MX84 thinks it lost connection to Meraki cloud

Solved
tantony
Head in the Cloud

We've been getting lots of DoS attacks on our Comcast router, so I changed the firewall on the Comcast router from minimum to maximum hoping this will prevent more DoS attacks.


I noticed that when I have the Comcast firewall to maximum, Meraki thinks it lost connection to the Meraki Cloud, but obviously not because I can surf the internet.  When I switch the Comcast router firewall to minimum, Meraki regains connection back to the cloud (even though it never lost connection).


Any recommendations?  Is it a good idea to have the Comcast / ISP router firewall set to maximum?  Is there a way to make the MX84 aware it is connected to the cloud?

1 Accepted Solution
BrechtSchamp
Kind of a big deal

It's not because you have access to the internet that the MX has (full) access to the cloud.


In your dashboard, Help > Firewall Info shows the firewall settings needed for everything to function correctly.


The cloud connection mainly needs outgoing UDP to port 7351 on a bunch of addresses.


More info here:

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...


You can pretty much block all incoming connections (packets that are responses will normally be let through thanks to stateful firewalling). But a real DDoS is hard to stop without specialized technologies.


I suppose the maximum security setting on the Comcast blocks certain outgoing connections... but that won't help stop the DoS attacks. Perhaps you can specifically add Allow rules in the Comcast with the above info.

View solution in original post
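To make the accepted answer's point concrete, here is an added example (not code from the thread or from Meraki) modelling a stateful firewall with two rule profiles: an assumed "maximum" profile that only lets web traffic out, and one that keeps the same block-all-inbound posture but explicitly allows outbound UDP 7351. The rule semantics, the profile contents and the TEST-NET addresses are all constructed assumptions, not Comcast's actual configuration.

```python
from collections import namedtuple
from typing import Iterable

MERAKI_CLOUD_UDP_PORT = 7351  # outbound UDP port the answer above names

# direction: "out" (LAN->WAN) or "in"; proto: "udp"/"tcp"/"any"; dport None = any port
Rule = namedtuple("Rule", "direction proto dport action")
Packet = namedtuple("Packet", "direction proto src sport dst dport")


class StatefulFirewall:
    """First matching rule wins, default deny. Replies to flows the LAN side
    opened are allowed regardless of the inbound rules (stateful matching)."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.flows = set()  # (proto, lan_ip, lan_port, wan_ip, wan_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"  # reply to a flow we already let out
        for r in self.rules:
            if (r.direction == p.direction and r.proto in (p.proto, "any")
                    and r.dport in (p.dport, None)):
                if r.action == "allow" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"


# Assumed shape of an ISP "maximum" profile: only web traffic may leave.
MAXIMUM_PROFILE = [Rule("out", "tcp", 80, "allow"), Rule("out", "tcp", 443, "allow"),
                   Rule("in", "any", None, "deny"), Rule("out", "any", None, "deny")]
# Same inbound posture, plus an explicit allow for the cloud check-in port.
RECOMMENDED_PROFILE = [Rule("out", "udp", MERAKI_CLOUD_UDP_PORT, "allow"),
                       Rule("out", "tcp", 443, "allow"), Rule("in", "any", None, "deny")]


def evaluate(rules: Iterable[Rule]) -> dict:
    """Push a constructed MX check-in, its reply, and an unsolicited inbound
    probe (TEST-NET addresses) through a firewall built from `rules`."""
    fw = StatefulFirewall(rules)
    checkin = Packet("out", "udp", "192.0.2.10", 40000, "203.0.113.5", MERAKI_CLOUD_UDP_PORT)
    reply = Packet("in", "udp", "203.0.113.5", MERAKI_CLOUD_UDP_PORT, "192.0.2.10", 40000)
    probe = Packet("in", "udp", "198.51.100.7", 5555, "192.0.2.10", MERAKI_CLOUD_UDP_PORT)
    return {"checkin": fw.decide(checkin), "reply": fw.decide(reply),
            "unsolicited": fw.decide(probe)}


if __name__ == "__main__":
    for name, rules in (("maximum", MAXIMUM_PROFILE), ("recommended", RECOMMENDED_PROFILE)):
        print(name, evaluate(rules))
```

With the "maximum" profile the check-in never leaves, so the reply is also dropped and the MX reports the cloud as unreachable even though browsing still works; the second profile lets the check-in and its reply through while the unsolicited probe is still denied.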
