I have an MX84 configured with three VLANs, each of which is assigned a /24 subnet from the 172.16.0.0/12 block. The networks are designated inside, DMZ, and guest.
I'm trying to understand the firewall / security interaction when I mark the DMZ network as "On-VPN". In particular I have firewall rules:
1: allow tcp (DMZ host) any (VPN-Connected host) any
...
8: deny Any (DMZ subnet) Any Any Any
The goal is to deny everything from the DMZ network by default (rule 8 above). What's killing me is that my default deny rule doesn't seem to apply to networks that are part of our VPN-connected mesh.
I can't ping the inside network from (DMZ host), I can't ping the guest network from (DMZ host), but I can ping any IP address on a subnet connected to the MX84 via the Meraki cloud.
So is there an implied "permit" rule hidden somewhere that is overriding my L3 rules on the MX84 because the destination is part of our VPN mesh? If so, how can I prevent (DMZ host) from accessing everything connected to our VPN mesh? We have about 40 subnets advertised this way, and I only want to permit my DMZ network to access specific hosts on specific endpoints.
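As an added example (not code from the original post or from Meraki), the following first-match evaluator models the rule list in the question and the symptom it describes. It assumes constructed addressing inside 172.16.0.0/12 (DMZ 172.16.2.0/24, inside 172.16.1.0/24, guest 172.16.3.0/24, two assumed VPN peer subnets 172.16.50.0/24 and 172.16.51.0/24), assumed addresses for "(DMZ host)" and "(VPN-Connected host)", and models the behaviour described above as a second, separate rule list for VPN-bound destinations that ends in its own implicit allow, so a deny that only exists in the L3 list never sees mesh-bound traffic. The hardened chain shows the deny mirrored into that second list behind a narrow TCP permit.

```python
"""First-match evaluator for ordered outbound firewall rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing, all inside 172.16.0.0/12 as in the post (addresses assumed).
INSIDE = ip_network("172.16.1.0/24")
DMZ = ip_network("172.16.2.0/24")
GUEST = ip_network("172.16.3.0/24")
VPN_PEERS = [ip_network("172.16.50.0/24"), ip_network("172.16.51.0/24")]  # assumed mesh subnets
DMZ_HOST = "172.16.2.10"   # "(DMZ host)" in the post, address assumed
VPN_HOST = "172.16.50.20"  # "(VPN-Connected host)" in the post, address assumed


@dataclass(frozen=True)
class Rule:
    number: int   # position shown in the dashboard list
    action: str   # "allow" or "deny"
    proto: str    # "any", "tcp", "udp", "icmp"
    src: str      # CIDR, single IP, or "any"
    dst: str      # CIDR, single IP, or "any"
    dport: str    # "any" or a port number as a string


def _net_match(spec: str, addr: str) -> bool:
    """True if addr falls inside spec; 'any' matches everything."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules, proto, src, dst, dport="any"):
    """Walk the list top-down; return (action, rule number) of the first hit.

    An outbound list with no matching rule falls through to an implicit allow.
    """
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport not in ("any", dport):
            continue
        if _net_match(rule.src, src) and _net_match(rule.dst, dst):
            return rule.action, rule.number
    return "allow", None


# The poster's L3 outbound list; rules 2-7 are elided, as in the post.
L3_OUTBOUND = [
    Rule(1, "allow", "tcp", DMZ_HOST, VPN_HOST, "any"),
    Rule(8, "deny", "any", str(DMZ), "any", "any"),
]


def destination_chain(dst: str) -> str:
    """Modelling assumption: mesh-bound flows are checked by a separate list."""
    addr = ip_address(dst)
    return "site_to_site" if any(addr in peer for peer in VPN_PEERS) else "l3"


def evaluate(chains, proto, src, dst, dport="any"):
    """Pick the chain by destination, then apply first-match semantics."""
    name = destination_chain(dst)
    action, number = first_match(chains[name], proto, src, dst, dport)
    return name, action, number


# What the post observes: local destinations hit rule 8, mesh destinations
# are evaluated by a list that contains no deny and so falls through to allow.
OBSERVED = {"l3": L3_OUTBOUND, "site_to_site": []}

# Hardened: mirror the intent into the VPN-bound list, narrow permit first,
# then deny the whole DMZ subnet to every mesh destination.
HARDENED = {
    "l3": L3_OUTBOUND,
    "site_to_site": [
        Rule(1, "allow", "tcp", DMZ_HOST, VPN_HOST, "443"),
        Rule(2, "deny", "any", str(DMZ), "any", "any"),
    ],
}

if __name__ == "__main__":
    flows = [("icmp", "172.16.1.5", "any"), ("icmp", VPN_HOST, "any"), ("tcp", VPN_HOST, "443")]
    for label, chains in (("observed", OBSERVED), ("hardened", HARDENED)):
        for proto, dst, dport in flows:
            print(label, proto, DMZ_HOST, "->", dst, evaluate(chains, proto, DMZ_HOST, dst, dport))
```

Running the script prints one verdict per flow: under OBSERVED the ICMP flow to the inside host is denied by rule 8 while the same flow to the VPN host is allowed with no rule number (fall-through), which is exactly the asymmetry in the question; under HARDENED only the specific TCP/443 flow from the DMZ host to the VPN host survives.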