MX Firewall

SOLVED
AlexanderDrago
Getting noticed

Hello!

I created VLANs on the MX. They work nicely, but I have a question. I want to isolate guest Wi-Fi traffic, and I did that too. But from the guest Wi-Fi VLAN, I can ping the GW of another VLAN. I am trying to deny ICMP from the guest Wi-Fi VLAN to the non-guest Wi-Fi VLAN. Maybe I went wrong somewhere?

Thank you

1 ACCEPTED SOLUTION

Hello!

Everyone, my colleague and I found the solution. Use Switch - IPv4 ACL and add a rule to block ping.

16 REPLIES
Terrence
Here to help

What I have done is to deny my guest WIFI traffic to other VLANs

Under Wireless, Firewall & traffic shaping

change to the guest SSID

add a layer 3 firewall rule

Policy: deny

Protocol: any

Destination: local LAN

Port: any

Comment: description of rule

CMNO, Dell Certified, A+

Thank you.

I did it, but I still have ping from the guest VLAN to the non-guest VLAN.

I used tcpdump and found out who answered my ping request. It was my.meraki.net.

Adam
Kind of a big deal

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways.  But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Yep, I made rules that block access to hosts in another VLAN from the guest VLAN. But I think it is not right that you can ping the GW from other VLANs.

Thank you for answering.

@Adam wrote:

I believe regardless of whatever rules you set up you'll still be able to ping the VLAN gateways. But you shouldn't be able to ping any devices inside of that subnet if you have the proper rules configured.

Adam
Kind of a big deal

I have a similar configuration to yours and I also thought it was strange but it seems to be the design of their product.  In the grand scheme of things, it is relatively low risk being able to ping the Gateways. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Ok, I understand, thank you for the answers.
GuiCarvalho
Getting noticed

Hello AlexanderDrago,

If I understood correctly, you are able to ping the GWs of other VLANs, but can you ping other devices on those other VLANs? Besides the ping, can you access devices on other VLANs?

If the "problem" is only that you are able to ping the GWs, did you try to block it in Security Appliance -> Firewall -> Security appliance services, putting "None" in the "Allowed remote IPs" box?

AlexanderDrago,

Please disregard my last sentence. The "Security appliance services" section is about services that you can enable or disable for traffic sourced from the outside interface.

No, I do not allow ping to the GW from the guest VLAN to the work VLAN. It came from the "box" of the router. But I am trying to deny ping to the GW from the guest VLAN to the work VLAN.

Alexander,

Take a look at this post. I think it will probably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437

Ok, thank you, I will read this article.

@GuiCarvalho wrote:
Alexander,

Take a look at this post. I think it will probably help you:

https://community.meraki.com/t5/Security-SD-WAN/Prevent-inter-VLAN-routing-on-MX/td-p/1437

No, this solution does not help me with my problem. So as I understand it, this is a "new feature" in Meraki.

Tony_Ang
Getting noticed

Hi,

You can do that by going to Security appliance > Configure > Firewall, then configure it like below.

Let's say your WiFi VLAN is 192.168.0.0/24 and your domain is 10.0.0.0/8.
Choose "Deny" and Protocol "Any" so it will not allow 192.168.0.0/24 clients to ping or access any domain IP in the 10.0.0.0/8 subnet.

[Screenshot: Firewall Settings]

Alternatively you can do in Wireless > Configure > Firewall & traffic shaping

[Screenshot: Wireless Firewall]

or this should work too

Wireless > Configure > Access Control

[Screenshot: Wireless Access Control]

Yes, I did it. But ping to the GW in another VLAN is working.

Hello!

Everyone, my colleague and I found the solution. Use Switch - IPv4 ACL and add a rule to block ping.
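As an added illustration (not code from this thread or from Meraki), here is a small Python model of the three decision points discussed above: Terrence's Layer 3 rule denying the guest SSID to Local LAN, the ping to another VLAN's gateway that the MX still answered, and the switch IPv4 ACL from the accepted solution. The addressing follows Tony_Ang's example; the gateway and host IPs, and the assumption that the MX answers packets addressed to its own interface IPs before the L3 rules are consulted, are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed sample addressing, following Tony_Ang's example above.
GUEST_VLAN = ip_network("192.168.0.0/24")  # guest WiFi VLAN
WORK_VLAN = ip_network("10.0.0.0/8")       # the "domain" subnets
LOCAL_LAN = (GUEST_VLAN, WORK_VLAN)        # what "Destination: Local LAN" expands to
WORK_GW = ip_address("10.0.0.1")           # assumed MX interface IP on the work VLAN
MX_INTERFACE_IPS = {ip_address("192.168.0.1"), WORK_GW}  # assumed MX VLAN interface IPs

@dataclass(frozen=True)
class Rule:
    policy: str    # "allow" or "deny"
    protocol: str  # "any", "icmp", "tcp" or "udp"
    src: tuple     # source networks
    dst: tuple     # destination networks

def evaluate(rules, proto, src, dst, default="allow"):
    """First matching rule wins; the implicit final rule is the default."""
    for r in rules:
        if (r.protocol in ("any", proto) and any(src in n for n in r.src)
                and any(dst in n for n in r.dst)):
            return r.policy
    return default

def mx_decision(rules, proto, src, dst):
    """Assumption modelled on the thread, not on Meraki documentation: MX L3 rules
    govern forwarded traffic, while a packet addressed to one of the MX's own VLAN
    interface IPs is answered by the appliance itself (tcpdump showed my.meraki.net)."""
    if dst in MX_INTERFACE_IPS:
        return "answered-by-mx"
    return evaluate(rules, proto, src, dst)

def switch_acl_decision(acl, proto, src, dst):
    """A switch IPv4 ACL is applied at the access port, before the MX sees the packet."""
    return evaluate(acl, proto, src, dst)

# Terrence's rule: deny any protocol from the guest SSID to Local LAN.
MX_RULES = [Rule("deny", "any", (GUEST_VLAN,), LOCAL_LAN)]
# The accepted solution: a switch ACL blocking ICMP from the guest VLAN to the work VLAN.
SWITCH_ACL = [Rule("deny", "icmp", (GUEST_VLAN,), (WORK_VLAN,))]

def guest_to_work_results(guest_host="192.168.0.50", work_host="10.0.5.20"):
    """Decisions for the three flows discussed in the thread (constructed hosts)."""
    g, w = ip_address(guest_host), ip_address(work_host)
    return {
        "mx_tcp_to_work_host": mx_decision(MX_RULES, "tcp", g, w),
        "mx_icmp_to_work_gw": mx_decision(MX_RULES, "icmp", g, WORK_GW),
        "switch_icmp_to_work_gw": switch_acl_decision(SWITCH_ACL, "icmp", g, WORK_GW),
    }
```

The model shows why the MX rule alone left the gateway reachable while the ingress ACL on the switch drops the ICMP before it is routed.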


@AlexanderDrago wrote:

Hello!

Everyone, my colleague and I found the solution. Use Switch - IPv4 ACL and add a rule to block ping.


Marking this as the solution on your behalf, @AlexanderDrago. Thanks for updating the community!!

Caroline S | Community Manager, Cisco Meraki