Hello all,
I have multiple SSIDs and I have VLANs configured for each SSID. This is working fine; however, I want to configure a rule on the MX to stop traffic passing to the other VLANs, as they are protected.
I have created a deny rule on the Meraki MX for outbound (as I understand it) restricting the VLANs. The rule was: source VLAN 1, destination VLAN 2, any, any, deny.
However, I can still ping devices on the other VLAN. Any pointers, please?
Could you please confirm if the deny rule has been applied under Firewall & Traffic Shaping in the Wireless section? To check, navigate to Wireless > Configure > Firewall & Traffic Shaping.
Just a quick reminder—when setting up the deny rule for VLAN traffic, you'll need to apply the rule separately for each SSID.
I've just applied the rule at the MX firewall, not at the wireless firewall.
Apply the rule on a single SSID first and check if it works as expected. You can do this by navigating to Wireless > Configure > Firewall & Traffic Shaping for the specific SSID and adding the rule there.
Like this
Are you testing using the MX appliance ping tool or actually a device in the VLAN pinging across to the other VLAN?
The MX appliance ping test tool will not be blocked by the layer 3 outbound firewall policies.
Pinging from a device in VLAN 1 to a device in VLAN 2.
You can see below the top two rules that block the IoT VLAN from talking to the default VLAN except for a very specific case:
Sorted, thank you - I rebooted the MX and it's now working fine.
Bear in mind that, for the majority of flows, recent MX firmware does block traffic through a new rule, pretty much immediately. In my experience it's only ICMP that needs to age / be removed from current flow tables to function. So if you don't use ping as your test, you'll probably find that traffic fails straight away.
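As an added illustration of the rule-ordering point made above (an allow for one specific case placed above the broad IoT-to-default-VLAN deny), and of the original poster's VLAN 1 to VLAN 2 deny, here is a small first-match evaluator written for this reply; it is not Meraki's code or anyone's actual configuration. The VLAN numbering, the subnets, the "print server on TCP 9100" exception, and the `VLAN(n).*` object syntax and `l3FirewallRules` payload shape are assumptions made for the example.

```python
"""First-match evaluation of MX-style L3 outbound firewall rules (added example).

Models what the dashboard does with an ordered rule list: the first rule
whose protocol, source and destination match decides the flow, and a flow
that matches nothing falls through to the implicit default allow.
"""
import ipaddress
from dataclasses import dataclass

# Constructed VLAN-to-subnet mapping for the example (assumption, not from the thread).
VLAN_SUBNETS = {1: "192.168.1.0/24", 2: "192.168.2.0/24"}


@dataclass
class Rule:
    comment: str
    policy: str        # "allow" or "deny"
    protocol: str      # "any", "tcp", "udp" or "icmp"
    src_cidr: str      # a CIDR, "Any", or a VLAN object such as "VLAN(2).*"
    dest_cidr: str
    dest_port: str = "Any"   # "Any" or a comma-separated port list


def _expand(cidr: str) -> ipaddress.IPv4Network:
    """Resolve a VLAN object to its subnet, 'Any' to 0.0.0.0/0, else parse the CIDR."""
    if cidr.startswith("VLAN(") and cidr.endswith(").*"):
        vlan_id = int(cidr[5:cidr.index(")")])
        return ipaddress.ip_network(VLAN_SUBNETS[vlan_id])
    if cidr.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(cidr, strict=False)


def _port_matches(rule_port: str, port) -> bool:
    if rule_port.lower() == "any":
        return True
    return any(int(p.strip()) == port for p in rule_port.split(","))


def evaluate(rules, src_ip, dst_ip, protocol, dst_port=None):
    """Return (policy, comment) of the first matching rule, or the default allow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if src not in _expand(r.src_cidr) or dst not in _expand(r.dest_cidr):
            continue
        # Ports only mean something for TCP/UDP rules.
        if r.protocol in ("tcp", "udp") and not _port_matches(r.dest_port, dst_port):
            continue
        return r.policy, r.comment
    return "allow", "implicit default allow"


# Rules in dashboard order: the narrow exception sits ABOVE the broad deny.
RULES = [
    Rule("IoT printer to print server", "allow", "tcp", "VLAN(2).*", "192.168.1.10/32", "9100"),
    Rule("Block IoT VLAN to default VLAN", "deny", "any", "VLAN(2).*", "VLAN(1).*"),
]


def to_dashboard_payload(rules):
    """Shape the list as the JSON body for a PUT to the network's l3FirewallRules."""
    return {"rules": [{
        "comment": r.comment, "policy": r.policy, "protocol": r.protocol,
        "srcCidr": r.src_cidr, "srcPort": "Any",
        "destCidr": r.dest_cidr, "destPort": r.dest_port,
        "syslogEnabled": r.policy == "deny",   # log denies so blocked tests show up
    } for r in rules]}


if __name__ == "__main__":
    print(evaluate(RULES, "192.168.2.50", "192.168.1.10", "tcp", 9100))   # allow (exception)
    print(evaluate(RULES, "192.168.2.50", "192.168.1.20", "icmp"))        # deny
    print(evaluate(list(reversed(RULES)), "192.168.2.50", "192.168.1.10", "tcp", 9100))  # deny
```

Swapping the two rules turns the printer exception into a dead rule, because the deny above it already matched; that is the ordering the screenshot in the thread relies on. The evaluator is stateless by design, so it also shows why a ping that was already flowing can look like the rule "isn't working" for a while: the decision here is made per packet, whereas the MX tracks flows, as the last reply explains.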