Group Policy Firewall blocking DHCP

Solved
Adrian4
Head in the Cloud

Group Policy Firewall blocking DHCP

Hello,

Having a bit of an odd issue.

I am setting up a group policy for an identity PSK SSID which is supposed to block all open internet traffic, leaving it with just internal network access.

 

Using layer 3 rules, I have a Deny Any rule at the bottom of the list and then I tried to add Allow rules for the various servers in the network that are required - however, when I connect to the SSID I can't contact any DHCP and I get a 169 address.

I added an Allow rule that should allow the entire network 10.0.0.0/8 but I still can't access the DHCP server.
If I delete the Deny rule and try again - everything works, I get a proper IP etc.

Put the Deny rule back, and it all stops working. I know the rules apply top down but I swapped the deny and allow rules around just in case, didn't work either.

What's going on?!?

1 Accepted Solution
Adrian4
Head in the Cloud

SORTED IT!! It was the broadcast address lol, 255.255.255.255


14 Replies
Adrian4
Head in the Cloud

I removed the deny rule and connected, then did an IP config to check the DHCP server address, and it is definitely in the 10.0.0.0/8 range

ww
Kind of a big deal

What IP is the default gateway of your client? (When the deny any is removed)

Adrian4
Head in the Cloud

within the 10. range

ww
Kind of a big deal

I would take a packet capture to see what is blocked: an AP capture of the wifi side and the LAN side.

Adrian4
Head in the Cloud

Good idea, I took a capture from our APs but unfortunately can't see much. I can see it associate with the AP and some multicast stuff but nothing like a smoking gun.

I added 169.0.0.0/8 and some multicast ones like 224 and 239 out of desperation but they didn't help.

In the Meraki dashboard I can see the client getting lots of DHCP errors - client reaches out but DHCP server does not respond.

Adrian4
Head in the Cloud

SORTED IT!! It was the broadcast address lol, 255.255.255.255

alemabrahao
Kind of a big deal

Are you using Meraki DHCP? Have you tried allowing the DHCP ports (67 and 68)? Have you tried Bridge Mode for Client IP Assignment?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

The DHCP is a separate server. It is using bridge mode.

There is an Allow Any 10.0.0.0/8 rule - that IP range is the entire network.

It works fine if I remove the deny rule.

alemabrahao
Kind of a big deal

Can you share your Group policy configuration?

Adrian4
Head in the Cloud

[Screenshot of the group policy configuration: Adrian4_0-1678883423106.png]

VLAN tagging is enabled

alemabrahao
Kind of a big deal

As I said, these rules are stateless, so try the opposite: create a deny for the most specific things you intend to block and then leave the allow at the end.

Adrian4
Head in the Cloud

I need to block all open internet access, while keeping internal network access (multiple VLANs) available.

alemabrahao
Kind of a big deal

I'm not sure if this config will work. @GreenMan any idea?

alemabrahao
Kind of a big deal

 Layer 3 firewall rules are stateless when configured within Meraki Dashboard group policies.

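The thread's two lessons, that a stateless group policy rule list judges each packet on its own and that a DHCP Discover is addressed to 255.255.255.255 rather than to anything inside 10.0.0.0/8, can be checked with a small rule evaluator. The following is an added example written for this thread; it is not Meraki's code and does not use the Meraki API. It assumes the dashboard's group policy L3 rules match on protocol, destination network and destination port, top-down, first match wins, and that an unmatched packet is allowed (which is why the original poster needed an explicit Deny Any). The rule sets, server address 10.0.1.10 and internet host 203.0.113.10 are constructed for the example.

```python
"""Stateless, top-down evaluation of Meraki-style group policy L3 rules
against a DHCP exchange. Added example for this thread; constructed data,
not Meraki's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str          # source IP (a DHCP Discover leaves from 0.0.0.0)
    dst: str          # destination IP
    proto: str        # "udp" / "tcp" / "icmp"
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    proto: str        # protocol, or "any"
    dst: str          # destination CIDR, or "any"
    dport: str        # destination port as a string, or "any"
    comment: str = ""


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on protocol, destination network and destination port.
    Nothing here looks at the source address and no connection state is kept:
    every packet is judged alone (assumed model of the dashboard rules)."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any":
        net = ipaddress.ip_network(rule.dst, strict=False)
        if ipaddress.ip_address(pkt.dst) not in net:
            return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins (top-down). Assumption for this example: if no
    rule matches, the packet is allowed, hence the explicit Deny Any below."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "allow", None


# Constructed rule sets. The first mirrors the original post; the second adds
# the rule that fixed it (broadcast destination for DHCP Discover/Request).
ORIGINAL_RULES = [
    Rule("allow", "any", "10.0.0.0/8", "any", "whole internal network"),
    Rule("deny", "any", "any", "any", "block everything else (internet)"),
]
FIXED_RULES = [
    Rule("allow", "udp", "255.255.255.255/32", "67", "DHCP Discover/Request broadcast"),
    Rule("allow", "any", "10.0.0.0/8", "any", "whole internal network"),
    Rule("deny", "any", "any", "any", "block everything else (internet)"),
]

# Constructed packets. 10.0.1.10 stands in for the DHCP server, 203.0.113.10
# (TEST-NET-3) for an arbitrary internet host.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)   # no lease yet
DHCP_RENEW = Packet("10.0.5.23", "10.0.1.10", "udp", 67)          # unicast renewal
INTERNET_HTTPS = Packet("10.0.5.23", "203.0.113.10", "tcp", 443)


def explain(rules: List[Rule], pkt: Packet) -> str:
    """One human-readable verdict line, naming the rule that decided it."""
    action, idx = evaluate(rules, pkt)
    hit = rules[idx].comment if idx is not None else "implicit allow"
    return f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {action} ({hit})"


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {name} rule set ---")
        for pkt in (DHCP_DISCOVER, DHCP_RENEW, INTERNET_HTTPS):
            print(explain(rules, pkt))
```

With the original rule set the Discover falls through the 10.0.0.0/8 allow and hits Deny Any, so the client never gets a lease; a renewal, which is unicast to the server's 10.x address, would have been allowed, which is why the problem only shows on a fresh association. The same evaluator is a cheap way to sanity-check a rule list against the destination addresses seen in an AP packet capture before committing it to a live SSID.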