Hello,
Having a bit of an odd issue.
I am setting up a group policy for an identity PSK SSID which is supposed to block all open internet traffic, leaving it with just internal network access.
Using layer 3 rules, I have a Deny Any rule at the bottom of the list and then I tried to add Allow rules for the various servers in the network that are required - however, when I connect to the SSID I can't contact any DHCP server and I get a 169 address.
I added an Allow rule that should allow the entire network 10.0.0.0/8 but I still can't access the DHCP server.
If I delete the Deny rule and try again - everything works, I get a proper IP etc.
Put the Deny rule back, and it all stops working. I know the rules apply top down but I swapped the deny and allow rules around just in case, didn't work either.
What's going on?!?
I removed the deny rule and connected, then did an ipconfig to check the DHCP server address and it is definitely in the 10.0.0.0/8 range.
What IP is the default gateway of your client? (When the deny any is removed)
Within the 10. range.
I would take a packet capture to see what is blocked. An AP capture of the wifi side and the LAN side.
Good idea, I took a capture from our APs but unfortunately can't see much. I can see it associate with the AP and some multicast stuff but nothing like a smoking gun.
I added 169.0.0.0/8 and some multicast ones like 224 and 239 out of desperation but they didn't help.
In the Meraki dashboard I can see the client getting lots of DHCP errors - client reaches out but DHCP server does not respond.
SORTED IT!! It was the broadcast address lol, 255.255.255.255
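To make the root cause concrete, here is a small model of the stateless, first-match, top-down evaluation the thread describes, run against constructed packets. This is an added example, not code from the original post or from Meraki: the rule and packet classes, the rule comments and the sample addresses (10.0.0.5 as the DHCP server, 203.0.113.10 as an internet host) are assumptions for illustration. It shows why "Allow 10.0.0.0/8, Deny Any" lets a unicast DHCP renewal through but drops the initial DHCP Discover, which is sent from 0.0.0.0 to the limited broadcast address 255.255.255.255 and therefore never matches the 10.0.0.0/8 allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the L3 rules look at."""
    src: str
    dst: str
    proto: str                 # "udp", "tcp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One L3 group-policy rule (hypothetical model of the dashboard form)."""
    action: str                # "allow" or "deny"
    proto: str                 # "any" or a protocol name
    dst: str                   # "any" or a CIDR
    dport: Optional[int] = None   # None means any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst != "any":
            net = ipaddress.ip_network(self.dst, strict=False)
            if ipaddress.ip_address(pkt.dst) not in net:
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Stateless first-match evaluation, top to bottom.

    Returns (action, comment) of the first matching rule, or
    ("no_match", "") if nothing matched. No connection state is kept, so
    the only thing that counts is the packet's own header fields.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "no_match", ""


# Rule set from the original post: allow the whole 10/8, deny everything else.
ORIGINAL_RULES = [
    Rule("allow", "any", "10.0.0.0/8", comment="internal network"),
    Rule("deny", "any", "any", comment="block open internet"),
]

# Fix from the accepted answer: allow the limited-broadcast DHCP traffic
# before the deny. (The port restriction to UDP/67 is an assumption;
# the post only says the broadcast address was added.)
FIXED_RULES = [
    Rule("allow", "udp", "255.255.255.255/32", 67, comment="DHCP discover/request"),
    *ORIGINAL_RULES,
]

# Constructed sample traffic. DHCP Discover: no lease yet, so the client has
# no address and broadcasts to 255.255.255.255. DHCP Renew: a client in the
# RENEWING state unicasts directly to the server that gave it the lease.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)
DHCP_RENEW = Packet("10.20.30.40", "10.0.0.5", "udp", 67)
INTERNAL_SMB = Packet("10.20.30.40", "10.0.0.10", "tcp", 445)
INTERNET_HTTPS = Packet("10.20.30.40", "203.0.113.10", "tcp", 443)


def verdicts(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against one rule set."""
    samples = {
        "dhcp_discover": DHCP_DISCOVER,
        "dhcp_renew": DHCP_RENEW,
        "internal_smb": INTERNAL_SMB,
        "internet_https": INTERNET_HTTPS,
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label, verdicts(rules))
```

The model only evaluates the client-to-network direction. Because the rules are stateless, a real deployment needs a matching allow for every direction the policy is applied to, and a lease that was already held (the unicast renewal above) can keep working for a while after the deny is added, which makes this kind of misconfiguration easy to miss until a client reconnects.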
Are you using Meraki DHCP? Have you tried allowing the DHCP ports (67 and 68)? Have you tried Bridge Mode for Client IP Assignment?
The DHCP is a separate server. It is using bridge mode.
There is an Allow Any 10.0.0.0/8 rule - that IP range is the entire network.
It works fine if I remove the deny rule.
Can you share your Group policy configuration?
VLAN tagging is enabled
As I said, these rules are stateless, so try the opposite: create a deny for the most specific things you intend to block and then leave the allow at the end.
I need to block all open internet access, while keeping internal network access (multiple VLANS) available.
I'm not sure if this config will work. @GreenMan any idea?
Layer 3 firewall rules are stateless when configured within Meraki Dashboard group policies.