cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX Firewall

SOLVED
Go to solution
AlexanderDrago
Getting noticed
‎06-04-2018 08:26 AM
‎06-04-2018 08:26 AM

MX Firewall

Hello!

I create vlans on MX. They work nice, but i have question. I want isolate guest wifi traffic, done it too. But from guest wifi vlan, i can PING gw of another vlan. I trying deny icmp from wifi vlan guest to vlan wifi not guest. Maybe i was wrong anywhere ?

Thank you

0 Kudos
Subscribe
1 ACCEPTED SOLUTION
In response to AlexanderDrago
AlexanderDrago
Getting noticed
‎06-12-2018 08:24 AM
‎06-12-2018 08:24 AM

Hello!

Everyone, my colleague and me find solution. Use Switch - IPv4 ACL and add rule to close ping

View solution in original post

Subscribe
16 REPLIES 16
Terrence
Here to help
‎06-04-2018 08:35 AM
‎06-04-2018 08:35 AM

What I have done is to deny my guest WIFI traffic to other VLANs

Under Wireless, Firewall & traffic shaping

change to the guest SSID

add a layer 3 firewall rule

Policy: deny

Protocol: any

Destination: local LAN

Port: any

Comment: description of rule

CMNO, Dell Certified, A+
0 Kudos
Subscribe
In response to Terrence
AlexanderDrago
Getting noticed
‎06-04-2018 08:54 AM
‎06-04-2018 08:54 AM

Thank you.

I done it, but still have ping from vlan guest to vlan not guest

I use tcpdump and find who answered on my ping request. It was my.meraki.net

0 Kudos
Subscribe
In response to Terrence
Adam
Kind of a big deal
‎06-04-2018 09:20 AM
‎06-04-2018 09:20 AM

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways.  But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Subscribe
In response to Adam
AlexanderDrago
Getting noticed
‎06-04-2018 09:30 AM
‎06-04-2018 09:30 AM

Yep, i did rules what close access to hosts in another vlan from guest vlan. But i think its dont right if you can ping gw from another vlans.

Thank you for answered

@Adam wrote:

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways.  But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured. 

 

0 Kudos
Subscribe
In response to AlexanderDrago
Adam
Kind of a big deal
‎06-04-2018 10:01 AM
‎06-04-2018 10:01 AM

I have a similar configuration to yours and I also thought it was strange but it seems to be the design of their product.  In the grand scheme of things, it is relatively low risk being able to ping the Gateways. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Subscribe
In response to Adam
AlexanderDrago
Getting noticed
‎06-04-2018 10:04 AM
‎06-04-2018 10:04 AM

Ok i understand, thank you for aswers
0 Kudos
Subscribe
GuiCarvalho
Getting noticed
‎06-04-2018 10:13 AM
‎06-04-2018 10:13 AM

Hello AlexanderDrago,

If I understood correctly, you are allowed to ping the GWs of another VLANs, but you can ping another devices of these others vlans? Besides the ping, you can access devices of others VLANs?

If the "problem" is only that you are able to ping the GWs, did you tried to block it in the Security Appliance -> Firewall ->
Security appliance services, putting "None" in the "Allowed remote IPs" box?
0 Kudos
Subscribe
In response to GuiCarvalho
GuiCarvalho
Getting noticed
‎06-04-2018 10:18 AM
‎06-04-2018 10:18 AM

AlexanderDrago,

Please disconsider my last phrase. The "Security appliance services" is about services that you can enable or disable to the traffic sourced in the outside interface.
0 Kudos
Subscribe
In response to GuiCarvalho
AlexanderDrago
Getting noticed
‎06-04-2018 10:28 AM
‎06-04-2018 10:28 AM

No, i dont allowed ping gw from vlan guest to vlan work. It was came from "box" of router. But i trying to deny ping on gw from vlan guest to vlan work
0 Kudos
Subscribe
In response to AlexanderDrago
GuiCarvalho
Getting noticed
‎06-04-2018 11:04 AM
‎06-04-2018 11:04 AM

Alexander,

Take a look at this post. I think that will problably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437
0 Kudos
Subscribe
In response to GuiCarvalho
AlexanderDrago
Getting noticed
‎06-04-2018 01:50 PM
‎06-04-2018 01:50 PM

Ok, thank you i will read this article
0 Kudos
Subscribe
In response to GuiCarvalho
AlexanderDrago
Getting noticed
‎06-05-2018 03:46 AM
‎06-05-2018 03:46 AM

@GuiCarvalho wrote:
Alexander,

Take a look at this post. I think that will problably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437

No, this solution, dont help me with my problem. So how i understand its "new features" in Meraki

0 Kudos
Subscribe
Tony_Ang
Getting noticed
‎06-12-2018 12:33 AM
‎06-12-2018 12:33 AM

Hi,

 

You can do that by going to Security appliance > Configure > Firewall  then configure it like below.

Let's say your WiFi VLAN is 192.168.0.0/24 and your domain is 10.0.0.0/8.
Choose "Deny" and Protocol "Any" so it will not allow 192.168.0.0/24 client ping or access to any domain IP in this subnet 10.0.0.0/8.

Firewall SettingsFirewall Settings

 

Alternatively you can do in Wireless > Configure > Firewall & traffic shaping

Wireless FirewallWireless Firewallor this should work too

Wireless > Configure > Access Control

Wireless Access ControlWireless Access Control

0 Kudos
Subscribe
In response to Tony_Ang
AlexanderDrago
Getting noticed
‎06-12-2018 06:20 AM
‎06-12-2018 06:20 AM

Yes, i done it. But ping to gw in another VLan working.

0 Kudos
Subscribe
In response to AlexanderDrago
AlexanderDrago
Getting noticed
‎06-12-2018 08:24 AM
‎06-12-2018 08:24 AM

Hello!

Everyone, my colleague and me find solution. Use Switch - IPv4 ACL and add rule to close ping

Subscribe
In response to AlexanderDrago
CarolineS
Community Manager
Community Manager
‎06-12-2018 09:05 AM
‎06-12-2018 09:05 AM

@AlexanderDrago wrote:

Hello!

Everyone, my colleague and me find solution. Use Switch - IPv4 ACL and add rule to close ping

Marking this as the solution on your behalf, @AlexanderDrago. Thanks for updating the community!!

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki