Deny Local LAN in Wireless Firewall doesn't work

JayInJersey
New here

Deny Local LAN in Wireless Firewall doesn't work

I'm able to ping any location on my WIRED network from a device solely on this SSID.

 

According to my limited knowledge of this networking page, that says the only location on the LAN that should be accessible is the Copier.

 

Anyone have any thoughts to this?

 

MerakiFirewall.JPG

 

I have a support case open as this is a MAJOR security issue if this setting doesn't actually do anything.

10 REPLIES 10
pjc
A model citizen

I'm assuming that Meraki define local lan as RFC 1918, with subnets

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

Presumably you are pinging an IP address in one of the above subnets?

 

I cannot ping a wired device from my wifi client with the same block local lan rule 

Yup.  That's the case.  

 

It isn't a rule to the Local LAN, but rather a pre-configured rule for the Private IP networks.

Adam
Kind of a big deal

Also one issue I think we experienced with this is if your wireless device is whitelisted it will be exempt from those rules and also any traffic shaping and bandwidth rules.  So what we though twas a security issue was actually only isolated to the whitelisted device we were testing from.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
WadeAlsup
A model citizen

Hi @JayInJersey

 

I agree with @Adam, double check group policies wherever they are assigned and remember the hierarchy outlined in Meraki's Documentation


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

Once I made specific rules for the Local Subnets (they are not Private IP schemed networks) traffic was blocked.

So that basic rule isn't useful if you don't use Private IP networks schemes on the Local LAN.

 

I didn't know that about the Whitelisting though...that's unfortunate

 

 

Always seems to be something with these Meraki's

 

Adam
Kind of a big deal

@JayInJersey so you have public IP's on the LAN side?  Interesting that it still wouldn't enforce it if it acknowledges that it's on the LAN side.  But worst case you should be able to add your own Deny Any rules to that same Layer 3 firewall rule area to prevent access.  A little more work but would accomplish what your going for.  

Capture.PNG

 

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Yup.  That's how this network was inherited.

 

And you are correct, once I manually added the networks it blocked the access

 

[Though oddly it didn't flat out block it...but the ping app I was using on my phone reported "Connection prohibited by filter" which is a new one for me]

 

Adam
Kind of a big deal

@JayInJersey Glad to hear you at least have a workaround 🙂

 

And strange on that connection prohibited by filter error.  I've never saw that before.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
PhilipDAth
Kind of a big deal
Kind of a big deal

@JayInJersey that should block access to any other thing on your wired network.  Is there any chance the client has a group policy applied?

Mr_IT_Guy
A model citizen

Is this network setup in a full-tunnel or split-tunnel configuration?

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels