Meraki

Community

Layer 7 Countries "not to/from"

ortem4435
Conversationalist
‎Jan 11 2018 3:41 PM
‎Jan 11 2018 3:41 PM

Layer 7 Countries "not to/from"

First post here, so be kind!

 

I have a customer with MX64 with a local las vegas business internet provider (cable). When trying to use a simple (built-in) Layer 7 Countries blocking rule "not to/from" for China, Russia, Indonesia (largest IP pool of mail server attackers so far for them) they lose internet connectivity. They have an advanced license. 

 

This is not without precedent, trying it on my own MX64 for just china, my kids lose their xbox connections at the house, to just name one instance. When i first got my MX64 i dropped every country except Canada, and US into the same Layer 7 firewall rule and my internet was unusable. Anyone out there have some advice on this, the layer 7 country blocking was my favorite feature of the MX series that spurred me to buy it in the first place.

12 Replies 12
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 11 2018 3:47 PM
‎Jan 11 2018 3:47 PM

Are you running a recent firmware like 13.28?

0 Kudos
In response to PhilipDAth
ortem4435
Conversationalist
‎Jan 11 2018 3:50 PM
‎Jan 11 2018 3:50 PM

14.17, been on the beta train for a little while, hoping it would improve things.

0 Kudos
DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Jan 12 2018 9:05 AM
‎Jan 12 2018 9:05 AM

@ortem4435When you say lose internet connectivity, do you lack certain services or everything goes down?

0 Kudos
In response to DCooper
ortem4435
Conversationalist
‎Jan 12 2018 10:31 AM
‎Jan 12 2018 10:31 AM

For the customer premise I mentioned, they called me right away after I set the 3 countries “not to/from” rule in layer 7, and told me that they have no internet access. Normally I would have taken the time to troubleshoot what was and wasn’t working- but this was a production environment that cannot be without internet access. I have multiple servers on the inside of their network with backup remote access “Teamviwer” installations tied to my teamviewer account. When the customer called me, I looked at my teamviewer status and all their connected teamviewer computers showed offline. I immediately removed the rule from the Meraki dashboard and they regained internet access within 30-45 seconds.

0 Kudos
In response to ortem4435
DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Jan 12 2018 10:46 AM
‎Jan 12 2018 10:46 AM

Can you PM me the serial number to this? This sounds very odd and I checked with our support and there isn't anything widespread. We would like to take a closer look to see if there is anything obvious in the logs.

0 Kudos
In response to DCooper
ortem4435
Conversationalist
‎Jan 12 2018 11:00 AM
‎Jan 12 2018 11:00 AM

yes- on the way

0 Kudos
In response to ortem4435
mmmmmmark
Building a reputation
‎Jan 18 2018 9:44 AM
‎Jan 18 2018 9:44 AM

If you block Germany, teamviewer will stop working. At least that was my experience from about a year ago.

spock
New here
‎Jan 18 2018 9:28 AM
‎Jan 18 2018 9:28 AM

I had the same problem. Had to add more countries. I can't remember which, but I think it was netherlands. Teamviewer is working for me and I have the following countries: Canada, France, Germany, Ireland, Japan, Netherlands, United Kingdom, United States.

0 Kudos
Danny_K
Conversationalist
‎Jul 14 2020 8:26 AM
‎Jul 14 2020 8:26 AM

Same problem. Firmware version 14.40

blocking the following countries with "not to/from"

russia
china
france
hailand
viet nam
indonesia
equador

 

complete internet goes down. cannot ping 1.1.1.1 or 8.8.8.8 office 360 stops working as well.

 

looks like this has been an issue for 2 years now. maybe the not to/from really means anything going in or out only from these countries?

0 Kudos
In response to Danny_K
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 15 2020 5:24 AM
‎Jul 15 2020 5:24 AM

Especially as you‘re referring to O365: what is your specific threat model that makes you think Geoblocking is any good nowadays (if I may ask)?

0 Kudos
In response to CptnCrnch
Danny_K
Conversationalist
‎Jul 15 2020 6:36 AM
‎Jul 15 2020 6:36 AM

I'm doing 2 things. Because I'm seeing attacks from those countries, I'm blocking them.

 

2nd item, because we moved our exchange from Azure to on prem, we have a nat that I'm adding the IP addresses microsoft provided,... kind of,. I'm adding the IPv4 addresses. I'm seeing Meraki does not like the IPv6 addresses in the NAT filter.

 

I did the "Traffic to/From" this morning before people came in and it works fine. After going through documentation and posts, I learned the way it works is:

Traffic "not to/From" would be your only allow these countries

Traffic "to/From" would be countries to block

 

The way I had read it at first was don't allow incoming traffic unless it is initiated by outgoing traffic which is wrong.

In response to Danny_K
Siva_J
Comes here often
‎Dec 29 2020 11:09 PM
‎Dec 29 2020 11:09 PM

Hi Danny,

 

Could you please share the documentation URL you have for the below statements

 

I did the "Traffic to/From" this morning before people came in and it works fine. After going through documentation and posts, I learned the way it works is:

Traffic "not to/From" would be your only allow these countries

Traffic "to/From" would be countries to block

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.