Seeking Assistance for Firewall/Port Access Across VLAN

SOLVED
jj_inno
Here to help

[ Greetings! ]
I am new to working within the Cisco environment, and though I like to believe I understand the theory of firewalls and ports, I am having trouble putting theory into practice.
At the moment I am attempting to get a UniFi set-up on one VLAN to communicate with a UniFi controller on another VLAN.
[ Situation ]
+ Items of Interest +

 * Meraki MX84

 * UniFi set-up (AGP, Gateway, etc)

 * UniFi controller
+ Environment +

 * UniFi set-up behind Meraki MX84 as VLAN 5

 * UniFi controller behind Meraki MX84 as VLAN 1 (the "general" default VLAN)

 * UniFi set-up and UniFi controller do not share the same port
+ Notes +

 * VLAN 5 can ping and connect with devices on other VLAN networks

 * VLANs other than 5 cannot ping into anything within the VLAN 5 network

[ Goal ]
If I am correct, I need to open the appropriate ports to allow the UniFi set-up on VLAN 5 to communicate with the UniFi controller on VLAN 1.

My trouble is that I don't understand how ports work within the Meraki system. It isn't intuitive and some of it doesn't make sense (such as how all incoming traffic, by default, is blocked, yet all traffic flows into the VLANs?).
I'm guessing what I need to do is create a Group Policy for VLAN 5 with Firewall Outbound rules that allow those specific ports to communicate from VLAN 5 to VLAN 1, and then create a policy for VLAN 1 to allow those ports to communicate back to VLAN 5.

OR

Add Port Forwarding rules within 1:1 NAT.

Any assistance here would be lovely. Please assume I'm dumb, as if examples and references need to be made.

1 ACCEPTED SOLUTION

The issue was that the Deny rule was listed first, and every rule after that was bound to the first rule, so nothing could communicate, because the first rule said to Deny All.

Though I recognize that the Deny rule is for VLAN 3, that appears to have been the issue, because everything worked after that, and I moved the rules around to check if that was the issue, and it appears that it was.

(screenshot attached: Screenshot (6).png)
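The accepted solution comes down to the MX evaluating its layer 3 firewall rules top-down with first match winning, so a broad deny placed above the allow rules shadows every one of them, while the same deny scoped to VLAN 3 and placed last leaves VLAN 5 to VLAN 1 traffic alone. The evaluator below is an added example, not code from this thread or from Meraki; the VLAN subnets and the UniFi ports it uses (inform on TCP 8080, STUN on UDP 3478) are assumptions, since the thread never names them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the per-VLAN subnets are assumptions, not from the thread.
VLAN_SUBNETS = {1: "192.168.1.0/24", 3: "192.168.3.0/24", 5: "192.168.5.0/24"}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "any", "tcp", "udp" or "icmp"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    dport: str    # destination port as a string, or "any"


def _match(field, value):
    return field == "any" or field == value


def _net_match(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; returns (action, rule index).
    No match falls through to the implicit final 'allow any any' (index None)."""
    for i, r in enumerate(rules):
        if (_match(r.proto, proto) and _net_match(r.src, src_ip)
                and _net_match(r.dst, dst_ip) and _match(r.dport, str(dport))):
            return r.action, i
    return "allow", None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule has
    every field either 'any' or identical to theirs."""
    fields = ("proto", "src", "dst", "dport")
    return [i for i, r in enumerate(rules)
            if any(all(getattr(e, f) in ("any", getattr(r, f)) for f in fields)
                   for e in rules[:i])]


# Ports are UniFi's documented defaults (inform TCP 8080, STUN UDP 3478); assumed here.
DENY_ALL = Rule("deny", "any", "any", "any", "any")
DENY_VLAN3 = Rule("deny", "any", VLAN_SUBNETS[3], "any", "any")
ALLOW_INFORM = Rule("allow", "tcp", VLAN_SUBNETS[5], VLAN_SUBNETS[1], "8080")
ALLOW_STUN = Rule("allow", "udp", VLAN_SUBNETS[5], VLAN_SUBNETS[1], "3478")

BROKEN = [DENY_ALL, ALLOW_INFORM, ALLOW_STUN]   # deny on top: the allows are never reached
FIXED = [ALLOW_INFORM, ALLOW_STUN, DENY_VLAN3]  # allows first, deny scoped to VLAN 3 and last

if __name__ == "__main__":
    ap = ("tcp", "192.168.5.10", "192.168.1.20", 8080)  # AP on VLAN 5 -> controller on VLAN 1
    print("broken:", evaluate(BROKEN, *ap), "shadowed:", shadowed_rules(BROKEN))
    print("fixed: ", evaluate(FIXED, *ap), "shadowed:", shadowed_rules(FIXED))
```

`shadowed_rules` is the check worth running before saving a rule set: any index it returns is a rule the dashboard hit counter will never increment.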

11 REPLIES
jj_inno
Here to help

I have tried opening Outbound ports within the Policy for the VLAN 5, as well as opening Outbound ports within the Firewall rules, with no success.
In fact, I just did a general opening of all ports/protocol types on both ends, but cannot communicate with anything on the VLAN 5 still.

MarcP
Kind of a big deal

ICMP not allowed? - same page as Outbound rules. Just a guess...

Another firewall in between which is blocking?

(screenshots attached: MarcP_0-1616077026375.png, Screenshot (25).png)

ww
Kind of a big deal

Meraki MX does not block anything between local VLANs.

Unless you have set some FW rules.

Did you create an allow-ping FW rule in the UniFi Gateway?

Can you put them in the same VLAN and see if it works then?

jj_inno
Here to help

[ Firewall Rules (found under Configuration) ]

(screenshot attached: Screenshot (26).png)

[ Policy Rules Applied to VLAN 5 ]

(screenshot attached: Screenshot (27).png)

MarcP
Kind of a big deal

Have you tried to put a device into vlan1 as well to check if it works, as @ww mentioned?

jj_inno
Here to help

Oh! I missed that part! @ww, my apologies.

They were originally on the same VLAN and could communicate fine.

The change to a new VLAN has been a recent change.

MarcP
Kind of a big deal

Maybe there is something blocked within the UniFi devices, not allowing a connection from another VLAN?

jj_inno
Here to help

I'm not sure, though I will look further into that question.

Does this mean that the rules I set up look correct, at least?

MarcP
Kind of a big deal

I don't work with FW rules on the Meraki side... But as the last rule is any any allow, only the deny will take real effect.

With these allow rules you can just see the hit counter going up, which is good as well, in some cases.
