Meraki

Community

Seeking Assistnace for Firewall/Port Access Across VLAN

Solved
jj_inno
Here to help
‎Mar 18 2021 6:36 AM
‎Mar 18 2021 6:36 AM

Seeking Assistnace for Firewall/Port Access Across VLAN

[ Greetings! ]

 

I am new to working within the Cisco environment, and though I like to believe I understand the theory of firewalls and ports, I am having trouble putting theory into practice.

 

At the moment I am attempting to get a UniFi set-up on one VLAN to communicate with a UniFi controller on another VLAN.

 

 

[ Situation ]

 

+ Items of Interest +

 * Meraki MX84

 * UniFi set-up (AGP, Gateway, etc)

 * UniFi controller

 

+ Environment +

 * UniFi set-up behind Meraki MX84 as VLAN 5

 * UniFi controller behind Meraki MX84 as VLAN 1 (the "general" default VLAN)

 * UniFi set-up and UniFi controller do not share the same port

 

 

+ Notes +

 * VLAN 5 can ping and connect with devices on other VLAN networks

 * VLAN's other than 5 cannot ping into anything within the VLAN 5 network

 

[ Goal ]

 

If I am correct, I need to open the appropriate ports to allow the UniFi set-up on VLAN 5 to communicate with the UniFi controller on VLAN 1.

 

My troubles are, I don't understand how ports work within the Meraki system. It isn't intuitive and some of it doesn't make sense (such as how all incoming traffic, by default, is blocked, yet all traffic flows into the VLANs?).

 

I'm guessing what I need to do, is create a Group Policy for VLAN 5 with Firewall Outbound rules that allow those specific ports to communicate from VLAN5 to VLAN1, and then create a policy for VLAN 1 to allow those ports to communicate back to VLAN 5.

 

OR

 

Add Port Forwarding rules within 1:1 NAT.

 

 

Any assistance here would be lovely. Please assume me dumb, as if examples and references need to be made.

0 Kudos
1 Accepted Solution
In response to MarcP
jj_inno
Here to help
‎Mar 23 2021 7:36 AM
‎Mar 23 2021 7:36 AM

The issue was that the Deny rule was listed first, and every rule after that was bound to the first rule, so nothing could communicate, because the first rule said to Deny All.

 

Though I recognize that the Deny rule is for VLAN 3, that appears to have been the issue, because everything worked after that, and I moved the rules around to check if that was the issue, and it appears that it was.

 

Screenshot (6).png

View solution in original post

0 Kudos
11 Replies 11
jj_inno
Here to help
‎Mar 18 2021 7:10 AM
‎Mar 18 2021 7:10 AM

I have tried opening Outbound ports within the Policy for the VLAN 5, as well as opening Outbound ports within the Firewall rules, with no success.

 

In fact, I just did a general opening of all ports/protocol types on both ends, but cannot communicate with anything on the VLAN 5 still.

0 Kudos
In response to jj_inno
MarcP
Kind of a big deal
‎Mar 18 2021 7:17 AM
‎Mar 18 2021 7:17 AM

ICMP not allowed? - same page as Outbound rules. Just a guess...

Another firewall in between which is blocking?

 

MarcP_0-1616077026375.png

 

0 Kudos
In response to MarcP
jj_inno
Here to help
‎Mar 18 2021 7:24 AM
‎Mar 18 2021 7:24 AM

Screenshot (25).png

0 Kudos
In response to jj_inno
ww
Kind of a big deal
Kind of a big deal
‎Mar 18 2021 8:20 AM
‎Mar 18 2021 8:20 AM

Meraki mx does not block anything between local vlans. 

Unless you have set some fw rules.

Did you create  a allow ping fw rule in the unify Gateway?

Can you Put them in the same vlan and see if it works then.?

0 Kudos
In response to ww
jj_inno
Here to help
‎Mar 18 2021 8:53 AM
‎Mar 18 2021 8:53 AM

[ Firewall Rules (found under Configuration) ]

 

Screenshot (26).png

 

[ Policy Rules Applied to VLAN 5 ]

 

Screenshot (27).png

0 Kudos
In response to jj_inno
MarcP
Kind of a big deal
‎Mar 19 2021 3:41 AM
‎Mar 19 2021 3:41 AM

Have you tried to put a device into vlan1 as well to check if it works, as @ww mentioned?

0 Kudos
In response to MarcP
jj_inno
Here to help
‎Mar 19 2021 7:43 AM
‎Mar 19 2021 7:43 AM

Oh! I missed that part! @ww My apologies

 

They were originally on the same VLAN and could communicate fine.

 

The change to a new VLAN has been a recent change.

0 Kudos
In response to jj_inno
MarcP
Kind of a big deal
‎Mar 22 2021 2:54 AM
‎Mar 22 2021 2:54 AM

Maybe there ist something blocked within the Unifi devices not allowing to get a connection from another vlan?

0 Kudos
In response to MarcP
jj_inno
Here to help
‎Mar 22 2021 5:13 AM
‎Mar 22 2021 5:13 AM

I'm not sure, though I will look further into that question.

 

Does this mean that the rules that I setup look correct at least?

0 Kudos
In response to jj_inno
MarcP
Kind of a big deal
‎Mar 22 2021 5:22 AM
‎Mar 22 2021 5:22 AM

I don´t work with FW Rules on Meraki side... But as the last rule is any any allow, only the deny will take real effect.

 

With these allow rules you just can see the hit counter going up, which is good as well, in some cases.

In response to MarcP
jj_inno
Here to help
‎Mar 23 2021 7:36 AM
‎Mar 23 2021 7:36 AM

The issue was that the Deny rule was listed first, and every rule after that was bound to the first rule, so nothing could communicate, because the first rule said to Deny All.

 

Though I recognize that the Deny rule is for VLAN 3, that appears to have been the issue, because everything worked after that, and I moved the rules around to check if that was the issue, and it appears that it was.

 

Screenshot (6).png

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.