MX Firewall Basic rules, Inter vlan and rules order

Solved
lsantiago
Here to help


- What's the proper order of the rules?

- Guest inter-VLAN

Guest VLAN = 172.16.78.0/23 (172.16.78 - 172.16.79)

My network subnets = 192.168.0.0/18 (192.168.0 - 192.168.63)

[Attachment: FWRules.PNG]

I can ping 172.16.78.1 from my local network.

I can ping 192.168.0.1 from my guest network.

1 Accepted Solution
MacuserJim
A model citizen

You'll probably want to change the protocol for rules #9 and #10 to any instead of TCP.


I assume on the Addressing and VLAN page you have 172.16.78.1 and 192.168.0.1 set up as the MX IPs? You'll be able to ping those IPs, but if you try to ping another IP in that subnet that would be assigned to a client your L3 rules #9 and #10 should block those.


2 Replies

hockeydude
Getting noticed

Meraki rules are a little different from the classic "open on top of a deny all" rule set. I usually use the following structure:

allow <protocol> <source subnet> <src port> <destination subnet> <dst port>

deny any <source subnet> src port any destination <10.0.0.0/8,172.16.0.0/12,192.168.0.0/16> dest port any

Be really careful with your default deny rule at the end.
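Added example (not code from the thread or from Meraki): a small first-match simulator for MX L3 firewall rules that reproduces both points above, the accepted solution's observation that a TCP-only deny does not catch ICMP ping between the guest and corporate VLANs, and hockeydude's "explicit allows, then deny to all RFC1918 space" structure on top of the MX's implicit allow at the bottom. Rule entries use the field names of the Dashboard API `l3FirewallRules` payload so they can be compared with an exported rule set, but the rule sets, the hosts pinged and the guest DNS server address `192.168.0.53` are constructed for the example. It models transit traffic only: it ignores srcPort, stateful return traffic and packets addressed to the MX's own VLAN interface IPs.

```python
import ipaddress

# Subnets from the thread; the RFC1918 list is the one in hockeydude's deny rule.
GUEST = "172.16.78.0/23"
CORP = "192.168.0.0/18"
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def rule(policy, protocol, src, dst, comment="", dst_port="Any"):
    """Build one entry shaped like the Dashboard API l3FirewallRules payload."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "srcCidr": src, "srcPort": "Any", "destCidr": dst, "destPort": dst_port,
            "syslogEnabled": False}


def _cidr_match(field, ip):
    """'Any' or a comma-separated CIDR list, as the dashboard accepts it."""
    if field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def _port_match(field, port):
    """'Any', a single port, a comma list, or a dash range such as '1-1024'."""
    if field.strip().lower() == "any":
        return True
    if port is None:
        return False
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First matching rule wins. Returns (policy, index); index == len(rules)
    means the implicit default rule at the bottom, which on the MX is allow."""
    for i, r in enumerate(rules):
        if r["protocol"] != "any" and r["protocol"] != proto:
            continue  # a TCP-only rule never sees ICMP or UDP traffic
        if not (_cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip)):
            continue
        if proto in ("tcp", "udp") and not _port_match(r["destPort"], dst_port):
            continue
        return r["policy"], i
    return "allow", len(rules)


# Rules #9 and #10 as the original post has them: deny, but protocol TCP only.
AS_POSTED = [
    rule("deny", "tcp", GUEST, CORP, "9: guest -> corp"),
    rule("deny", "tcp", CORP, GUEST, "10: corp -> guest"),
]

# Accepted solution: protocol 'any' so ICMP and UDP are caught as well.
FIXED = [
    rule("deny", "any", GUEST, CORP, "9: guest -> corp"),
    rule("deny", "any", CORP, GUEST, "10: corp -> guest"),
]

# hockeydude's structure: explicit allows first, then deny guest to all private
# space, leaving the implicit allow to cover internet-bound traffic.
# 192.168.0.53 as the guest DNS server is an assumption made for this example.
STRUCTURED = [
    rule("allow", "udp", GUEST, "192.168.0.53/32", "guest DNS", dst_port="53"),
    rule("deny", "any", GUEST, RFC1918, "guest -> any private"),
]


if __name__ == "__main__":
    # Constructed hosts: a guest client pinging a corporate client, not the MX.
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED), ("structured", STRUCTURED)):
        print(name, "icmp guest->corp:", evaluate(rules, "icmp", "172.16.78.50", "192.168.5.10"))
        print(name, "tcp/443 guest->internet:", evaluate(rules, "tcp", "172.16.78.50", "8.8.8.8", 443))
```

Because the simulated default rule is allow, a trailing "deny any any" in this model blocks everything the explicit allows above it do not cover, including internet-bound guest traffic, which is the trap the last line of the post warns about.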
