Meraki Community

Fabian1

Hi everyone,

I'm just wondering what firewall rules (VPN or basic layer 3) are used when you define destinations, that are not going over the 0.0.0.0/0 default 3rd party VPN tunnel.

I configured local internet breakout for the Meraki cloud connect and I'm not sure if I still have to add the Meraki ports in the VPN firewall or the firewall for internet traffic, or maybe both... Couldn't find the documentation here...

Thank you

Fabian1

Answer from support:

When MX matches the local internet breakout rule for the traffic, it sends it outbound locally via WAN and not via Site-to-site VPN. This means that the outbound firewall rules will be considered (Security & SD-WAN → Firewall page), not the S2S VPN rules (Security & SD-WAN → Site-to-site VPN page).

View solution in original post

alemabrahao

Sorry, but I didn't quite understand your question.

Like this ? "I'm not sure if I still need to add the Meraki ports in the VPN firewall or in the firewall for Internet traffic"

Can you contextualize it a little better?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Fabian1

There are two firewalls on the MX, the site-to-site vpn outbout firewall and the firewall under configuration.

For vpn traffic, you have to configure the vpn firewall

alemabrahao

Sorry, but I still don't understand.

Do you have 2 different MXes, one just for the S2S VPN and the other for the internet?

Why that?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Fabian1

No, I have one MX

On that on MX I have configured a default route to a 3rd party vpn.

But I don't want the Meraki Cloud traffic (switch, access point behind the mx) being routed to the tunnel, that should go directly to the internet. I configured that under VPN Local Breakout.

Now I have to allow that traffic on Site-to-site outbound firewall or/and the layer 3 outbound firewall. Where do I have to configure that?

alemabrahao

If you don't want traffic from these devices to go through the tunnel, why don't you configure the VPN Exclusion Rules?

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Fabian1

I did that...

My question is, on which firewall I have to do the rules for the traffic to Meraki now, on the site-to-site VPN firewall or the "normal" firewall. It's both on the Meraki MX

I'm going to call the support

Fabian1

Answer from support:

When MX matches the local internet breakout rule for the traffic, it sends it outbound locally via WAN and not via Site-to-site VPN. This means that the outbound firewall rules will be considered (Security & SD-WAN → Firewall page), not the S2S VPN rules (Security & SD-WAN → Site-to-site VPN page).