Meraki

WaterBack · ‎Mar 12 2019

Hi all,

Is there a way to deny identified traffic that going through the VPN tunnel when the MX used it Cellular interface (USB), but this traffic is normally granted in the VPN tunnel when the MX use it primary WAN1 circuit ? This is to manage the data package on the LTE service to grant only business critical service.

jdsilva · ‎Mar 12 2019

@WaterBack Right! That was what I recall finding too. I was never able to find a way to enforce ACL's inside a VPN tunnel while the MX is using it's cellular interface only.

http://blog.brokennetwork.ca |

@jdsilva

View solution in original post

NolanHerring · ‎Mar 12 2019

You would have to use the firewall rules, specifically the cellular ones, to allow only what you want and then deny any any at the end.

Nolan Herring | nolanwifi.com

jdsilva · ‎Mar 12 2019

@NolanHerring wrote:
You would have to use the firewall rules, specifically the cellular ones, to allow only what you want and then deny any any at the end.

I think I tested this and the cellular FW rules were enforced AFTER traffic was IPsec encrypted, meaning you can't block specific flows inside the tunnel, only the tunnel itself.

I haven't checked this in a while, and my memory might be off... Can anyone confirm or deny?

http://blog.brokennetwork.ca |

@jdsilva

WaterBack · ‎Mar 12 2019

You are right if the traffic is not part of a VPN tunnel.

But base on the documentation:

When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic is only subject to the site-to-site firewall rules and is never subject to Layer 3 firewall rules.

Then, I do not think this is the way to go, but I'm may be in error since I never do that in a MX before.

jdsilva · ‎Mar 12 2019

@WaterBack Right! That was what I recall finding too. I was never able to find a way to enforce ACL's inside a VPN tunnel while the MX is using it's cellular interface only.

http://blog.brokennetwork.ca |

@jdsilva