Layer 7 Countries "not to/from"

ortem4435
Conversationalist


First post here, so be kind!


I have a customer with an MX64 on a local Las Vegas business internet provider (cable). When trying to use a simple (built-in) Layer 7 Countries blocking rule "not to/from" for China, Russia and Indonesia (the largest IP pool of mail server attackers so far for them), they lose internet connectivity. They have an Advanced license.

This is not without precedent: trying it on my own MX64 for just China, my kids lose their Xbox connections at the house, to name just one instance. When I first got my MX64 I dropped every country except Canada and the US into the same Layer 7 firewall rule and my internet was unusable. Anyone out there have some advice on this? The Layer 7 country blocking was my favorite feature of the MX series and what spurred me to buy it in the first place.

PhilipDAth
Kind of a big deal

Are you running a recent firmware like 13.28?

ortem4435
Conversationalist

14.17, been on the beta train for a little while, hoping it would improve things.

DCooper
Meraki Alumni (Retired)

@ortem4435 When you say you lose internet connectivity, do you lack certain services, or does everything go down?

ortem4435
Conversationalist

For the customer premises I mentioned, they called me right away after I set the three-country "not to/from" rule in Layer 7 and told me that they had no internet access. Normally I would have taken the time to troubleshoot what was and wasn't working, but this was a production environment that cannot be without internet access. I have multiple servers on the inside of their network with backup remote access TeamViewer installations tied to my TeamViewer account. When the customer called me, I looked at my TeamViewer status and all their connected TeamViewer computers showed offline. I immediately removed the rule from the Meraki dashboard and they regained internet access within 30-45 seconds.

DCooper
Meraki Alumni (Retired)

Can you PM me the serial number to this? This sounds very odd and I checked with our support and there isn't anything widespread. We would like to take a closer look to see if there is anything obvious in the logs.

ortem4435
Conversationalist

yes- on the way

mmmmmmark
Building a reputation

If you block Germany, TeamViewer will stop working. At least that was my experience from about a year ago.

spock
New here

I had the same problem. I had to add more countries. I can't remember which, but I think it was the Netherlands. TeamViewer is working for me and I have the following countries: Canada, France, Germany, Ireland, Japan, Netherlands, United Kingdom, United States.

Danny_K
Conversationalist

Same problem. Firmware version 14.40.

Blocking the following countries with "not to/from":

Russia
China
France
Thailand
Vietnam
Indonesia
Ecuador

The complete internet goes down. Cannot ping 1.1.1.1 or 8.8.8.8; Office 365 stops working as well.

Looks like this has been an issue for 2 years now. Maybe the "not to/from" really means anything going in or out only from these countries?

CptnCrnch
Kind of a big deal

Especially as you're referring to O365: what is your specific threat model that makes you think geoblocking is any good nowadays (if I may ask)?

Danny_K
Conversationalist

I'm doing two things. Because I'm seeing attacks from those countries, I'm blocking them.

Second item: because we moved our Exchange from Azure to on-prem, we have a NAT to which I'm adding the IP addresses Microsoft provided... kind of. I'm adding the IPv4 addresses. I'm seeing that Meraki does not like the IPv6 addresses in the NAT filter.

I did the "Traffic to/from" rule this morning before people came in and it works fine. After going through documentation and posts, I learned the way it works is:

Traffic "not to/from" would be "only allow these countries"

Traffic "to/from" would be the countries to block

The way I had read it at first was "don't allow incoming traffic unless it is initiated by outgoing traffic", which is wrong.
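As an added illustration (not Meraki's code and not part of this thread), the following Python models the two deny modes exactly as the post above describes them, using a constructed prefix-to-country table in place of a real GeoIP lookup; it shows why a "not to/from" rule listing three countries denies a LAN host's traffic to everything outside that list, while "to/from" denies only traffic touching the list.

```python
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table for the demo (RFC 5737 documentation
# ranges with made-up country codes); NOT a real GeoIP database.
GEO_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "CN",
    "192.0.2.0/24": "DE",
}


def country_of(ip: str):
    """Return the constructed country code for an IP, or None if it is not
    geolocated (e.g. RFC 1918 LAN addresses)."""
    addr = ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ip_network(prefix):
            return cc
    return None


def rule_denies(mode: str, countries, src: str, dst: str) -> bool:
    """Model a 'Deny' Layer 7 country rule as the thread describes it.

    mode 'to/from'     : deny flows where either endpoint is in the list.
    mode 'not to/from' : deny flows where NEITHER endpoint is in the list,
                         i.e. only the listed countries stay reachable.
    Assumption: a flow with no geolocated endpoint is not matched at all.
    """
    involved = {country_of(src), country_of(dst)} - {None}
    if not involved:
        return False
    touches_list = bool(involved & set(countries))
    if mode == "to/from":
        return touches_list
    if mode == "not to/from":
        return not touches_list
    raise ValueError(f"unknown mode: {mode}")


def simulate(mode: str, countries, flows):
    """Evaluate one rule over (src, dst) pairs; returns {flow: denied?}."""
    return {f"{s} -> {d}": rule_denies(mode, countries, s, d) for s, d in flows}


if __name__ == "__main__":
    # Constructed flows: a LAN host reaching a 'US' resolver and a 'CN' host.
    flows = [("10.0.0.5", "203.0.113.10"), ("10.0.0.5", "198.51.100.7")]
    for mode in ("not to/from", "to/from"):
        print(mode, simulate(mode, ["CN", "RU", "ID"], flows))
```

With the three-country "not to/from" list, the only flow left allowed is the one to the "CN" host, which is the behaviour the thread reports as "complete internet goes down".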

Siva_J
Comes here often

Hi Danny,

Could you please share the documentation URL you have for the statements below?

I did the "Traffic to/from" rule this morning before people came in and it works fine. After going through documentation and posts, I learned the way it works is:

Traffic "not to/from" would be "only allow these countries"

Traffic "to/from" would be the countries to block
