
MX Firewall Basic rules, Inter vlan and rules order

Here to help


- What's the proper order of the rules?

- Guest inter-VLAN

Guest Vlan = 172.16.78.0/23   (172.16.78-172.16.79)

My network Subnets 192.168.0.0/18 (192.168.0 - 192.168.63)

[Image: FWRules.PNG]

I can ping 172.16.78.1 from my local network.

I can ping 192.168.0.1 from my guest network.


2 REPLIES
A model citizen

Re: MX Firewall Basic rules, Inter vlan and rules order

You'll probably want to change the protocol for rules #9 and #10 to any instead of TCP.


I assume on the Addressing and VLAN page you have 172.16.78.1 and 192.168.0.1 set up as the MX IPs? You'll be able to ping those IPs, but if you try to ping another IP in that subnet, one that would be assigned to a client, your L3 rules #9 and #10 should block those.

Conversationalist

Re: MX Firewall Basic rules, Inter vlan and rules order

Meraki rules are a little different from the classic "open on top of a deny all" rule set. I usually use the following structure:


allow <protocol> <source subnet> <src port> <destination subnet> <dst port>

deny any <source subnet> src port any destination <10.0.0.0/8,172.16.0.0/12,192.168.0.0/16> dest port any


Be really careful with your default deny rule at the end.
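The following is an added example, not code from this thread or from Meraki: a simplified first-match evaluator for an L3 rule list in the structure described above (specific allows first, then a deny from the guest subnet to all RFC1918 space), using the thread's guest and internal subnets. It assumes an implicit default-allow at the end of the list and ignores ports and traffic to the MX's own interface IPs; the one allow rule (guest to an internal DNS resolver at 192.168.0.53) is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    policy: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp", "icmp" or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"


def _in_net(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def first_match(rules, protocol, src_ip, dst_ip, default="allow"):
    """Walk the list top to bottom; the first rule whose protocol, source and
    destination all match decides. Returns (policy, 1-based rule number), or
    (default, None) when nothing matched (assumed implicit default-allow)."""
    for i, r in enumerate(rules, start=1):
        if r.protocol not in ("any", protocol):
            continue  # a TCP-only rule never sees ICMP or UDP traffic
        if _in_net(src_ip, r.src) and _in_net(dst_ip, r.dst):
            return r.policy, i
    return default, None


GUEST = "172.16.78.0/23"          # guest VLAN from the thread
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_rules(deny_protocol):
    """Structure from the reply above: explicit allows first, then deny
    guest -> all private space. deny_protocol shows the pitfall from the
    first reply: a TCP-only deny does not stop ping."""
    rules = [Rule("allow", "udp", GUEST, "192.168.0.53/32")]  # constructed: guest DNS
    rules += [Rule("deny", deny_protocol, GUEST, net) for net in RFC1918]
    return rules


if __name__ == "__main__":
    for proto in ("tcp", "any"):
        verdict = first_match(build_rules(proto), "icmp", "172.16.78.20", "192.168.0.10")
        print(f"deny protocol={proto}: guest ping to internal client -> {verdict}")
```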