Meraki

Community

L3 Firewall: How to specify outboud

Solved
Johnny55
Here to help
‎Jul 25 2022 10:06 AM
‎Jul 25 2022 10:06 AM

L3 Firewall: How to specify outboud

Hello fellows

 

This is regarding the L3 firewall on group policy (on MX).

 

I want to isolate a client, only allow it to communicate to it's own subnet and to the WAN.

-> From / to 192.168.1.0/24 and from / to WAN

 

The thing is, I have many subnets / vlans, so although having a deny rule to each subnet would work fine, I find it cumbersome and would prefer to avoid.

So my idea is to:
- Allow 192.168.1.0/24 (all ports / proto)
- Block Any (all ports / proto)

But I think that would also block the client from accessing the WAN.

So my quesiton is: What destination sould I specify to allow traffic to the WAN?

I already tried to use the public IP and the gateway, to no avail...

maybe I did something wrong here? ... like not using the correct mask... you tell me

Many thanks!

0 Kudos
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 10:10 AM
‎Jul 25 2022 10:10 AM

Hi ,

 

Simply do : 

 

Deny 192.168.1.0/24 RFC1918 ( 10.0.0.0/8 , 192.168.0.0/16 , 172.16.0.0/12 ) Any

Permit 192.168.1.0/24 Any Any 

 

This will block anything from 192.168.1.0/24 towards rfc1918 , except it's own vlan and will allow the flows towards the internet.

View solution in original post

4 Replies 4
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 10:10 AM
‎Jul 25 2022 10:10 AM

Hi ,

 

Simply do : 

 

Deny 192.168.1.0/24 RFC1918 ( 10.0.0.0/8 , 192.168.0.0/16 , 172.16.0.0/12 ) Any

Permit 192.168.1.0/24 Any Any 

 

This will block anything from 192.168.1.0/24 towards rfc1918 , except it's own vlan and will allow the flows towards the internet.

In response to RaphaelL
Johnny55
Here to help
‎Jul 25 2022 11:43 AM
‎Jul 25 2022 11:43 AM

Hi @RaphaelL 

That's some good info, thank you.
But are you sure that it applies to Group Policies?

This is how I would do it based on your reply:

Screen Shot 2022-07-25 at 2.46.03 PM.png

0 Kudos
In response to Johnny55
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 25 2022 11:57 AM
‎Jul 25 2022 11:57 AM

Yes that would be the way to do it ! 

 

Somehow I missed the part about the Group Policy in your post.

0 Kudos
In response to RaphaelL
Johnny55
Here to help
‎Jul 25 2022 12:28 PM
‎Jul 25 2022 12:28 PM

Thanks for your help @RaphaelL !

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.