Meraki

whistleblower · ‎Apr 23 2021

Hi all,

During some testing in my Lab, I´ve found out something - in my mind - interessting regarding "Deny Local LAN" setting in the MR Firewall (https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/%27Deny_Local_LAN%27_settings_in_Ci...)

In my opinion that`s not 100% true, because if I´m connected to an SSID (using Bridge-Mode) and I optain an IP-Address from a local LAN in my case 192.168.1.1/24 (Standard-Gateway is a MX Firewall using .254) and the Meraki MR is using 10.10.10.1 as it`s Management IP... regarding the meraki documentation every traffic (exept: DNS and DHCP) destined to 10.0.0.0./8 should be blocked BUT I´m still able to PING (ICMP) the AP on which I´m associated to on it`s Management-IP!

Does anyone of you can tell me if this is a normal behavior and if so, why this is needed or I´m probably facing a BUG?!

what do you think about this?

ww · ‎Apr 23 2021

Sound like a bug. Or they should add icmp to the documentation.. if thats also allowed.

What happens when you add 10.0.0.0/8 manually as first rule?

whistleblower · ‎Apr 23 2021

that’s what I‘ve tried as well, also with an explicit firewall rule - the same issue! 🙂

PhilipDAth · ‎Apr 23 2021

I believe the ACL is applied to traffic going out the APs Ethernet port. It won't affect traffic to the actual AP itself.

Meraki

Community

"Deny Local LAN" setting in the MR Firewall not 100% blocking traffic

"Deny Local LAN" setting in the MR Firewall not 100% blocking traffic