Hi everyone,
I'm just wondering what firewall rules (VPN or basic layer 3) are used when you define destinations that are not going over the 0.0.0.0/0 default 3rd party VPN tunnel.
I configured local internet breakout for the Meraki cloud connect and I'm not sure if I still have to add the Meraki ports in the VPN firewall or the firewall for internet traffic, or maybe both... Couldn't find the documentation on this...
Thank you
There are two firewalls on the MX: the site-to-site VPN outbound firewall and the firewall under Configuration.
For VPN traffic, you have to configure the VPN firewall.
No, I have one MX.
On that one MX I have configured a default route to a 3rd party VPN.
But I don't want the Meraki Cloud traffic (switch, access point behind the mx) being routed to the tunnel, that should go directly to the internet. I configured that under VPN Local Breakout.
Now I have to allow that traffic on the site-to-site outbound firewall and/or the layer 3 outbound firewall. Where do I have to configure that?
If you don't want traffic from these devices to go through the tunnel, why don't you configure the VPN Exclusion Rules?
I did that...
My question is on which firewall I have to create the rules for the traffic to Meraki now: the site-to-site VPN firewall or the "normal" firewall. Both exist on the Meraki MX.
I'm going to call support.
Answer from support:
When MX matches the local internet breakout rule for the traffic, it sends it outbound locally via WAN and not via Site-to-site VPN. This means that the outbound firewall rules will be considered (Security & SD-WAN → Firewall page), not the S2S VPN rules (Security & SD-WAN → Site-to-site VPN page).
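A constructed model of the decision path the support answer describes, added here as an example and not Meraki's code or anything posted in the thread; the addresses, ports and rules are placeholders. It shows that a flow matching a breakout rule is only ever checked against the Layer 3 outbound firewall, so a rule placed in the S2S VPN firewall for that destination never fires, while the same destination on a port outside the breakout rule still goes into the tunnel:

```python
import ipaddress

# Constructed sample policy (placeholder networks, not real Meraki cloud addresses).
BREAKOUT_RULES = [          # VPN exclusion / local internet breakout
    {"dst": "203.0.113.0/24", "ports": {443}, "proto": "any"},
]
L3_OUTBOUND = [             # Security & SD-WAN -> Firewall (checked for WAN egress)
    {"action": "allow", "dst": "203.0.113.0/24", "ports": {443}, "proto": "any"},
    {"action": "deny",  "dst": "0.0.0.0/0", "ports": "any", "proto": "any"},
]
S2S_OUTBOUND = [            # Site-to-site VPN outbound firewall (checked for tunnel egress)
    {"action": "deny",  "dst": "203.0.113.0/24", "ports": "any", "proto": "any"},
    {"action": "allow", "dst": "0.0.0.0/0", "ports": "any", "proto": "any"},
]

def _matches(rule, dst_ip, dst_port, proto):
    """True when the flow's destination, port and protocol all match the rule."""
    in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])
    port_ok = rule["ports"] == "any" or dst_port in rule["ports"]
    proto_ok = rule["proto"] == "any" or rule["proto"] == proto
    return in_net and port_ok and proto_ok

def _evaluate(ruleset, dst_ip, dst_port, proto):
    """First-match evaluation; 'allow' if nothing matches (constructed default)."""
    for rule in ruleset:
        if _matches(rule, dst_ip, dst_port, proto):
            return rule["action"]
    return "allow"

def route_and_filter(dst_ip, dst_port, proto="tcp"):
    """Return (egress, firewall_consulted, verdict) for one outbound flow."""
    breakout = any(_matches(r, dst_ip, dst_port, proto) for r in BREAKOUT_RULES)
    if breakout:
        # Local breakout: leaves via WAN, only the Layer 3 outbound rules apply.
        return ("wan", "layer3_outbound", _evaluate(L3_OUTBOUND, dst_ip, dst_port, proto))
    # Default route into the 3rd party tunnel: only the S2S VPN outbound rules apply.
    return ("s2s_vpn", "vpn_outbound", _evaluate(S2S_OUTBOUND, dst_ip, dst_port, proto))

if __name__ == "__main__":
    for flow in (("203.0.113.10", 443), ("198.51.100.5", 443), ("203.0.113.10", 22)):
        print(flow, "->", route_and_filter(*flow))
```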