only site to site auto vpn and block internet usage

Here to help

only site to site auto vpn and block internet usage

How can I create site to site auto vpn between mx84 and mx64 but user can only access vpn and do not access internet.

1 Reply 1
Kind of a big deal

If I understand correctly you don't want your users to be able to access the internet, but you do want them to be able to reach out to the local subnets and the subnets of the other sites participating in the Site-to-Site VPN.


  • Close of the regular firewall in Firewall & SD-WAN > Firewall > Outbound Firewall by adding a Deny all rule.
  • And if needed, add allow rules for the local subnets of the site so communications between local VLANs for which the MX is routing will still work.
  • Then in Firewall & SD-WAN > Site-to-Site VPN there's another set of firewall rules for inbound and outbound traffic going over the site-to-site VPN tunnels, but these are open by default so that communication should already take place.

That's about it imo (I haven't tested this).


That should do the trick imo.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.