Singling out Internet for MX Firewall Rules

Here to help


This seems like a remedial question, but I have looked through the configuration guides and these forums, and don't feel that I have a clear answer.


Is there a way to single out the Internet (uplink ports 1 and 2) in MX firewall rules?  For example, if I have one VLAN (let's call it VLAN3) that I want to be able to access the Internet (outbound), but I want to restrict that VLAN3 from accessing any of my other local VLANs, what is the best way to accomplish that?


My intention is to have a "Deny All" rule at the end, so all traffic that will be permitted will require explicit "allow" rules.  For this specific example above, I assume that I could create an "Allow Any" rule to permit outbound access to the internet from this VLAN3.  But then I would need to create another "deny" rule above that one to deny access to any of the other local VLANs.  For example:
#  Policy  Protocol  Source  Src port  Destination          Dst port  Comment
1  Deny    Any       VLAN3   Any       VLAN1, VLAN2, VLAN4  Any       (deny access to all local VLANs)
2  Allow   Any       VLAN3   Any       Any                  Any       (allow access to the internet)
3  Deny    Any       Any     Any       Any                  Any       (default deny all)


It would be easier and less prone to error if I could simply have one rule that only allows access to the uplink ports (and nothing else).  For example:
#  Policy  Protocol  Source  Src port  Destination     Dst port  Comment
1  Allow   Any       VLAN3   Any       [uplink ports]  Any       (only allow access to the internet)
2  Deny    Any       Any     Any       Any             Any       (default deny all)


Is this possible, or is there a better way?


My internet connections are cable and DSL modems, so nothing fancy.  I tried configuring my global IP addresses from my ISPs as small VLANs in my MX, but it didn't seem to like that.  And I'm not sure how that plays with things like the automatic PAT and failover and stuff.

Head in the Cloud

Hi @etb 

I understand that configuration 1, as suggested by you, shall be the way out.

I do not see any other better means except to Deny Inter VLAN communication.


Kind of a big deal

You can apply group policies via VLAN. 


Rather than create rules to block access to the other specific VLANs, block access to all RFC1918 address space, or if all your VLANs are in one chunk of space (such as 192.168.x.x) block access to all of that with one simple rule.

Thanks.  Blocking access to all private address space is definitely more elegant than what I was thinking.  It would still be better if it was possible to directly allow traffic to just the internet/uplink, but this can work.
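The two rule sets from this thread (the original poster's three-rule version that names each local VLAN, and the suggested version that denies all RFC 1918 space in one rule) evaluated side by side over a few constructed flows, as an added example that is not part of the original posts and not Meraki's own rule engine. The VLAN subnets (one 192.168.x.0/24 per VLAN), the flows, and the use of the TEST-NET-3 address 203.0.113.10 as the "internet" destination are assumptions for the example. The point it brings out beyond the posts: with top-down first-match evaluation, the two rule sets agree on every named VLAN, but they differ for a private destination the explicit version does not list (here a 10.0.0.0/8 address), which the RFC 1918 rule still blocks. The converse caveat applies too: a local network numbered outside RFC 1918 space would not be covered by that single rule and would need its own deny line.

```python
"""Added example: first-match evaluation of the two MX-style L3 rule sets
discussed above. Illustrative Python, not Meraki firmware or an official
API. Addressing and flows are constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumption): one /24 per VLAN.
VLANS = {
    "VLAN1": ip_network("192.168.1.0/24"),
    "VLAN2": ip_network("192.168.2.0/24"),
    "VLAN3": ip_network("192.168.3.0/24"),  # the VLAN that may only reach the internet
    "VLAN4": ip_network("192.168.4.0/24"),
}

# RFC 1918 private address space, the target of the suggested single deny rule.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

ANY = [ip_network("0.0.0.0/0")]


def rule(policy, src, dst, comment):
    """One L3 rule; protocol and ports are 'Any' as in the thread's examples."""
    return {"policy": policy, "src": src, "dst": dst, "comment": comment}


# Rule set 1: the original poster's version, naming each other local VLAN.
RULES_EXPLICIT = [
    rule("deny", [VLANS["VLAN3"]],
         [VLANS["VLAN1"], VLANS["VLAN2"], VLANS["VLAN4"]], "deny local VLANs"),
    rule("allow", [VLANS["VLAN3"]], ANY, "allow internet"),
    rule("deny", ANY, ANY, "default deny"),
]

# Rule set 2: the suggested version, one deny covering all RFC 1918 space.
RULES_RFC1918 = [
    rule("deny", [VLANS["VLAN3"]], RFC1918, "deny all private space"),
    rule("allow", [VLANS["VLAN3"]], ANY, "allow internet"),
    rule("deny", ANY, ANY, "default deny"),
]


def _matches(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst):
    """Walk the rules top-down; the first rule matching both ends decides.

    Returns (policy, comment). Both rule sets end in a default deny, so a
    flow always matches something; the ValueError guards against a rule set
    built without that last line.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _matches(s, r["src"]) and _matches(d, r["dst"]):
            return r["policy"], r["comment"]
    raise ValueError("no rule matched: rule set lacks a default deny")


# Constructed sample flows (source, destination).
FLOWS = {
    "to internet": ("192.168.3.20", "203.0.113.10"),
    "to VLAN1": ("192.168.3.20", "192.168.1.10"),
    "to VLAN4": ("192.168.3.20", "192.168.4.10"),
    # Edge case: private space the explicit rule set does not name.
    "to unlisted 10/8": ("192.168.3.20", "10.50.0.5"),
    # A source other than VLAN3 falls through to the default deny.
    "VLAN1 to internet": ("192.168.1.10", "203.0.113.10"),
}


def compare():
    """Return {flow name: (verdict under RULES_EXPLICIT, verdict under RULES_RFC1918)}."""
    return {
        name: (evaluate(RULES_EXPLICIT, *f)[0], evaluate(RULES_RFC1918, *f)[0])
        for name, f in FLOWS.items()
    }


if __name__ == "__main__":
    for name, (explicit, rfc) in compare().items():
        print(f"{name:18}  explicit={explicit:5}  rfc1918={rfc}")
```

Run as a script it prints one line per flow; the "to unlisted 10/8" line is the one where the two approaches disagree, which is the case to keep in mind when choosing between naming each VLAN and denying a whole address range.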
