@HiroNg wrote:
Hi Nash,
This is the server and non-Meraki switch management subnet, and it does participate in the VPN.
My target is to allow several hub subnets to manage the local management server, and to deny TCP from 10.0.0.0/8 to this management subnet, so that other remote sites cannot access the management subnet.
I see there are site-to-site outbound firewall rules and site-to-site inbound firewall rules.
What should I do in this situation?
Thank you.
Only use the site-to-site outbound firewall rules. The inbound site-to-site firewall rules are not applied; see the note here:
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior#Note_-_...: "Note that there is currently a section for inbound firewall rules displayed in the Meraki dashboard. However, inbound firewall rules cannot be configured, and this is an error which will be resolved in a future dashboard update. Any rules saved in this field will not be preserved and will have no effect."
If I understand your question correctly, you should set up the site-to-site outbound firewall with 10.0.0.0/8 as the source address and the management VLAN subnet as the destination. That should work. However, note that RDP may also use UDP instead of TCP; in that case it would circumvent your TCP rule.
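The rule set the reply describes, written out as an added example that is not part of the thread and not Meraki's own code: the hub allows go first, the 10.0.0.0/8 deny comes after them, and a small first-match evaluator shows why the order matters and why a TCP-only deny lets RDP over UDP 3389 through. The rule dictionaries use the field names of the Dashboard API v1 organization VPN firewall rules object as I understand them from the public documentation (assumed here, and the block never calls the API); the management subnet, hub subnets and test flows are constructed for illustration.

```python
import ipaddress

# Constructed example addresses (not from the thread): the spoke's
# management VLAN and the two hub subnets that may manage it.
MGMT_SUBNET = "10.50.10.0/24"
HUB_SUBNETS = ["10.1.0.0/24", "10.2.0.0/24"]


def make_rule(comment, policy, protocol, src, dst, dport="Any", syslog=False):
    """One rule in the field layout of the Dashboard API v1 VPN firewall
    rules object (field names assumed from the public API documentation)."""
    return {
        "comment": comment,
        "policy": policy,          # "allow" or "deny"
        "protocol": protocol,      # "tcp", "udp", "icmp" or "any"
        "srcCidr": src,
        "srcPort": "Any",
        "destCidr": dst,
        "destPort": dport,
        "syslogEnabled": syslog,
    }


def build_rules(mgmt_subnet, hub_subnets, deny_protocol="any"):
    """Ordered rule list: hub allows first, then the 10/8 deny.
    deny_protocol="tcp" reproduces the TCP-only rule from the question."""
    rules = [
        make_rule(f"Allow hub {hub} to management VLAN", "allow", "any", hub, mgmt_subnet)
        for hub in hub_subnets
    ]
    rules.append(
        make_rule("Deny all other 10/8 sources to management VLAN",
                  "deny", deny_protocol, "10.0.0.0/8", mgmt_subnet, syslog=True)
    )
    return rules


def _cidr_match(spec, addr):
    """'Any' or a comma-separated list of CIDRs, as the dashboard accepts."""
    if spec.lower() == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_match(spec, port):
    """'Any', single ports or ranges such as '3389,5900-5910'."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation, top-down like the dashboard list; the
    site-to-site VPN rule set ends with an implicit 'allow any'."""
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != proto:
            continue
        if not _cidr_match(rule["srcCidr"], src):
            continue
        if not _cidr_match(rule["destCidr"], dst):
            continue
        if not _port_match(rule["destPort"], dport):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "default rule"


if __name__ == "__main__":
    rules = build_rules(MGMT_SUBNET, HUB_SUBNETS)
    tcp_only = build_rules(MGMT_SUBNET, HUB_SUBNETS, deny_protocol="tcp")
    flows = [  # constructed test flows
        ("tcp", "10.1.0.9", "10.50.10.20", 3389),   # hub -> management, RDP
        ("tcp", "10.99.1.5", "10.50.10.20", 3389),  # other spoke -> management
        ("udp", "10.99.1.5", "10.50.10.20", 3389),  # other spoke, RDP over UDP
        ("tcp", "10.99.1.5", "10.50.20.7", 443),    # other spoke -> non-mgmt VLAN
    ]
    for flow in flows:
        print(flow, "any-proto deny:", evaluate(rules, *flow)[0],
              "| tcp-only deny:", evaluate(tcp_only, *flow)[0])
```

Reversing the list (deny before the hub allows) blocks the hubs too, which is the ordering mistake to check for before saving; and because the deny rule is `protocol: any` rather than `tcp`, the UDP 3389 case the reply warns about is covered as well.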