Layer 7 Countries "not to/from"

Conversationalist

First post here, so be kind!

I have a customer with an MX64 on a local Las Vegas business internet provider (cable). When trying to use a simple (built-in) Layer 7 Countries blocking rule "not to/from" for China, Russia, Indonesia (the largest IP pool of mail server attackers so far for them), they lose internet connectivity. They have an Advanced license.

This is not without precedent: trying it on my own MX64 for just China, my kids lose their Xbox connections at the house, to name just one instance. When I first got my MX64 I dropped every country except Canada and the US into the same Layer 7 firewall rule and my internet was unusable. Anyone out there have some advice on this? The Layer 7 country blocking was my favorite feature of the MX series and what spurred me to buy it in the first place.

Kind of a big deal

Re: Layer 7 Countries "not to/from"

Are you running a recent firmware like 13.28?

Conversationalist

Re: Layer 7 Countries "not to/from"

14.17, been on the beta train for a little while, hoping it would improve things.

Meraki Alumni (Retired)

Re: Layer 7 Countries "not to/from"

@ortem4435 When you say you lose internet connectivity, do you lack certain services, or does everything go down?

Conversationalist

Re: Layer 7 Countries "not to/from"

For the customer premises I mentioned, they called me right away after I set the 3-country "not to/from" rule in Layer 7, and told me that they had no internet access. Normally I would have taken the time to troubleshoot what was and wasn't working, but this was a production environment that cannot be without internet access. I have multiple servers on the inside of their network with backup remote access TeamViewer installations tied to my TeamViewer account. When the customer called me, I looked at my TeamViewer status and all their connected TeamViewer computers showed offline. I immediately removed the rule from the Meraki dashboard and they regained internet access within 30-45 seconds.

Meraki Alumni (Retired)

Re: Layer 7 Countries "not to/from"

Can you PM me the serial number to this? This sounds very odd and I checked with our support and there isn't anything widespread. We would like to take a closer look to see if there is anything obvious in the logs.

Conversationalist

Re: Layer 7 Countries "not to/from"

Yes, on the way.

New here

Re: Layer 7 Countries "not to/from"

I had the same problem. Had to add more countries. I can't remember which, but I think it was the Netherlands. TeamViewer is working for me and I have the following countries: Canada, France, Germany, Ireland, Japan, Netherlands, United Kingdom, United States.

Building a reputation

Re: Layer 7 Countries "not to/from"

If you block Germany, TeamViewer will stop working. At least that was my experience from about a year ago.

Conversationalist

Re: Layer 7 Countries "not to/from"

Same problem. Firmware version 14.40.

Blocking the following countries with "not to/from":

Russia
China
France
Thailand
Viet Nam
Indonesia
Ecuador

The complete internet goes down: cannot ping 1.1.1.1 or 8.8.8.8, and Office 365 stops working as well.


Looks like this has been an issue for 2 years now. Maybe "not to/from" really means anything going in or out only from these countries?

Kind of a big deal

Re: Layer 7 Countries "not to/from"

Especially as you're referring to O365: what is your specific threat model that makes you think geoblocking is any good nowadays (if I may ask)?

Conversationalist

Re: Layer 7 Countries "not to/from"

I'm doing 2 things. Because I'm seeing attacks from those countries, I'm blocking them.


2nd item: because we moved our Exchange from Azure to on-prem, we have a NAT to which I'm adding the IP addresses Microsoft provided... kind of. I'm adding the IPv4 addresses. I'm seeing Meraki does not like the IPv6 addresses in the NAT filter.

I did the "to/from" rule this morning before people came in and it works fine. After going through documentation and posts, I learned the way it works is:

Traffic "not to/from" would be: only allow these countries.

Traffic "to/from" would be: these are the countries to block.

The way I had read it at first was "don't allow incoming traffic unless it is initiated by outgoing traffic", which is wrong.
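
The rule semantics stated in the post above, modeled as an added example (this is not Meraki code and does not talk to a dashboard). It shows why a "not to/from" rule listing only Russia and China takes the whole site offline, why the same list under "to/from" does what the posters wanted, and why a "not to/from" allow list that omits Germany breaks a TeamViewer relay. The IP-to-country table is constructed for the example: the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are labelled DE, RU and CN here purely as stand-ins, and 1.1.1.0/24 and 8.8.8.0/24 are labelled US because the thread pings those resolvers as a connectivity check. The function names `country_of`, `verdict` and `simulate` are this example's own.

```python
"""Model of the Meraki Layer 7 "Countries" rule semantics described in the thread.

Added example, not Meraki code. The geolocation table is constructed for
illustration and is not real data.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Set

# Constructed sample geolocation table (assumption, not a real GeoIP database).
GEO_TABLE = [
    (ip_network("1.1.1.0/24"), "US"),       # Cloudflare resolver, used as a ping target in the thread
    (ip_network("8.8.8.0/24"), "US"),       # Google resolver, likewise
    (ip_network("192.0.2.0/24"), "DE"),     # TEST-NET-1, stand-in for a TeamViewer relay in Germany
    (ip_network("198.51.100.0/24"), "RU"),  # TEST-NET-2, stand-in for a Russian source
    (ip_network("203.0.113.0/24"), "CN"),   # TEST-NET-3, stand-in for a Chinese source
]

# Constructed list of remote endpoints a typical office touches (hypothetical).
OFFICE_TRAFFIC = ["1.1.1.1", "8.8.8.8", "192.0.2.10", "198.51.100.7", "203.0.113.5"]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix-free lookup: first matching prefix wins (table has no overlaps)."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None  # unknown / unmapped address


def verdict(mode: str, countries: Set[str], ip: str) -> str:
    """Apply one Layer 7 country rule to a flow whose remote end is `ip`.

    mode == "to/from":     deny flows whose remote end IS in `countries` (a block list)
    mode == "not to/from": deny flows whose remote end is NOT in `countries` (an allow list)

    An address the geo table cannot place is treated as "not in any listed country":
    it passes a "to/from" rule and is dropped by a "not to/from" rule.
    """
    cc = country_of(ip)
    if mode == "to/from":
        blocked = cc in countries
    elif mode == "not to/from":
        blocked = cc not in countries
    else:
        raise ValueError(f"unknown rule mode {mode!r}")
    return "deny" if blocked else "allow"


def simulate(mode: str, countries: Set[str], ips: Iterable[str]) -> Dict[str, str]:
    """Return {remote_ip: 'allow'|'deny'} for every endpoint under the given rule."""
    return {ip: verdict(mode, countries, ip) for ip in ips}


if __name__ == "__main__":
    attackers = {"RU", "CN"}
    print("not to/from RU,CN (what the posters configured):")
    print(simulate("not to/from", attackers, OFFICE_TRAFFIC))   # every US/DE endpoint denied
    print("to/from RU,CN (what they wanted):")
    print(simulate("to/from", attackers, OFFICE_TRAFFIC))       # only RU/CN endpoints denied
    print("not to/from US,CA (allow list without DE):")
    print(simulate("not to/from", {"US", "CA"}, OFFICE_TRAFFIC))  # DE relay denied, TeamViewer breaks
```

Read the output top to bottom: the first rule denies 1.1.1.1 and 8.8.8.8, which is exactly the "cannot ping 1.1.1.1 or 8.8.8.8" symptom; the second allows them and drops only the two attacker stand-ins; the third keeps the resolvers but drops the German relay, matching the observation that blocking Germany (or omitting it from an allow list) breaks TeamViewer. An allow-list rule should therefore be tested against the full set of SaaS and remote-support endpoints before it goes into production.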
