MX Firewall

SOLVED
Getting noticed

MX Firewall

Hello!

I created VLANs on the MX. They work nicely, but I have a question. I want to isolate guest Wi-Fi traffic, and I have done that too. But from the guest Wi-Fi VLAN, I can ping the GW of another VLAN. I am trying to deny ICMP from the guest Wi-Fi VLAN to the non-guest Wi-Fi VLAN. Maybe I went wrong somewhere?

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Getting noticed

Re: MX Firewall

Hello!

Everyone, my colleague and I found a solution. Use Switch - IPv4 ACL and add a rule to block ping.
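As an added example (not code from the original post or from Meraki), the script below models the accepted answer: a first-match IPv4 ACL on the switch that denies ICMP from the guest VLAN to the work VLAN gateway, evaluated against constructed packets. It also flags rules that an earlier rule shadows, which is the usual reason a "correct" ACL appears not to work, and it marks which packets are addressed to the MX itself, where, per this thread, the MX L3 firewall rules did not stop the ping. The addresses (guest 192.168.0.0/24, work 10.0.0.0/24, gateway 10.0.0.1), the VLAN layout, the interface set and the default-allow tail are assumptions for illustration, not configuration taken from the thread.

```python
"""Added example (not from the thread): first-match model of the MS switch
IPv4 ACL described in the accepted answer, evaluated against constructed
packets. Addresses, VLAN layout and the default-allow tail are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    policy: str    # "deny" or "allow"
    protocol: str  # "icmp", "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


# Assumed addressing: guest Wi-Fi VLAN 192.168.0.0/24 and work VLAN 10.0.0.0/24,
# whose MX interface (the gateway the OP could still ping) is 10.0.0.1.
GUEST_VLAN = "192.168.0.0/24"
WORK_VLAN = "10.0.0.0/24"
WORK_GW = "10.0.0.1/32"
MX_INTERFACES = {"192.168.0.1", "10.0.0.1"}   # assumed MX VLAN interface IPs

# Rule order matters: the specific ICMP deny sits before any broader rule.
GUEST_ACL = [
    Rule("deny", "icmp", GUEST_VLAN, WORK_GW, "guest must not ping the work VLAN gateway"),
    Rule("deny", "any", GUEST_VLAN, WORK_VLAN, "guest must not reach work VLAN hosts"),
    Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", "default allow (assumed tail)"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when its protocol is 'any' or equal to the packet's, and
    both addresses fall inside the rule's CIDRs."""
    if rule.protocol not in ("any", pkt.proto):
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def evaluate(acl: list, pkt: Packet) -> Rule:
    """Return the first rule that matches; ACLs are processed top to bottom."""
    for rule in acl:
        if matches(rule, pkt):
            return rule
    raise ValueError("ACL has no catch-all rule")


def shadowed_rules(acl: list) -> list:
    """Indexes of rules that can never match because an earlier rule covers
    the same protocol and a superset of both address ranges."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.protocol in ("any", later.protocol)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                out.append(j)
                break
    return out


def needs_switch_acl(pkt: Packet) -> bool:
    """True when the packet is addressed to an MX VLAN interface itself. The
    thread reports that the MX L3 firewall rules did not stop such pings (the
    reply came from the MX), so the switch ACL is the enforcement point."""
    return pkt.dst in MX_INTERFACES


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("icmp", "192.168.0.10", "10.0.0.1"),   # guest -> work gateway
        Packet("tcp", "192.168.0.10", "10.0.0.50"),   # guest -> work host
        Packet("icmp", "192.168.0.10", "8.8.8.8"),    # guest -> internet
    ]
    for pkt in samples:
        rule = evaluate(GUEST_ACL, pkt)
        where = "switch ACL only" if needs_switch_acl(pkt) else "MX L3 rules or switch ACL"
        print(f"{pkt.proto:4} {pkt.src} -> {pkt.dst}: {rule.policy} ({rule.comment}); enforce via {where}")
    print("shadowed rule indexes:", shadowed_rules(GUEST_ACL))
```

Two caveats when applying this on real hardware: the ACL is evaluated per packet with no connection state, so writing only the guest-to-gateway direction is enough for ICMP (a dropped echo request produces no reply), but TCP or UDP rules need the same one-way thinking; and the switch can only filter what passes through it, so the rule helps only if the guest SSID's traffic actually traverses that switch on its way to the MX.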

16 REPLIES
Here to help

Re: MX Firewall

What I have done is deny my guest Wi-Fi traffic to other VLANs.

Under Wireless, Firewall & traffic shaping, switch to the guest SSID and add a layer 3 firewall rule:

Policy: deny

Protocol: any

Destination: local LAN

Port: any

Comment: description of rule

CMNO, Dell Certified, A+
Getting noticed

Re: MX Firewall

Thank you.

I did it, but I still have ping from the guest VLAN to the non-guest VLAN.

I used tcpdump and found who answered my ping request. It was my.meraki.net

Kind of a big deal

Re: MX Firewall

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways.  But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Getting noticed

Re: MX Firewall

Yep, I added rules that block access to hosts in another VLAN from the guest VLAN. But I don't think it's right that you can ping the GW from other VLANs.

Thank you for the answer


@Adam wrote:

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways. But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured.

Kind of a big deal

Re: MX Firewall

I have a similar configuration to yours and I also thought it was strange but it seems to be the design of their product.  In the grand scheme of things, it is relatively low risk being able to ping the Gateways. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Getting noticed

Re: MX Firewall

OK, I understand, thank you for the answers
Here to help

Re: MX Firewall

Hello AlexanderDrago,

If I understood correctly, you are able to ping the GWs of other VLANs, but can you also ping other devices in those VLANs? Besides ping, can you access devices in other VLANs?

If the "problem" is only that you are able to ping the GWs, did you try blocking it under Security Appliance -> Firewall -> Security appliance services, putting "None" in the "Allowed remote IPs" box?
Here to help

Re: MX Firewall

AlexanderDrago,

Please disregard my last sentence. "Security appliance services" is about services that you can enable or disable for traffic sourced from the outside interface.
Getting noticed

Re: MX Firewall

No, I did not allow ping to the GW from the guest VLAN to the work VLAN. It came from the "box" of the router. But I am trying to deny ping to the GW from the guest VLAN to the work VLAN.
Here to help

Re: MX Firewall

Alexander,

Take a look at this post. I think it will probably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437
Getting noticed

Re: MX Firewall

OK, thank you, I will read this article
Getting noticed

Re: MX Firewall

@GuiCarvalho wrote:
Alexander,

Take a look at this post. I think it will probably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437

No, this solution doesn't help with my problem. So, as I understand it, this is a "new feature" in Meraki.

Getting noticed

Re: MX Firewall

Hi,

You can do that by going to Security appliance > Configure > Firewall and then configuring it as below.

Let's say your Wi-Fi VLAN is 192.168.0.0/24 and your domain is 10.0.0.0/8.
Choose "Deny" and Protocol "Any" so that 192.168.0.0/24 clients will not be allowed to ping or access any domain IP in the 10.0.0.0/8 subnet.

(screenshot: Firewall Settings)

Alternatively you can do it in Wireless > Configure > Firewall & traffic shaping

(screenshot: Wireless Firewall)

or this should work too:

Wireless > Configure > Access Control

(screenshot: Wireless Access Control)

Getting noticed

Re: MX Firewall

Yes, I did that. But ping to the GW in another VLAN still works.

Community Manager

Re: MX Firewall

@AlexanderDrago wrote:

Hello!

Everyone, my colleague and I found a solution. Use Switch - IPv4 ACL and add a rule to block ping.


Marking this as the solution on your behalf, @AlexanderDrago. Thanks for updating the community!!

Caroline S | Community Manager, Cisco Meraki | @merakicaroline