Meraki

Community

Allowing a few devices with deny local LAN access set on a SSID

DMLUX1
Here to help
‎Aug 14 2024 2:15 PM
‎Aug 14 2024 2:15 PM

Allowing a few devices with deny local LAN access set on a SSID

I want to block local LAN access on an SSID,   I created a rule to allow the printer-wired and on a different VLAN and that works fine but a rule I created to allow a wireless presenting device does not work the device becomes unavailable when I turn on Deny Local Lan.      Is there a way to allow select wireless devices when DENY Local Lan access is enabled?     Setting an allow rule only works for nonwireless devices.      

0 Kudos
4 Replies 4
DMLUX1
Here to help
‎Aug 14 2024 5:53 PM
‎Aug 14 2024 5:53 PM

DMLUX1_1-1723683166181.png

The devices on the SSID will not connect even with the allow rule.  Devices on the switch connect with the allow rule.   

0 Kudos
In response to DMLUX1
Tony-Sydney-AU
Meraki Employee
Meraki Employee
‎Aug 14 2024 7:55 PM
‎Aug 14 2024 7:55 PM

Ok @DMLUX1 , thanks for adding more details.

 

So your wifi devices connected to your SSID need to access the following IP list:

192.168.20.50 (printer)

192.168.21.201 (Keiths Airtame)

192.168.21.122 (Joe V Airtame)

192.168.21.156 (Joe M Airtame)

192.168.21.117 (Philly Airtame)

 

If wifi devices in your SSID are getting IP from Meraki AP (NAT mode) then your MR runs DHCP and does NAT for your wifi device traffic. In this scenario, your wifi devices don't get associated to a VLAN. As a result, there is no solution for you other than redesign your SSID. That's because your AP does NAT and so the wifi devices traffic gets kind of unidirectional - i.e.: wifi devices can initiate a connection to a LAN device but never the opposite way. Most screen-sharing requires BI-directional traffic therefore, this scenario would never work unless you redesign your SSID associating it with a switch VLAN.

 

I'm assuming your printer lives in a switch VLAN (e.g.: VLAN20) and your Airtame devices live in another switch VLAN (e.g.: VLAN21); I'm also assuming your SSID is associated with yet another switch VLAN (e.g.: VLAN100). Am I correct?

 

If my assumptions above are correct, then your Wireless firewall rules are correct and the issue might be related to:

  1. your switch or firewall doing the routing between VLANs has some Access Control List (ACL) denying traffic between these VLANs. So the solution is you add an Allow ACL. MS Switch ACLs are described here. MX Firewall Rules are described in this other Article here.
  2. your wireless screen-sharing relies on some broadcast or multicast kind of network traffic that requires them to be living in the same VLAN. Sometimes We can fix that kind of multicast traffic by allowing it to flood to other VLANs and switches as described here. Other few times you may need to convert Multicast to Unicast.
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Tony-Sydney-AU
Meraki Employee
Meraki Employee
‎Aug 14 2024 6:21 PM
‎Aug 14 2024 6:21 PM

Hi @DMLUX1 ! Thanks for your question here. I noticed your question at the Security & SDWAN Forum but this is a better place to get an answers.

 

I understand you need to block users in an SSID to access local LAN resources but at the same time there is an exception which is your printer connected wired to a different VLAN. Let me know if I missed something.

 

So the answer is quite simple: you can keep the DENY to Local LAN and add a new rule having ALLOW , protocol ANY, IP address of your printer as destination (e.g.:192.168.100.123/32). It should be a /32 because it's a single device. Here's a screenshot for your reference:

Screenshot 2024-08-15 at 11.09.30.png

 

You may want to be more specific and have ALLOW, protocol TCP, IP address of your printer, and then whatever ports your printer needs. For example, I used to have an HP Jetdirect that needed TCP ports 9100 up to 9102:

Screenshot 2024-08-15 at 11.15.58.png

 

Lastly, be sure to read and understand this Meraki Article explaining the Wireless firewall options and the Deny Local LAN features.

 

Hope this information is useful. Looking forward to your input on this.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Tony-Sydney-AU
DMLUX1
Here to help
‎Aug 14 2024 6:33 PM
‎Aug 14 2024 6:33 PM

Thanks for the reply Tony,  my question was directed to wireless devices on the SSID.   I can not seem to allow those with a rule.     For example, other devices on the SSID are not accessible even with an allow rule.    We have wireless screen-sharing devices and even with an allow rule they are not accessible when Deny Local Lan is selected, only devices that are connected to the switch not other wireless devices on the same SSID.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.