"Deny Local LAN" setting in the MR Firewall not 100% blocking traffic

whistleblower
Getting noticed

Hi all,

 

During some testing in my Lab, I´ve found out something - in my mind - interessting regarding "Deny Local LAN" setting in the MR Firewall (https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/%27Deny_Local_LAN%27_settings_in_Ci...)

 

whistleblower_0-1619178623771.png

In my opinion that's not 100% true, because if I'm connected to an SSID (using Bridge Mode) and I obtain an IP address from a local LAN, in my case 192.168.1.1/24 (the standard gateway is an MX firewall using .254), and the Meraki MR is using 10.10.10.1 as its management IP... according to the Meraki documentation all traffic (except DNS and DHCP) destined to 10.0.0.0/8 should be blocked, BUT I'm still able to PING (ICMP) the AP I'm associated to on its management IP!

Can any of you tell me if this is normal behavior and, if so, why it is needed, or am I probably facing a BUG?!

What do you think about this?

ww
Kind of a big deal

Re: "Deny Local LAN" setting in the MR Firewall not 100% blocking traffic

Sounds like a bug. Or they should add ICMP to the documentation, if that's also allowed.

What happens when you add 10.0.0.0/8 manually as the first rule?

whistleblower
Getting noticed

Re: "Deny Local LAN" setting in the MR Firewall not 100% blocking traffic

That's what I've tried as well, also with an explicit firewall rule - the same issue! 🙂

PhilipDAth
Kind of a big deal

Re: "Deny Local LAN" setting in the MR Firewall not 100% blocking traffic

I believe the ACL is applied to traffic going out the AP's Ethernet port. It won't affect traffic to the actual AP itself.
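A small model of the behaviour this reply describes, added here as an example and not code from Meraki or from any poster in the thread: it treats Deny Local LAN as an ACL on the AP's wired egress, so a packet addressed to the AP's own management IP is consumed by the AP's stack and never evaluated by that ACL, which is why the ping in the original post succeeds. The blocked range and the DNS/DHCP exceptions follow the original post's reading of the documentation; the AP address 10.10.10.1 is from the post, while the second host 10.10.10.2 and the internet host 203.0.113.10 are constructed lab values.

```python
import ipaddress

# Constructed model of the explanation given in this thread, not Meraki's code:
# "Deny Local LAN" is treated as an ACL on the AP's wired (Ethernet) egress, so a
# packet addressed to the AP's own management IP is consumed by the AP and never
# evaluated by that ACL. Blocked range and exceptions follow the poster's
# summary (10.0.0.0/8 denied, DNS and DHCP allowed); other RFC1918 ranges are
# left out of the model on purpose.
DENIED_DEST = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67), ("udp", 68)}


def egress_acl(dst_ip, proto, dport):
    """Decision of the Ethernet-egress ACL for a single client flow."""
    if (proto, dport) in ALLOWED_SERVICES:
        return "allow", "DNS/DHCP exception"
    if ipaddress.ip_address(dst_ip) in DENIED_DEST:
        return "deny", "Deny Local LAN"
    return "allow", "destination is not local"


def ap_forwarding(dst_ip, proto, dport, ap_mgmt_ip):
    """Path a wireless client's packet takes once the AP has received it."""
    if ipaddress.ip_address(dst_ip) == ipaddress.ip_address(ap_mgmt_ip):
        # Locally addressed traffic is handled by the AP's own IP stack;
        # it never reaches the wired port, so the ACL is not consulted.
        return "allow", "delivered to AP control plane (ACL not consulted)"
    return egress_acl(dst_ip, proto, dport)


def lab_expectations(ap_mgmt_ip="10.10.10.1"):
    """Constructed flows mirroring the poster's lab; returns (flow, decision) pairs."""
    flows = [
        ("10.10.10.1", "icmp", None),   # ping the AP the client is associated to
        ("10.10.10.2", "icmp", None),   # ping another host in 10.0.0.0/8 (constructed)
        ("10.10.10.2", "udp", 53),      # DNS to a resolver in 10.0.0.0/8
        ("10.10.10.2", "udp", 67),      # DHCP
        ("203.0.113.10", "icmp", None), # ping an internet host (TEST-NET-3 address)
    ]
    return [(flow, ap_forwarding(*flow, ap_mgmt_ip)[0]) for flow in flows]


if __name__ == "__main__":
    for flow, decision in lab_expectations():
        print(f"{flow[0]:<14} {flow[1]:<5} {str(flow[2]):<5} -> {decision}")
```

Running the block shows the same asymmetry as the lab: the AP's own address answers, any other 10.0.0.0/8 host is denied unless the flow is DNS or DHCP, and adding the manual 10.0.0.0/8 rule mentioned above changes nothing because it lives on the same egress path.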
