When we purchased Meraki, we were told that we could create OT networks. These networks would be blocked from all other networks. This included the remote networks. We were also promised a way to access those networks using an amazing tool called Meraki group policy. The salesman told us how it worked: the local firewalls would be overwritten by the site-to-site firewalls. As he stated, it was Local, Network wide, and then Org. The pre-deployment manager agreed with him. He explained that the site-to-site was a network-wide item.

Thus, working through this logic, we set up local firewall rules to block local traffic. Then we set up site-to-site firewall rules to block traffic between the sites (mesh). Then we set up the group policies to allow access to the required users (vendors). However, this doesn't work as expected. The group policy does not overwrite the site-to-site. According to two techs, the site-to-site is an org level, which is higher than network wide. This has thrown a wrench in my full setup.

After speaking with two different support reps, I have been told by the reps that I can set up local firewall rules to block devices on the other side of the VPN. However, this isn't working either. I will give you an example of what they have told me.
Two cities: LA and Chicago
I placed these firewall rules on the local as explained to me by the support reps.
LA: Blocks all traffic on 10.10.100.0/24 (LA OT) going to 10.11.100.0/24 (Chicago Main)
LA: Blocks all traffic on 10.11.100.0/24 (Chicago Main) going to 10.10.100.0/24 (LA OT)
Chicago: Blocks all traffic on 10.10.100.0/24 (LA OT) going to 10.11.100.0/24 (Chicago Main)
Chicago: Blocks all traffic on 10.11.100.0/24 (Chicago Main) going to 10.10.100.0/24 (LA OT)
According to the reps, this should prevent all traffic from 10.11.100.0/24 to the 10.10.100.0/24 network and vice versa. However, I can ping from a machine level between the two networks.
How can I block traffic from one side of the VPN to the other side of the VPN with local firewall rules? Or is there a way to make the Meraki Group Policy overwrite the firewall rules somehow?
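As an added offline illustration (not code from the original post and not Meraki's own software), the script below models the four deny rules as an ordered, first-match L3 list and checks what that list would decide for the flows described in the post. The subnet values are the ones from the post; the host addresses, the rule field names (modelled on the Meraki dashboard API's L3 rule fields) and the helper names are assumptions. It evaluates the rule list in isolation and does not model which traffic path (local LAN egress or the site-to-site VPN) an MX applies a given list to.

```python
# Added example: ordered, first-match evaluation of L3 firewall rules
# of the kind described in the post. Not code from the original post.
from ipaddress import ip_address, ip_network

LA_OT = "10.10.100.0/24"      # LA OT subnet (from the post)
CHI_MAIN = "10.11.100.0/24"   # Chicago Main subnet (from the post)


def rule(policy, src, dst, protocol="any", comment=""):
    """Build one rule; field names modelled on the Meraki API (assumption)."""
    return {"policy": policy, "protocol": protocol, "srcCidr": src,
            "destCidr": dst, "comment": comment}


# The two local rules placed on each site's MX, as described in the post.
LA_RULES = [
    rule("deny", LA_OT, CHI_MAIN, comment="LA OT -> Chicago Main"),
    rule("deny", CHI_MAIN, LA_OT, comment="Chicago Main -> LA OT"),
]
CHICAGO_RULES = list(LA_RULES)  # the identical pair configured in Chicago


def _cidr_match(cidr, addr):
    """'Any' matches every address; otherwise test CIDR membership."""
    return cidr.lower() == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def evaluate(rules, src_ip, dst_ip, protocol="icmp"):
    """First matching rule wins; an implicit default-allow ends every list."""
    for r in rules:
        if r["protocol"] not in ("any", protocol):
            continue
        if _cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip):
            return r["policy"]
    return "allow"


def audit(rules, flows, protocol="icmp"):
    """Return {(src, dst): decision} for each constructed test flow."""
    return {(s, d): evaluate(rules, s, d, protocol) for s, d in flows}


if __name__ == "__main__":
    # Constructed sample hosts: the ping from the post, its reply direction,
    # and an LA OT host talking to another (constructed) LA subnet.
    flows = [("10.10.100.25", "10.11.100.40"),
             ("10.11.100.40", "10.10.100.25"),
             ("10.10.100.25", "10.10.1.50")]
    for (s, d), verdict in audit(LA_RULES, flows).items():
        print(f"{s} -> {d} (icmp): {verdict}")
```

If the list, evaluated this way, returns deny for the ping flow while the ping still succeeds, the rules are syntactically matching the traffic and the question becomes which path the MX applies that list to.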