L3 Firewall not allowing traffic

Solved
Johnny55
Here to help

Hi folks

I have two rules:

[Screen capture of the two firewall rules, replaced after Ryan_Miles's comment]

The second one DENIES all traffic from subnet 192.168.30.0 to subnet 192.168.10.0,
and the first one ALLOWS traffic from host 192.168.30.31 to server 192.168.10.147:51414/TCP.

Right now, the ALLOW rule has no effect. I have some very clear logs showing me that 51414/TCP packets are blocked because of the DENY rule:
<134>1 1657686991.844793491 Meraki_MX100 flows src=192.168.30.31 dst=192.168.10.147 mac=00:50:56:BF:60:F3 protocol=tcp sport=36336 dport=51514 pattern: deny (dst 192.168.10.0/24) && (src 192.168.30.0/24)

Also, each subnet is on its own VLAN, and I am not using any Group Policy on the VLANs or the clients...



Please, tell me what I'm missing here...

Thanks!

EDIT: Following Ryan_Miles's comment, I replaced the screen capture.

1 Accepted Solution
RaphaelL
Kind of a big deal

Should be an easy fix!

Syslog shows: dport=51514, but the rule states 51414...
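To make the accepted answer concrete, here is an added example (not from the thread and not Meraki's code) that parses the MX "flows" syslog line quoted in the question and walks it through the two rules the way a first-match rule list is evaluated, top-down. It shows why the ALLOW rule is skipped (destination port 51514 in the log versus 51414 in the rule), that correcting the port makes rule 1 match, and that putting the DENY rule above the ALLOW rule would block the flow even with the port fixed. The Rule/evaluate helpers, the rule objects, and the implicit "allow any" default at the bottom of the list are assumptions made for this illustration; the rules and the log line are the ones described in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One L3 outbound rule (assumed model). dport=None means any destination port."""
    action: str             # "allow" or "deny"
    protocol: str           # "any", "tcp" or "udp"
    src: str                # source CIDR, e.g. "192.168.30.31/32"
    dst: str                # destination CIDR
    dport: Optional[int] = None

    def why_not(self, proto: str, src: str, dst: str, dport: int) -> Optional[str]:
        """Return None if the flow matches this rule, else the first field that fails."""
        if self.protocol != "any" and self.protocol != proto:
            return f"protocol {proto} != {self.protocol}"
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return f"src {src} not in {self.src}"
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return f"dst {dst} not in {self.dst}"
        if self.dport is not None and self.dport != dport:
            return f"dport {dport} != {self.dport}"
        return None


# Assumption: rules are evaluated top-down, first match wins, and an implicit
# "allow any" sits below the configured rules.
DEFAULT_RULE = Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0")

# Fields of an MX "flows" syslog line that matter for L3 rule matching.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+).*?protocol=(?P<proto>\w+)"
    r" sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_flow(line: str) -> Tuple[str, str, str, int]:
    """Extract (protocol, src, dst, dport) from a flows line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("not an MX flows line: " + line)
    return m["proto"], m["src"], m["dst"], int(m["dport"])


def evaluate(rules: List[Rule], line: str) -> Tuple[int, str, List[str]]:
    """Return (index of the matching rule, its action, reasons the earlier rules were skipped).

    An index equal to len(rules) means the implicit default rule was reached.
    """
    flow = parse_flow(line)
    reasons: List[str] = []
    for i, rule in enumerate(rules):
        reason = rule.why_not(*flow)
        if reason is None:
            return i, rule.action, reasons
        reasons.append(f"rule {i + 1} ({rule.action}) skipped: {reason}")
    return len(rules), DEFAULT_RULE.action, reasons


# The syslog line quoted in the question.
POSTED_LINE = (
    "<134>1 1657686991.844793491 Meraki_MX100 flows src=192.168.30.31 "
    "dst=192.168.10.147 mac=00:50:56:BF:60:F3 protocol=tcp sport=36336 "
    "dport=51514 pattern: deny (dst 192.168.10.0/24) && (src 192.168.30.0/24)"
)

# The two rules as described in the question (allow on 51414, deny the subnets).
RULES_AS_POSTED = [
    Rule("allow", "tcp", "192.168.30.31/32", "192.168.10.147/32", 51414),
    Rule("deny", "any", "192.168.30.0/24", "192.168.10.0/24"),
]

# Same rules with the allow rule's port changed to the port the client actually uses.
RULES_FIXED = [
    Rule("allow", "tcp", "192.168.30.31/32", "192.168.10.147/32", 51514),
    RULES_AS_POSTED[1],
]

# The fixed rules in the wrong order: the deny is reached first and the allow is dead.
RULES_WRONG_ORDER = [RULES_FIXED[1], RULES_FIXED[0]]


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("port fixed", RULES_FIXED),
                        ("deny above allow", RULES_WRONG_ORDER)):
        idx, action, reasons = evaluate(rules, POSTED_LINE)
        print(f"{name}: matched rule {idx + 1} -> {action}")
        for r in reasons:
            print("  " + r)
```

Feeding the rule set and a handful of exported flows lines through a check like this is a quick way to confirm that the rule you expect to hit is the one actually hit, and to see exactly which field (mask, protocol or port) knocked a rule out, before rebooting anything.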

7 Replies
Johnny55
Here to help

I forgot to mention that if I remove the DENY rule, everything works as expected. Packets flowsssss to their destination...

Ryan_Miles
Meraki Employee

Looks like you should be using /32 masks on the allow rule. Not /24. If you fix that is there any change?

Ryan

Johnny55
Here to help

Thanks @Ryan_Miles 

Yes, I made a dumb mistake here... ( ^_^) By dint of making changes I made that mistake... I was previously using /32 masks. So, I edited the allow rule, waited about 10 minutes, tested again, and the firewall still blocks the packets.

(I have updated my post with a new screen capture and an edit comment.)

Crocker
A model citizen

Just for grins, I'd bounce the MX and then re-test. Then post the syslogs if it continues to block.

Johnny55
Here to help

You mean reboot the unit @Crocker ?

Crocker
A model citizen

Yeah

