I'm able to ping any location on my WIRED network from a device solely on this SSID.
According to my limited knowledge of this networking page, that says the only location on the LAN that should be accessible is the Copier.
Anyone have any thoughts on this?
I have a support case open as this is a MAJOR security issue if this setting doesn't actually do anything.
I'm assuming that Meraki defines local LAN as RFC 1918, with subnets
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Presumably you are pinging an IP address in one of the above subnets?
I cannot ping a wired device from my wifi client with the same block local lan rule
Yup. That's the case.
It isn't a rule to the Local LAN, but rather a pre-configured rule for the Private IP networks.
Also one issue I think we experienced with this is if your wireless device is whitelisted it will be exempt from those rules and also any traffic shaping and bandwidth rules. So what we thought was a security issue was actually only isolated to the whitelisted device we were testing from.
Hi @JayInJersey,
I agree with @Adam, double check group policies wherever they are assigned and remember the hierarchy outlined in Meraki's Documentation.
Once I made specific rules for the Local Subnets (they are not Private IP schemed networks) traffic was blocked.
So that basic rule isn't useful if you don't use private IP network schemes on the Local LAN.
I didn't know that about the Whitelisting though...that's unfortunate
Always seems to be something with these Merakis
@JayInJersey so you have public IPs on the LAN side? Interesting that it still wouldn't enforce it if it acknowledges that it's on the LAN side. But worst case you should be able to add your own Deny Any rules to that same Layer 3 firewall rule area to prevent access. A little more work but would accomplish what you're going for.
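To make the behaviour discussed in this thread concrete, here is an added example (not Meraki's code, and not posted by anyone in the thread) that models a first-match Layer 3 rule list the way the posts above describe it: the pre-configured "Deny Local LAN" rule matches only the three RFC 1918 blocks, a whitelisted client bypasses the rules entirely, and a LAN subnet numbered from public space is only blocked once you add your own explicit deny rule. The rule structure, the `audit` helper, the use of 203.0.113.0/24 (TEST-NET-3) as a stand-in for an inherited public LAN subnet, and the assumption that a whitelisted client bypasses every rule are all my own constructions, not something the page confirms.

```python
import ipaddress

# Constructed model of the thread's observation: Meraki's pre-configured
# "Deny Local LAN" rule is really a deny for RFC 1918 space, so a LAN that is
# numbered from public address space is not covered until an explicit deny
# rule for that subnet is added. Rule names, the first-match evaluation order,
# and the default-allow fallthrough are assumptions for illustration.

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def make_rule(policy, networks, comment):
    """Build one Layer 3 outbound rule: policy is 'allow' or 'deny'."""
    return {
        "policy": policy,
        "networks": [ipaddress.ip_network(n) for n in networks],
        "comment": comment,
    }


# The built-in rule as the thread describes it: private IP ranges only.
DENY_LOCAL_LAN = make_rule(
    "deny", [str(n) for n in RFC1918], "Deny Local LAN (RFC 1918 only)"
)


def evaluate(rules, dst, whitelisted=False):
    """Return (policy, reason) for traffic to destination IP `dst`.

    First matching rule wins; anything unmatched falls through to allow.
    `whitelisted` models the thread's report that a whitelisted client is
    exempt from these rules (assumption: exempt from all of them).
    """
    addr = ipaddress.ip_address(dst)
    if whitelisted:
        return "allow", "client whitelisted: rules bypassed"
    for rule in rules:
        if any(addr in net for net in rule["networks"]):
            return rule["policy"], rule["comment"]
    return "allow", "default allow"


def audit(rules, lan_subnets):
    """List LAN subnets that no deny rule fully covers.

    This is the check that would have flagged the inherited public-IP LAN:
    a subnet counts as covered only if it sits entirely inside one network
    of some deny rule.
    """
    uncovered = []
    for subnet_str in lan_subnets:
        subnet = ipaddress.ip_network(subnet_str)
        covered = any(
            subnet.subnet_of(net)
            for rule in rules
            if rule["policy"] == "deny"
            for net in rule["networks"]
        )
        if not covered:
            uncovered.append(subnet_str)
    return uncovered


if __name__ == "__main__":
    # Constructed LAN: one RFC 1918 subnet and one inherited public subnet.
    lan = ["192.168.1.0/24", "203.0.113.0/24"]
    print("uncovered with built-in rule only:", audit([DENY_LOCAL_LAN], lan))

    # Workaround from the thread: allow the copier, then deny the whole
    # public LAN subnet, ahead of the built-in rule.
    fixed = [
        make_rule("allow", ["203.0.113.20/32"], "Allow copier"),
        make_rule("deny", ["203.0.113.0/24"], "Deny inherited public LAN"),
        DENY_LOCAL_LAN,
    ]
    print("uncovered after fix:", audit(fixed, lan))
    for ip in ("10.0.0.5", "203.0.113.10", "203.0.113.20"):
        print(ip, "->", evaluate(fixed, ip))
```

The `audit` function is the practical takeaway: run it over every subnet you actually route on the wired side, and anything it returns is a LAN segment the built-in "Deny Local LAN" rule will never touch. Rule order matters in `evaluate` because the first match wins, so the copier allow must sit above the subnet deny.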
Yup. That's how this network was inherited.
And you are correct, once I manually added the networks it blocked the access
[Though oddly it didn't flat out block it...but the ping app I was using on my phone reported "Connection prohibited by filter" which is a new one for me]
@JayInJersey Glad to hear you at least have a workaround 🙂
And strange on that connection prohibited by filter error. I've never seen that before.
@JayInJersey that should block access to any other thing on your wired network. Is there any chance the client has a group policy applied?
Is this network setup in a full-tunnel or split-tunnel configuration?