MX Layer3 Firewall - Filter inter vlan/routed traffic issues

DevOps_RC
Getting noticed


Good day all,

We have the following setup (roughly):

[Network diagram image (not reproduced here)]

I've simplified it in the diagram, as we technically have multiple VLANs off the different connections, but basically I want to prevent all traffic from 192.168.0.0/24 getting to 10.1.0.0/24, but allow 10.112.5.0/24 access to 10.1.0.0/24. I can create the rules, and while traffic appears to be blocked, the allow isn't. Is the issue that the subnets that are the sources aren't locally set on the MX appliance, as they are routed from the 172.16.0.0/24 subnet? I have source-based routing enabled on the 10.1.0.0/24 subnet to default route through 172.16.0.0/24.

Any help would be appreciated.


4 Replies
ww
Kind of a big deal

Without firewall rules everything works and is reachable?

Can you show us the firewall rules you trying to apply

PhilipDAth
Kind of a big deal

> Is the issue that the subnets that are the sources aren't locally set on the MX appliance as they are routed from the 172.16.0.0/24 subnet?

I'm not clear what the issue is.


The 10.1.0.0/24 should have a default route pointing to the MX. The MX should have a static route for 192.168.0.0/24 and 10.112.5.0/25 via the router. The router should have a static route for 10.1.0.0/24 pointing to the MX (or have a default route pointing to the MX).

There is no need for source routing.

Brash
Kind of a big deal

As advised above, check your routing.
Without additional information and testing, it seems like the most logical place for there to be an issue.

DevOps_RC
Getting noticed

Thank you all for your replies. The interfaces/networks on the MX are more complicated than in the diagram; I just simplified it to try to remove any confusion. We have 5 different VLANs/subnets, each with their own source-based route, as the MX is also used to tunnel some wireless traffic, and the default gateway for each of these subnets is actually the router, which has those 5 interfaces/subnets on it.

I think the issue is routing, but on the return of the traffic. If I disable all firewall rules, traffic originating from 10.1.0.0/24 can get to 10.112.5.0/24; however, traffic originating from 10.112.5.0/24 passes through the MX to 10.1.0.0/24 (as can be seen in packet captures) and I can see the responses, but I suspect it's then following default routes, rather than source-based routing, for the return traffic. I'll confirm this by running packet captures on the different interfaces on the MX and check for the reply traffic going down a wrong route...

The firewall rules are working correctly, as the ACL hit count is increasing as I send test data, so it is not, as I originally thought, an issue with the L3 firewall rules.


Once again, thanks for your responses, hopefully I can figure this out.
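The two failure modes discussed in this thread (the L3 firewall correctly denying/allowing the forward path, while the reply from 10.1.0.0/24 follows the MX default route instead of a route back to the router) can be reproduced with a small forwarding model. The following is an added example and is not code from the thread or from Meraki; it models each hop as longest-prefix-match routing plus a first-match, default-allow L3 firewall with per-rule hit counters. The topology is constructed from PhilipDAth's suggested design (10.1.0.0/24 hosts default to the MX, the other subnets sit behind the router on 172.16.0.0/24, the MX has a WAN default route), and the node names, host addresses, and the `build`/`round_trip` helpers are assumptions for illustration. Note that the real MX firewall is stateful; the model only needs the forward-path check to show the routing asymmetry.

```python
import ipaddress


class L3Node:
    """Illustrative model of one router/firewall hop: longest-prefix-match
    routing plus a first-match L3 firewall (implicit default allow) applied
    to forwarded traffic. Not Meraki code."""

    def __init__(self, name, routes, fw_rules=()):
        self.name = name
        # routes: (prefix, next_hop); next_hop is "connected" or another node name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        # fw_rules: (action, src_prefix, dst_prefix), evaluated top to bottom
        self.fw_rules = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d))
                         for a, s, d in fw_rules]
        self.hits = [0] * len(self.fw_rules)   # per-rule hit counters

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return None
        # longest prefix wins, so a /24 static route beats the 0.0.0.0/0 default
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def firewall(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, (action, sp, dp) in enumerate(self.fw_rules):
            if src in sp and dst in dp:
                self.hits[i] += 1
                return action
        return "allow"


def trace(nodes, first_hop, src, dst, max_hops=8):
    """Follow one packet hop by hop. Returns the nodes crossed, ending in
    'delivered', 'DENIED', 'NO-ROUTE', 'LOOP', or the name of an uplink
    outside the model (the packet left the network that way)."""
    path, node = [], nodes[first_hop]
    for _ in range(max_hops):
        path.append(node.name)
        if node.firewall(src, dst) == "deny":
            return path + ["DENIED"]
        nh = node.lookup(dst)
        if nh is None:
            return path + ["NO-ROUTE"]
        if nh == "connected":
            return path + ["delivered"]
        if nh not in nodes:
            return path + [nh]
        node = nodes[nh]
    return path + ["LOOP"]


# Constructed topology (assumption, following the advice in the thread).
MX_FW_RULES = [
    ("deny",  "192.168.0.0/24", "10.1.0.0/24"),
    ("allow", "10.112.5.0/24",  "10.1.0.0/24"),
]


def build(mx_has_static_routes):
    mx_routes = [("10.1.0.0/24", "connected"), ("172.16.0.0/24", "connected"),
                 ("0.0.0.0/0", "WAN")]          # WAN uplink lies outside the model
    if mx_has_static_routes:                    # the fix: static routes via the router
        mx_routes += [("192.168.0.0/24", "router"), ("10.112.5.0/24", "router")]
    router = L3Node("router", [("172.16.0.0/24", "connected"),
                               ("192.168.0.0/24", "connected"),
                               ("10.112.5.0/24", "connected"),
                               ("10.1.0.0/24", "mx")])
    return {"mx": L3Node("mx", mx_routes, MX_FW_RULES), "router": router}


def gateway_of(host):
    """First hop for a host: 10.1.0.0/24 defaults to the MX, everything else to the router."""
    return "mx" if ipaddress.ip_address(host) in ipaddress.ip_network("10.1.0.0/24") else "router"


def round_trip(nodes, src, dst):
    """(forward path, return path); return path is None if the forward packet never arrived."""
    forward = trace(nodes, gateway_of(src), src, dst)
    if forward[-1] != "delivered":
        return forward, None
    return forward, trace(nodes, gateway_of(dst), dst, src)


if __name__ == "__main__":
    for static in (True, False):
        nodes = build(static)
        print("MX static routes to router:", static)
        for src in ("10.112.5.10", "192.168.0.10"):
            print("  ", src, "-> 10.1.0.10:", round_trip(nodes, src, "10.1.0.10"))
        print("   MX rule hit counters:", nodes["mx"].hits)
```

With the static routes present, the allowed flow goes router → MX → delivered and the reply comes back MX → router → delivered. Without them, the forward packet still arrives and the allow rule's hit counter still increments (which is why the ACL counters looked healthy in the original post), but the reply leaves the MX via the 0.0.0.0/0 route towards the WAN, which is exactly the asymmetric return path a capture on the MX's uplink would reveal. The 192.168.0.0/24 flow is stopped at the MX by the deny rule before any routing decision is made.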
