So here is a list of vlans I have. I need to keep them all from talking to each other but still access the internet. What's the most efficient way to accomplish this?
Do they need to talk to other devices on the same subnet?
You could play around with some deny statements and try to summarize the subnets.
there is 1 printer that they all need to talk to but i think that could be handled by a single allow statement.
Create a group policy and apply it directly to the VLAN.
In that group policy create layer 3 firewall rules denying access to the other VLANs. Depending on what the VLAN needs to talk to, you might be able to just block access to 10.0.0.0/8 and 192.168.1.0/24.
If you want to do this on the MX, I'd suggest first add your printer access rule. Then just add rules to block all LAN access for 10.0.0.0/19, 172.16.0.0/12, 192.168.0.0/16
Also, I did have to deny Local LAN access on the MR access points firewall to block communication between clients on the same VLAN. Just set "Deny - Any - Local LAN" on the L3 firewall rules. You can also enable L2 LAN isolation (not sure if that's still beta).
So here's a question:
you think its less resource intensive to implement group policies rather than a bunch of firewall rules?
I humbly submit the following as my solution to this problem:
The parts that are cut off are "10.0.0.0/8,192.168.0.0/16" in both the Source and Destination fields. This single line ACL will prevent all of your subnets from talking to each other, while allowing all your subnets to talk to the Internet.
>you think its less resource intensive to implement group policies rather than a bunch of firewall rules?
I'm not sure it makes any difference to resource utilisation - but it is much easier to manage. You have one place to look at understand all the firewall rules acting on the VLAN.
If you end up with 10 VLANs and firewall rules for each and you try and use the global rules - it becomes a nightmare to make changes.
Meraki OS is a Linux based derivative. The Linux kernel has two major firewall filtering engines. I suspect bpfilter may be used, but this is a pretty deep kernel layer concept and most people configuring Linux firewall rules would not be aware of.
bpfilter itself compiles the rules presented to it, and the concept of how you configuring firewall rules as to how the kernel processes them is far removed. If everything is using bpfilter then weather you are using "vlan" or "global" based firewall rules is simply a GUI concept and bares no relation to how the kernel is processing those rules. I suspect the resource usage would be almost identical based on this.
wouldn't this block all access on the LAN? even access to the default gateway?
Nope. You cannot block, even with an explicit dedicated rule, traffic to and from the MX IP address itself.
Intra-subnet traffic, i.e. between hosts on the same VLAN, does not transit the MX, and therefore it cannot block it.