Meraki

Community

MX Firewall rule issue

Adrian4
Head in the Cloud
‎Mar 12 2024 8:19 AM
‎Mar 12 2024 8:19 AM

MX Firewall rule issue

Hi,

I have been working on our rule list recently and an error I get fairly often when trying to create a rule is...

"(IP address) does not apply to any configured local or VPN subnets in the source field".


I don't care if its not a locally configured IP range, I want to create that rule....why is it stopping me doing this? 

thanks,

Labels:
0 Kudos
11 Replies 11
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 8:25 AM
‎Mar 12 2024 8:25 AM

Hi ,


What are you trying to achieve ?  The L3 firewall outbound rules will only block or allow traffic "sourced" and routed by the MX.

 

 On the MX, outbound traffic refers to traffic originating from one VLAN that is destined for another VLAN or traffic originating from the LAN that is destined for the Internet or a remote network that is located over a static LAN route.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

 

 

In response to RaphaelL
Adrian4
Head in the Cloud
‎Mar 12 2024 8:35 AM
‎Mar 12 2024 8:35 AM

For example, we have over 60 networks in a WAN and I am trying to standardize as many of the firewall rules as possible.
They all have the same VLAN that needs to be isolated. Cant talk to other deices, other devices cant talk to it (it just allows internet access).

We have firewall rules to stop traffic to and from that VLAN to any private IP.
Some sites use different private address ranges than others - so to make things easy, I have a group that contains all the private ranges - 192.168 / 172.16 / 10.0.

The idea being that we can have the exact same rule applied to every network to do the same job - but Meraki says no because one or more of those ranges may not be configured on the Meraki.

Also, what about subnets configured on non-meraki hardware?

Also, - why does it matter? If I create a rule that doesn't do anything because the source never applies to anything....so what? If I want to configure that rule for whatever reason I should be able to.

Does this restriction somehow help stop accidental, catastrophic mistakes?

0 Kudos
In response to Adrian4
ww
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 8:39 AM
‎Mar 12 2024 8:39 AM

Other option could be to use a group policy and attach it to the vlan interface

0 Kudos
In response to ww
Adrian4
Head in the Cloud
‎Mar 12 2024 9:19 AM
‎Mar 12 2024 9:19 AM

thanks for the reply,

but....I would rather address the issue directly than find a work around.

Also, trying to keep things as simple as possible as we have so many networks and staff scattered around the world, not to mention the possibility of new team members joining in the future - don't really want people to have to scratch their head and dig all over the place to try and find where something might be getting blocked.

0 Kudos
In response to Adrian4
ww
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 9:28 AM
‎Mar 12 2024 9:28 AM

The only option is to use a source for that vlan that falls within a supernet. And use the supernet as source in the firewall rule

0 Kudos
In response to ww
Adrian4
Head in the Cloud
‎Mar 12 2024 9:44 AM
‎Mar 12 2024 9:44 AM

sorry, dont quite understand.

If im creating a rule to block all traffic FROM all private address ranges, TO vlan subnet - how does that work?

0 Kudos
In response to Adrian4
ww
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 10:02 AM
‎Mar 12 2024 10:02 AM

It doesnt .

 

Maybe it works if you create 3 small dummy vlan/subnet in the rfc1918 subnet on all locations.  

 

I dont know  why meraki doesnt allow it, but afaik it has always been this way

0 Kudos
In response to Adrian4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 1:15 PM
‎Mar 12 2024 1:15 PM

I'm struggling to find the documentation, and you don't say if you are using templates, but you can reference VLANs directly instead of by IP address.

 

Some info here:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide... 

 

Because I can't find the docs, I've done some screen shots for you.  See how in the "help" section it says "VLAN"?  You can just type in the VLAN name.

PhilipDAth_0-1710274493537.png

For example, I created a VLAN called "Test" and applied this rule to it:

PhilipDAth_1-1710274539951.png

 

0 Kudos
In response to Adrian4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 1:18 PM
‎Mar 12 2024 1:18 PM

Maybe I have made an assumption here.  Are you talking about a L3 outound rule, an AutoVPN firewall rule, a group policy firewall rule, or something else?

0 Kudos
In response to PhilipDAth
Adrian4
Head in the Cloud
‎Mar 13 2024 1:19 AM
‎Mar 13 2024 1:19 AM

sry, yes its outbound firewall rules.

I want to block anything from 192.168.0.0/24   172.16.0.0/16    10.0.0.0/8
going to a particular VLAN.

I have those 3 private ranges in a Group. 

All our sites use 1 or more of those private ranges. I just want to have the same rule on every site.


The rule works fine on most sites, but I dont know why. One example of a working site has 2 VLANs configured using ips in the 10.0 range, but none of the others.
It does also advertise a static route in the 172 range.

But it doesnt have anything 192 whatsoever - yet it let me create the rule using the private address Group we made that contains all three private subnets.

If it was behaving consistently, I would expect it to not allow the rule because of the 192 subnet in the group that is set as the source.

0 Kudos
MartinLL
Building a reputation
‎Mar 12 2024 10:21 AM
‎Mar 12 2024 10:21 AM

Use vlan objects in your firewall rules instead. I do that for 150+ sites. Works like a charm.

MLL
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.