Need help with firewall rules

RBIVAR
Just browsing

Need help with firewall rules

Team,

 

In short, I have 2 VLANs. 192.168.32.x and 172.16.1.y. All work well so far... 

172.16.1.y will be DMZ, while 192.168.32.x will be internal network...

so I've created firewall rules on the mx64 to deny any access from 172.16.1.y/24 to 192.168.32.x/24. Saved.

 

... I can still ping the internal network from a computer i've added on the DMZ. What am I missing?

 

from 172.16.1.11:

image.png

 

the rule on the MX64:

image.png

there are NO other rules before this one with any Allow statement for icmp.

 

thanks in advance for your help.

 

tks

Rafa

5 REPLIES 5
Ethical
New here

That rule is spot on. 

 

There should be no reason there is communication unless your switching has some funky layer 3 setup and is passing traffic between subnets before hitting the rule.

 

What is your switch setup?

PhilipDAth
Kind of a big deal
Kind of a big deal

Do either of the two machines have two NICs in them, one in each subnet?

interesting... but yes.

both are VMs running on same host, different vswitches.

 

host1-nic0 (192.168) <> MS220-1 <> MX64 <> MS220-2 <> host1-nic1

from a vswitch perspective, i have vswitch0 with nic0 -- 192.168 and vswitch1 with nic1 -- 172.16.

while pinging the devices, i could go to event log on meraki dashboard and it would show up the icmp traffic.

 

bump

I would personally connect 2 Pc's into the MX device on those subnets and see if you can speak to each other over them. This would rule out your MX doing anything funky then work back and you will find your problem. As right now there is no solid genuine answer why its not working. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels