I'm able to ping any location on my WIRED network from a device solely on this SSID.
According to my limited knowledge of this networking page, that says the only location on the LAN that should be accessible is the Copier.
Anyone have any thoughts to this?
I have a support case open as this is a MAJOR security issue if this setting doesn't actually do anything.
I'm assuming that Meraki define local lan as RFC 1918, with subnets
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Presumably you are pinging an IP address in one of the above subnets?
I cannot ping a wired device from my wifi client with the same block local lan rule
Yup. That's the case.
It isn't a rule to the Local LAN, but rather a pre-configured rule for the Private IP networks.
Also one issue I think we experienced with this is if your wireless device is whitelisted it will be exempt from those rules and also any traffic shaping and bandwidth rules. So what we though twas a security issue was actually only isolated to the whitelisted device we were testing from.
Once I made specific rules for the Local Subnets (they are not Private IP schemed networks) traffic was blocked.
So that basic rule isn't useful if you don't use Private IP networks schemes on the Local LAN.
I didn't know that about the Whitelisting though...that's unfortunate
Always seems to be something with these Meraki's
@JayInJersey so you have public IP's on the LAN side? Interesting that it still wouldn't enforce it if it acknowledges that it's on the LAN side. But worst case you should be able to add your own Deny Any rules to that same Layer 3 firewall rule area to prevent access. A little more work but would accomplish what your going for.
Yup. That's how this network was inherited.
And you are correct, once I manually added the networks it blocked the access
[Though oddly it didn't flat out block it...but the ping app I was using on my phone reported "Connection prohibited by filter" which is a new one for me]
@JayInJersey Glad to hear you at least have a workaround 🙂
And strange on that connection prohibited by filter error. I've never saw that before.
@JayInJersey that should block access to any other thing on your wired network. Is there any chance the client has a group policy applied?
Is this network setup in a full-tunnel or split-tunnel configuration?