Hi Nash, 

Yes, I have Site to Site VPN setup to a number of remote sites. 

The firewall rules setup are under Security & SDWAN-Firewall there to deny tcp 10.0.0.0/8 to my current site management vlan. 

However my remote sites still allow to RDP and web to current site management vlan. 

Thank you. 

Oh I see, okay.

Is your management network participating in the VPN? Does it need to be accessible by any remote sites?

Hi Nash, 

These are server and non-meraki switch management subnet and it did participate in VPN. 

My target is to allow several HUB subnet to manage the local management server, and deny tcp 10.0.0.0/8 to access this management. So other remote sites cannot access into the management subnet. 

I saw there are site-to-site outbound firewall and site-to-site inbound firewall. 

How should i do in this situation? 

Thank you. 

I have these 2 rules under Security & SD-WAN under firewall already, but it didn't take effect. 

My target is to allow several HUB subnet to manage the local management subnet, and deny tcp 10.0.0.0/8 to access this local management. So other remote sites cannot access into the management subnet server. 

I have another rules under firewall to block local LAN subnet to access local management, it work perfectly in Security & SD-WAN under firewall. 

Thank you. 

---

@HiroNg wrote:

Hi Nash, 

 

These are server and non-meraki switch management subnet and it did participate in VPN. 

My target is to allow several HUB subnet to manage the local management server, and deny tcp 10.0.0.0/8 to access this management. So other remote sites cannot access into the management subnet. 

 

I saw there are site-to-site outbound firewall and site-to-site inbound firewall. 

 

How should i do in this situation? 

 

Thank you. 

 

 

---

Only use the site-to-site outbound firewall rules. The inbound site-to-site firewall rules are not applied, see the note here

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior#Note_-_...: Note that there is currently a section for inbound firewall rules displayed in the Meraki dashboard. However, inbound firewall rules cannot be configured, and this is an error which will be resolved in a future dashboard update. Any rules saved in this field will not be preserved and will have no effect.

If I understand your question correctly, you should setup the site-to-site outbound firewall with 10.0.0.0/8 as a source address and the management VLAN subnet as destination. That should work. However note that RDP may also use UDP instead of TCP. In that case it would circumvent your TCP rule.

Hi Nash,

i read the URL you sent, it did mentioned  

(This rule will never be applied as the source subnet is not a LAN subnet on the MX:)

if i put deny tcp 10.0.0.0/8 as source and local management as destination, it will not work right?

Thank you.

---

@HiroNg wrote:

Hi Nash,

 

i read the URL you sent, it did mentioned  

 

(This rule will never be applied as the source subnet is not a LAN subnet on the MX:)

 

if i put deny tcp 10.0.0.0/8 as source and local management as destination, it will not work right?

 

Thank you.

---

That comment relates to a 3rd party VPN tunnel where the subnet defined as the source is indeed not local to any of the MX's so the rule would be ignored. If I followed correctly, in your case it's autoVPN between MX's in a hub-and-spoke setup. The source subnet would be the local subnet on your branch so that is "local" to your branch MX. So it should work.

I added, it is working. remote site cannot access to local management subnet now, only certain authorize hub subnet can access management subnet. 

I thinking, i have added the rules in Security & SD-WAN --> Firewall, why it didn't function as it is. So the firewall rules doesn't function for site-to-site VPN? 

Thank you. 

Regards,

Collin Ng

Hi Nash, 

Got it. It should solve my issue now. 

Thank you.