'Deny Local LAN' settings in Cisco Meraki MR firewall
Overview
The 'Deny Local LAN' function, located under Wireless > Configure > Firewall & traffic shaping, blocks access from wireless clients on specific SSIDs to the Local LAN. For the purposes of this firewall rule, Local LAN is defined as any destination IP address within the RFC1918 private address spaces:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Note: When creating networks, the first SSID is auto-created using the Network's name. The default configuration of the SSID will be NAT mode (Wireless > Configure > Access Control > Client IP and VLAN) and a Deny Local LAN rule will be active (Wireless > Configure > Firewall & traffic shaping > Outbound rules).
If you intend to use the auto-created SSID for internal LAN clients, be sure to change the Layer 3 firewall rule to Allow Local LAN. Neglecting to do so will prevent clients from communicating with internal resources, including RADIUS servers.
A common use for this is the "guest SSID" scenario. Changing the Policy for traffic destined to the Local LAN from Allow to Deny prevents clients on the guest SSID from accessing the LAN while still allowing connections to the Internet. This feature can be used in both Bridge Mode and NAT Mode.
1. Navigate to Wireless > Configure > Firewall & traffic shaping
2. Select the SSID
3. Change the Policy for the row with Destination as Local LAN from Allow to Deny
4. Click Finish Editing and then Save Changes at the bottom of the page.
If the clients on this SSID need connectivity to other subnets within the RFC1918 private address spaces, configure an additional Layer 3 firewall rule that allows traffic to that subnet and order it above the Local LAN rule, since rules are evaluated from the top and the first matching rule applies.
Note: DNS and DHCP traffic are exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt, since the AP itself acts as the DHCP server for connecting clients.
Additional Layer 3 Firewall Rules
You can create additional Layer 3 firewall rules to Allow or Deny specific network traffic flow from SSID clients to LAN subnets within RFC1918 private address spaces.
Every field of a rule is mandatory: Policy, Protocol, Destination, and Port number must all be defined. Use "Any" as a wildcard ("*") when the exact value is not known. The example below shows a rule allowing clients to access an HTTP web server (TCP 80) at addresses 10.10.10.1 through 10.10.10.254.
1. Click Add a layer 3 firewall rule
2. Specify Policy, Protocol, Destination and Port Number
3. Click Finish Editing and then Save Changes at the bottom of the page.
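The following is an added example, not part of the original article or of any Meraki software: a small Python simulation of the SSID Layer 3 outbound rule list that shows why the additional allow rule must sit above the Deny Local LAN row (the ordering point made earlier) and how the HTTP rule for 10.10.10.1 through 10.10.10.254 interacts with it. The rule-list model (top-to-bottom first match, a trailing allow-any default, DNS and DHCP exempt from the Local LAN row) is an assumption based on the behaviour this article describes; the `Rule` class, the function names and the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# RFC1918 blocks that the dashboard's "Local LAN" destination matches (from the article)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local_lan(dst: str) -> bool:
    """True when dst lies inside any RFC1918 block, i.e. counts as 'Local LAN'."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)


@dataclass
class Rule:
    """One row of the SSID Layer 3 outbound rule list (hypothetical model)."""
    policy: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "any"
    destination: str  # "Local LAN", "any", a CIDR, or an IP range "first-last"
    port: str         # "any", a single port, or a range "lo-hi"


def _dest_matches(spec: str, dst: str) -> bool:
    spec = spec.strip()
    if spec.lower() in ("any", "*"):
        return True
    if spec.lower() == "local lan":
        return is_local_lan(dst)
    addr = ipaddress.ip_address(dst)
    if "-" in spec:  # dashboard-style range such as 10.10.10.1-10.10.10.254
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    spec = spec.strip()
    if spec.lower() in ("any", "*"):
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule: Rule, proto: str, dst: str, port: int) -> bool:
    proto_ok = rule.protocol.lower() in ("any", "*") or rule.protocol.lower() == proto.lower()
    return proto_ok and _dest_matches(rule.destination, dst) and _port_matches(rule.port, port)


def evaluate(rules: List[Rule], proto: str, dst: str, port: int) -> str:
    """Walk the list top to bottom; the first matching row decides the flow.

    DNS (port 53) and DHCP (UDP 67/68) are exempt from a Deny Local LAN row,
    as the article states, so those flows skip that row. A flow that matches
    no row gets the dashboard's default allow (assumed here).
    """
    for rule in rules:
        if rule.destination.strip().lower() == "local lan" and rule.policy.lower() == "deny":
            if port == 53 or (proto.lower() == "udp" and port in (67, 68)):
                continue
        if rule_matches(rule, proto, dst, port):
            return rule.policy.lower()
    return "allow"


# Constructed guest-SSID rule list in the order the article recommends
GUEST_RULES = [
    Rule("allow", "tcp", "10.10.10.1-10.10.10.254", "80"),  # web server exception
    Rule("deny", "any", "Local LAN", "any"),                # Deny Local LAN
    Rule("allow", "any", "any", "any"),                     # default rule
]

# The same rows with the exception placed below Deny Local LAN (the mistake to avoid)
MISORDERED_RULES = [GUEST_RULES[1], GUEST_RULES[0], GUEST_RULES[2]]

if __name__ == "__main__":
    for label, rules in (("ordered", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(label, "web:", evaluate(rules, "tcp", "10.10.10.50", 80),
              "ssh:", evaluate(rules, "tcp", "10.10.10.50", 22),
              "internet:", evaluate(rules, "tcp", "203.0.113.10", 443))
```

Run the script to see that the web server is reachable only when the exception row sits above the Deny Local LAN row; the same flow is dropped with the rows swapped, while Internet destinations outside RFC1918 are allowed either way.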