internet.

View solution in original post

Subscribe
4 Replies 4
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 10:10 AM
‎Jul 25 2022 10:10 AM

Hi ,

 

Simply do : 

 

Deny 192.168.1.0/24 RFC1918 ( 10.0.0.0/8 , 192.168.0.0/16 , 172.16.0.0/12 ) Any

Permit 192.168.1.0/24 Any Any 

 

This will block anything from 192.168.1.0/24 towards rfc1918 , except it's own vlan and will allow the flows towards the internet.

Subscribe
In response to RaphaelL
Johnny55
Here to help
‎Jul 25 2022 11:43 AM
‎Jul 25 2022 11:43 AM

Hi @RaphaelL 

That's some good info, thank you.
But are you sure that it applies to Group Policies?

This is how I would do it based on your reply:

Screen Shot 2022-07-25 at 2.46.03 PM.png

0 Kudos
Subscribe
In response to Johnny55
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 11:57 AM
‎Jul 25 2022 11:57 AM

Yes that would be the way to do it ! 

 

Somehow I missed the part about the Group Policy in your post.

0 Kudos
Subscribe
In response to RaphaelL
Johnny55
Here to help
‎Jul 25 2022 12:28 PM
‎Jul 25 2022 12:28 PM

Thanks for your help @RaphaelL !

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.