Meraki

Community

Group Policy Firewall blocking DHCP

Solved
Adrian4
Head in the Cloud
‎Mar 15 2023 2:00 AM
‎Mar 15 2023 2:00 AM

Group Policy Firewall blocking DHCP

Hello,

 

Having a bit of an odd issue.

 

I am setting up a group policy for a identity PSK SSID which is supposed to block all open internet traffic, leaving it with just internal network access.

 

Using layer 3 rule, I have a Deny Any rule at the bottom of the list and then I tried to add Allow Rules for the various servers in the network that are required - however when I connect to the SSID I cant contact any DHCP and I get a 169 address.

I added an Allow rule that should allow the entire network 10.0.0.0/8  but I still cant access the DHCP server.
If I delete the Deny rule and try again - everything works, I get a proper IP etc.

Put the Deny rule back, and it all stops working. I know the rules apply top down but I swapped the deny and allow rules around just in case, didn't work either.

What's going on?!?

Labels:
0 Kudos
1 Accepted Solution
In response to Adrian4
Adrian4
Head in the Cloud
‎Mar 15 2023 9:49 AM
‎Mar 15 2023 9:49 AM

SORTED IT!! it was the broadcast address lol 255.255.255.255

View solution in original post

14 Replies 14
Adrian4
Head in the Cloud
‎Mar 15 2023 2:06 AM
‎Mar 15 2023 2:06 AM

I removed the deny rule and connected, then did an IP config to check the DHCP server address and it is definitely in the 10.0.0.0/8 range

0 Kudos
In response to Adrian4
ww
Kind of a big deal
Kind of a big deal
‎Mar 15 2023 6:07 AM
‎Mar 15 2023 6:07 AM

What ip is the default gateway of you client? (When the deny  any is removed)

0 Kudos
In response to ww
Adrian4
Head in the Cloud
‎Mar 15 2023 6:11 AM
‎Mar 15 2023 6:11 AM

within the 10. range

0 Kudos
In response to Adrian4
ww
Kind of a big deal
Kind of a big deal
‎Mar 15 2023 7:11 AM
‎Mar 15 2023 7:11 AM

I would take a packet capture to see what is blocked. AP Capture of the wifi side and the lan side

0 Kudos
In response to ww
Adrian4
Head in the Cloud
‎Mar 15 2023 9:41 AM
‎Mar 15 2023 9:41 AM

Good idea, I took a capture from our APs but unfortunately cant see much. I can see it associate with the AP and some multicast stuff but nothing like a smoking gun.

I added 169.0.0.0/8 and some multi cast ones like 224 and 239 out of desperation but they didnt help.

In meraki dashboard I can see the client getting lots of DHCP error - client reaches out by DHCP server does not respond.

0 Kudos
In response to Adrian4
Adrian4
Head in the Cloud
‎Mar 15 2023 9:49 AM
‎Mar 15 2023 9:49 AM

SORTED IT!! it was the broadcast address lol 255.255.255.255

alemabrahao
Kind of a big deal
‎Mar 15 2023 4:26 AM
‎Mar 15 2023 4:26 AM

Are you using Meraki DHCP? Have you trie to allow DHCP ports (67 and 68)? Have you tried with Bridge Mode for Client IP Assignment?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Mar 15 2023 4:40 AM
‎Mar 15 2023 4:40 AM

the DHCP is a separate server. It is using bridgemode.

 

There is an Allow Any 10.0.0.0/8 rule - that IP range is the entire network.

It works fine if i remove the deny rule.

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
‎Mar 15 2023 4:50 AM
‎Mar 15 2023 4:50 AM

Can you share your Group policy configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Mar 15 2023 5:31 AM
‎Mar 15 2023 5:31 AM

Adrian4_0-1678883423106.png


VLAN tagging is enabled

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
‎Mar 15 2023 6:22 AM
‎Mar 15 2023 6:22 AM

As I said these rules are stateless, so try the opposite, create a deny for the most specific things you intend to block and then leave the allow at the end.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Mar 15 2023 6:34 AM
‎Mar 15 2023 6:34 AM

I need to block all open internet access, while keeping internal network access (multiple VLANS) available.

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
‎Mar 15 2023 7:01 AM
‎Mar 15 2023 7:01 AM

I'm not sure if this config will work. @GreenMan any idea?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
‎Mar 15 2023 4:52 AM
‎Mar 15 2023 4:52 AM

 Layer 3 firewall rules are stateless when configured within Meraki Dashboard group policies.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.