Meraki

Community

Singling out Internet for MX Firewall Rules

etb
Getting noticed
‎Dec 31 2019 2:51 PM
‎Dec 31 2019 2:51 PM

Singling out Internet for MX Firewall Rules

This seems like a remedial question, but I have looked through the configuration guides and these forums, and don't feel that I have a clear answer.

 

Is there a way to single out the Internet (uplink ports 1 and 2) in MX firewall rules?  For example, if I have one VLAN (let's call it VLAN3) that I want to be able to access the Internet (outbound), but I want to restrict that VLAN3 from accessing any of my other local VLAN's, what is the best way to accomplish that?

 

My intention is to have a "Deny All" rule at the end, so all traffic that will be permitted will require explicit "allow" rules.  For this specific example above, I assume that I could create an "Allow Any" rule to permit outbound access to the internet from this VLAN3.  But then I would need to create another "deny" rule above that one to deny access to any of the other local VLAN's.  For example:
1  Deny  Any  VLAN3  Any  VLAN1, VLAN2, VLAN4  Any    (deny access to all local VLAN's)
2  Allow  Any  VLAN3  Any  Any  Any     (allow access to the internet)
3  Deny  Any  Any  Any  Any  Any     (default deny all)

 

It would be easier and less prone to error if I could simply have one rule that only allows access to the uplink ports (and nothing else).  For example:
1  Allow  Any  VLAN3  Any  [uplink ports]  Any     (only allow access to the internet)
2  Deny  Any  Any  Any  Any  Any     (default deny all)

 

Is this possible, or is there a better way?

 

My internet connections are cable and DSL modems, so nothing fancy.  I tried configuring my global IP addresses from my ISP's as small VLAN's in my MX, but it didn't seem to like that.  And I'm not sure how that plays with things like the automatic PAT and failover and stuff.

0 Kudos
3 Replies 3
AjitKumar
Head in the Cloud
‎Dec 31 2019 5:35 PM
‎Dec 31 2019 5:35 PM

Hi @etb 

I understand the configuration 1 suggested by you shall be the way out.

I do not see any other better means except to Deny Inter VLAN communication.

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 31 2019 8:45 PM
‎Dec 31 2019 8:45 PM

You can apply group policies via VLAN.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 

 

Rather than create rules to block access to the other specific VLANs, block access to all RFC1918 address space, of if all your VLANS are in once chunk of space (such as 192.168.x.x) block access to all of that (192.168.0.0/16) with one simple rule.

In response to PhilipDAth
etb
Getting noticed
‎Jan 3 2020 11:37 PM
‎Jan 3 2020 11:37 PM

Thanks.  Blocking access to all private address space is definitely more elegant than what I was thinking.  It would still be better if it was possible to directly allow traffic to just the internet/uplink, but this can work.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.