Hi alemabrahao, the requirement is to block all traffic between the VLANs, not just ICMP. I'm only using ping to do some basic testing in the rules.

MX is the gateway. I'm going to recreate the rules in my lab MX to see if the result is the same.

I see, in this case I suggest calling Meraki support.

Ugh ? What ?

How is this a flaw ?

I think you are mixing Intra-vlan and Inter-vlan

Nope, I'm sure what I'm talking about. I have already carried out several laboratories and implementations in the past.

Yes, it is a flaw, in many cases communication between clients on the same network segment is not necessary. I repeat again, this is the basics expected of a decent firewall.

Okay if you say so.

I wanted to respond the same. But I think hes saying that ping traffic is blocked  between clients in the same vlan? ( Based on his packet capture) but its not clear if the ICMP response not found is even related  to this.  another thing missing here is if the clients are on different mx ports or 1 port trunked to a switch. I think there was bug at some point using different ports on a specific mx. But using a trunk to a switch and clients on that switch,  traffic should not even traverse the mx.

The clients are on a L2 switch. The switch is trunked to the firewall. I am setting up a lab to replicate the MX environment now and we will see if I see the same result of traffic being blocked where it should not be. It could be a switching issue.

More to come.

In this case I have to agree with @RaphaelL , they are on the same segment L2 will not block anyway. Hey I thought the hosts were directly connected to the MX. In this case, you might be able to solve it with L2 ACL.

Or configure Private VLANs depending on the switch model.

Exactly.  Layer 2 communications ( intra-vlan )  can't be block by the Layer 3 firewall (inter-vlan ) of the MX. 

There ways to achieve that ( client isolation on a switch ? ). 

Client A on vlan 10 on switch 1 port 2 will reach Client B on vlan 10 on switch 1 port 3 without ever reaching the MX.

( I know you know that btw ) 

Thanks GldenJoe, the only issue I see with all this right now is I exported the, VLANs, Subnets, policy objects and the L3 rules and ported them over to a lab MX that I have setup to simulate the environment and all testing passed as expected.

Intra-VLAN traffic were permitted worked as expected.
Inter-VLAN traffic where permitted worked as expected. 
Traffic not specified explicitly to be allowed was not allowed. 
Internet bound traffic worked just fine.

However on the staged equipment where we noticed the issue, test hosts cannot ping each-other within the same VLAN, or in different VLANs that are explicitly permitted.

Changing firmware to the latest patch changed nothing.
Moving the hosts from the switches directly onto the MX changed nothing.

So I built SVIs on Stack 1 and Stack 2 to do ping testing to rule out the hosts themselves perhaps dropping the ping, and they work as expected.

At this point I am thinking this is a problem with some of these particular test laptops, but unsure otherwise.

Same, but without access to them I needed to actually prove that was the issue. Just to update you all, this was related to windows firewall.