Port Forwarding and Firewall Rules

SOLVED
Zac123
Here to help

Port Forwarding and Firewall Rules

Hi all:

 

Does any one know if Port forwarding rules are affected by Firewall rules?

 

Say I configure a port forwarding rule (on an MX with its WAN interface directly on the internet) to forward TCP 22 (SSH) to a server on a private subnet connected to the MX.  Then say I don't want someone from 1.2.3.4 to SSH in so I create a firewall rule that looks like this:

Zac123_0-1636499062550.png

 

Would someone from 1.2.3.4 still be able to SSH in?  I tried something like this, but with RDP and I could still RDP in even though I had a firewall rule preventing any source IP and sourcing from the RDP port to my public IP and it still worked.  It's as if the firewall rule isn't considered because of the port forward rule.

1 ACCEPTED SOLUTION
KarstenI
Kind of a big deal
Kind of a big deal

Meraki Support can enable a beta feature named "custom layer 3 inbound firewall rules" where you have more flexibility in controlling the inbound way similar to what is available now for outbound rules. Perhaps this feature is of benefit for you.

View solution in original post

5 REPLIES 5
KarstenI
Kind of a big deal
Kind of a big deal

The firewall rules are not for inbound traffic. They only control traffic from VLANs to the internet and between VLANs. That is the reason your tests did not block RDP.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

Brash
Kind of a big deal
Kind of a big deal

Adding to @KarstenI 's reply.

The firewall rule you've got in the screenshot is for SSH connections initiated inside your network with a destination of 1.2.3.4. It does not apply to SSH connections inbound from 1.2.3.4.

 

If you have inbound connections from specific IP's that you want to port forward, you can apply them in the port forwarding rule under "Allowed Remote IP's"

ww
Kind of a big deal
Kind of a big deal

At the port forwarding setting you can specify what remote ip is allowed.

 

You can also use a group policy assigned to vlan or  client

Zac123
Here to help

Thanks for the quick replies all!  That's too bad that I can't block that from the firewall page.  That seems like the most logical place to me.  I tried applying a group policy to the client and that worked as expected.  Another reason I wish the "firewall rule" way worked is because those can be logged.  I don't see an option to log hits on Group Policies.

KarstenI
Kind of a big deal
Kind of a big deal

Meraki Support can enable a beta feature named "custom layer 3 inbound firewall rules" where you have more flexibility in controlling the inbound way similar to what is available now for outbound rules. Perhaps this feature is of benefit for you.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels