Looking for some additional information regarding the site-to-site firewall rules. Our environment is a relatively standard hub/spoke model: "HQ" as the primary datacenter and connecting to remote sites. All are connected via Meraki MX (no non-Meraki VPN in this case). I want each remote site to access a specific subnet/VLAN and/or hosts at HQ, with all other traffic between the remote sites or other hosts at HQ being denied. Remote sites should not access each other. I built out the allow rules based on this, with the hope of adding a "Deny All" at the bottom of the list to deny all other traffic not explicitly allowed by a rule. However, this does not seem to work. Upon adding the "deny all" rule, the remote sites can no longer access HQ despite the allow rule which should permit the traffic. Example: HQ Subnet: 192.168.1.0/24 Remote Site 1 Subnet: 192.168.2.0/24 Site-to-Site VPN rule: Allow Any (protocol) 192.168.1.0/24 (src) Any (port) 192.168.2.50/32 (dest) Any (port) Site-to-Site VPN rule: Deny Any (protocol) Any (src) Any (port) Any (dest) Any (port) How can this be accomplished with the site-to-site VPN firewall? I read the KB on this, but it's unclear to me. Same result substituting the /32 single host for a /24 subnet. Do I need the opposite rule added as well, to allow traffic both ways? Thanks for helping to get my head around this.
... View more