Meraki

lsantiago · ‎Dec 4 2018

- Whats the proper order of the rules

- Guest Inter vlan

Guest Vlan = 172.16.78.0/23 (172.16.78-172.16.79)

My network Subnets 192.168.0.0/18 (192.168.0 - 192.168.63)

i can ping 172.16.78.1 from my local network

i can ping 192.168.0.1 from my guest network

MacuserJim · ‎Dec 4 2018

You'll probably want to change the protocol for rules #9 and #10 to any instead of TCP.

I assume on the Addressing and VLAN page you have 172.16.78.1 and 192.168.0.1 set up as the MX IPs? You'll be able to ping those IPs, but if you try to ping another IP in that subnet that would be assigned to a client your L3 rules #9 and #10 should block those.

View solution in original post

MacuserJim · ‎Dec 4 2018

You'll probably want to change the protocol for rules #9 and #10 to any instead of TCP.

I assume on the Addressing and VLAN page you have 172.16.78.1 and 192.168.0.1 set up as the MX IPs? You'll be able to ping those IPs, but if you try to ping another IP in that subnet that would be assigned to a client your L3 rules #9 and #10 should block those.

hockeydude · ‎Dec 4 2018

meraki rules are a little different than the classic "open on top of a deny all" rule set. I usually use the following structure:

allow <protocol> <source subnet> <src port> <destination subnet> <dst port>

deny any <source subnet> src port any destination <10.0.0.0/8,172.16.0.0/12,192.168.0.0/16> dest port any

be really careful with your default deny rule at the end

Meraki

Community

MX Firewall Basic rules, Inter vlan and rules order

MX Firewall Basic rules, Inter vlan and rules order