Link net between MX and another firewall

Lars_Petterson

Hi,


If I connect an MX on one of its LAN ports to another firewall for the purpose of connecting the subnets behind the two firewalls, how do I configure the LAN port on the MX? I see that I have subnets and also per-port VLAN settings, so do I have to first create a VLAN for the link net, and then set the LAN port type to access with the native VLAN set to the VLAN I created for the link net?

14 Replies
ww

Yes

And then you create the static routes

Yes, and also the policies. Thank you ww 🙂

Hi ww,

I wrote that I should also create policies, but if we have the outbound rule with allow any any then we probably don't need to create a specific policy for this? Or should we? Sorry, I am new to Meraki and that's why I wonder.

ww

Yes, Meraki allows anything by default.

If you don't want that you can add a deny any any before the allow any.

Hi again,

What about inbound rules, do we need to create these as well, or will the traffic flow somehow inside, taking into account that it is coming from the LAN port?

The MX is a ‘stateful’ firewall, so any flows that originate from the inside (LAN) will have their return traffic allowed through the firewall automatically.

Hi Bruce,

What happens with the traffic that the other side initiates first? Will that traffic be allowed to pass through the MX, taking into account that it is coming through the MX's LAN port?

No, if traffic is initiated on the outside (WAN) then you need rules to allow that (inbound) traffic. Generally it means you’ll have a server inside your network listening on a specific port - you’ll then use a port forward on the MX and specify the inbound traffic that is allowed.

Yes, I am aware of port forwarding if the traffic is coming from the WAN interface (internet), but in my case the traffic is initiated on the other firewall and both firewalls are connected through LAN interfaces. I need to have access on both sides after creating the link between the firewalls. The networks 172.16.10.0/24 and 172.16.20.0/24 should be able to talk to 172.16.30.0/24 and 172.16.40.0/24 and the other way around. That is why I am wondering if we need to create rules to allow the traffic to pass through the MX coming from the other firewall, for example 172.16.30.0/24 into 172.16.10.0/24.

[Diagram attachment: Lars_Petterson_1-1636026138472.png]

If this is just all LAN side traffic there's no NAT happening. And as long as you don't have firewall rules denying traffic it's just simple routing.

Based on that diagram, on MX A (left MX) do you have static routes for 172.16.30.0/24 and 172.16.40.0/24 pointing to the next hop 192.168.10.1?

And you'd need the inverse on MX B: statics for 172.16.10.0/24 & 172.16.20.0/24 pointing to the next hop 192.168.10.2.
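The procedure agreed on in the thread so far (create a VLAN for the link net, put the MX LAN port in access mode on that VLAN, then add static routes for the remote subnets via the other firewall's link-net address) expressed as the Dashboard API payloads it produces. This is an added example, not code from the thread or from Meraki: the VLAN ID (100), the LAN port number (4), the link-net prefix 192.168.10.0/30 with the MX on .2 and the other firewall on .1 (the next hops rymiles mentions), and the network ID are all assumptions. The endpoint paths are the documented Dashboard API v1 paths; the function only builds the request list and sanity-checks the addressing, it does not talk to the API.

```python
"""Build the Meraki Dashboard API calls for an MX link net to a neighbouring firewall.

Added example, not from the thread. Assumed values: VLAN 100, LAN port 4,
link net 192.168.10.0/30 (MX .2, peer firewall .1), placeholder network ID.
Nothing here is sent anywhere; the function returns (method, path, body) tuples.
"""
import ipaddress
from typing import Dict, List, Sequence, Tuple

NETWORK_ID = "N_000000000000000000"  # placeholder, not a real network ID

ApiCall = Tuple[str, str, Dict]


def build_link_net_config(
    link_subnet: str,
    mx_ip: str,
    peer_ip: str,
    vlan_id: int,
    port_id: int,
    remote_subnets: Sequence[str],
    local_subnets: Sequence[str],
) -> List[ApiCall]:
    """Return the API calls for the link-net VLAN, the access port and the static routes.

    Checks a practitioner would want before clicking through the dashboard:
    both link-net addresses are usable hosts inside the link subnet, they differ,
    and no remote subnet overlaps the link net or a subnet already behind this MX.
    """
    net = ipaddress.ip_network(link_subnet, strict=True)
    mx = ipaddress.ip_address(mx_ip)
    peer = ipaddress.ip_address(peer_ip)
    usable = set(net.hosts())
    if mx not in usable or peer not in usable:
        raise ValueError(f"{mx} and {peer} must both be usable hosts in {net}")
    if mx == peer:
        raise ValueError("MX and peer must use different link-net addresses")

    locals_ = [ipaddress.ip_network(s) for s in local_subnets]
    calls: List[ApiCall] = []

    # 1. The link-net VLAN: the MX takes the applianceIp on this subnet.
    calls.append((
        "POST",
        f"/networks/{NETWORK_ID}/appliance/vlans",
        {"id": vlan_id, "name": "link-net", "subnet": str(net), "applianceIp": str(mx)},
    ))

    # 2. The LAN port facing the other firewall: access port on the link-net VLAN.
    calls.append((
        "PUT",
        f"/networks/{NETWORK_ID}/appliance/ports/{port_id}",
        {"enabled": True, "type": "access", "vlan": vlan_id},
    ))

    # 3. One static route per remote subnet, next hop = the other firewall's link-net IP.
    for s in remote_subnets:
        remote = ipaddress.ip_network(s)
        if remote.overlaps(net):
            raise ValueError(f"remote subnet {remote} overlaps the link net {net}")
        for local in locals_:
            if remote.overlaps(local):
                raise ValueError(f"remote subnet {remote} overlaps local subnet {local}")
        calls.append((
            "POST",
            f"/networks/{NETWORK_ID}/appliance/staticRoutes",
            {"name": f"to-{remote.with_prefixlen}", "subnet": str(remote), "gatewayIp": str(peer)},
        ))
    return calls


if __name__ == "__main__":
    # MX A side from the diagram: 172.16.10/20 behind it, 172.16.30/40 behind the other firewall.
    for method, path, body in build_link_net_config(
        "192.168.10.0/30", "192.168.10.2", "192.168.10.1", 100, 4,
        ["172.16.30.0/24", "172.16.40.0/24"],
        ["172.16.10.0/24", "172.16.20.0/24"],
    ):
        print(method, path, body)
```

The other firewall gets the mirror image: its link-net interface on 192.168.10.1/30 and routes for 172.16.10.0/24 and 172.16.20.0/24 via 192.168.10.2. A /30 is used so there are exactly two usable addresses on the link net and a stray host cannot be attached to it.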

Hi rymiles,

Hard to understand this because when working with FortiGates, for example, even the different networks behind the same FW need rules to allow or deny traffic in and out of these VLANs.

As I understand what you wrote, if it is a LAN connection like MX1-lan1 <——-> lan1-FW2 then we do not need policies to allow incoming traffic!

If this is just LAN to LAN traffic there's no default block rules between VLANs/subnets. Maybe I'm not understanding your diagram.

Basically I have two firewalls with different subnets behind them and I want to connect these two with a link using their LAN ports, because there are resources that need to communicate with each other. I found it difficult to understand how the Meraki MX allows incoming traffic from fw1 on the right side of the diagram. So I think I understand now that I need to create static routes, and the traffic will be allowed to come in if we don't have any other outbound rule denying the resources behind the MX from responding to the resources behind fw1. There is only one rule, the default one with allow any any.

I just came across another article which explained how the Meraki MX processes traffic. So Meraki does not block the incoming traffic but it blocks the responses, and if I have the default rule allow any any then this will allow the incoming traffic from fw2 to mx1.
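The rule-ordering point ww made earlier (default allow any any; put a deny any any in front of it if you want to restrict traffic) is easy to get wrong when a specific allow is added later. Below is an added example, not code from the thread or from Meraki, of first-match evaluation over constructed flows between the subnets in the diagram. The rule dictionaries use the field names of the Dashboard API l3FirewallRules schema so they could be submitted as-is, but the matcher is a simplified model written for this example: it handles the "Any" wildcard, CIDR and comma-separated port lists only, and it evaluates only the initiating packet, since the MX is stateful and return traffic for an allowed flow is not matched against the rules again.

```python
"""First-match evaluation of MX-style L3 outbound rules over constructed flows.

Added example, not from the thread. The rule format mirrors the Dashboard API
l3FirewallRules schema; the matcher is a simplified model for illustration.
The flows below are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

Rule = Dict[str, str]
Flow = Dict[str, object]


def _cidr_match(spec: str, ip: str) -> bool:
    # "Any" is the dashboard wildcard; otherwise a CIDR or a single host.
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec.lower() == "any":
        return True
    return port in {int(p) for p in spec.split(",")}


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (policy, comment) of the first rule that matches the initiating packet.

    The dashboard always ends the list with its implicit "Default rule" (allow),
    so a rule set that reaches the end without a match is allowed.
    """
    for r in rules:
        if r["protocol"].lower() not in ("any", str(flow["protocol"]).lower()):
            continue
        if not _cidr_match(r["srcCidr"], str(flow["src"])):
            continue
        if not _cidr_match(r["destCidr"], str(flow["dst"])):
            continue
        if not _port_match(r["srcPort"], int(flow["srcPort"])):
            continue
        if not _port_match(r["destPort"], int(flow["destPort"])):
            continue
        return r["policy"], r["comment"]
    return "allow", "Default rule"


# Rules. DEFAULT_RULE stands in for the dashboard's fixed last rule.
DEFAULT_RULE: Rule = {"comment": "Default rule", "policy": "allow", "protocol": "Any",
                      "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any"}
SPECIFIC_ALLOW: Rule = {"comment": "Allow SMB from the fw2 site to VLAN 10", "policy": "allow",
                        "protocol": "tcp", "srcCidr": "172.16.30.0/24", "srcPort": "Any",
                        "destCidr": "172.16.10.0/24", "destPort": "445"}
DENY_ALL: Rule = {"comment": "Deny everything else", "policy": "deny", "protocol": "Any",
                  "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any"}

RULESET_DEFAULT: List[Rule] = [DEFAULT_RULE]                        # as shipped: allow all
RULESET_WRONG_ORDER: List[Rule] = [DENY_ALL, SPECIFIC_ALLOW, DEFAULT_RULE]  # deny shadows the allow
RULESET_RIGHT_ORDER: List[Rule] = [SPECIFIC_ALLOW, DENY_ALL, DEFAULT_RULE]  # specific allow first

# Constructed flows initiated from the fw2 side and arriving on the MX link-net port.
FLOW_SMB: Flow = {"protocol": "tcp", "src": "172.16.30.10", "srcPort": 51000,
                  "dst": "172.16.10.5", "destPort": 445}
FLOW_RDP: Flow = {"protocol": "tcp", "src": "172.16.30.10", "srcPort": 51001,
                  "dst": "172.16.10.5", "destPort": 3389}


if __name__ == "__main__":
    for name, rules in (("default", RULESET_DEFAULT),
                        ("wrong order", RULESET_WRONG_ORDER),
                        ("right order", RULESET_RIGHT_ORDER)):
        print(name, "SMB:", evaluate(rules, FLOW_SMB), "RDP:", evaluate(rules, FLOW_RDP))
```

With only the default rule every flow is allowed, which is the state the thread ends in. Putting deny any any in front of a later specific allow makes that allow unreachable; the specific allow must sit above the deny.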
