Layer 3 firewall rules give an administrator granular access control over outbound client traffic. On the MR series, outbound traffic refers to client traffic originating from the wireless network that is destined for the wired LAN or the Internet. On the MX, outbound traffic refers to traffic originating from one VLAN that is destined for another VLAN, or traffic originating from the LAN that is destined for the Internet or for a remote network reached over a static LAN route. This article discusses how to use Layer 3 firewall rules on MR series access points, MX security appliances and Z1 teleworker gateways.
A Layer 3 firewall rule on the MX or Z1 can be based on protocol, source IP address and port, and destination IP address and port. Layer 3 firewall rules on the MR can be based on destination address and port only. Dashboard presents the rules in numeric order, and they are evaluated from top to bottom beginning with rule number 1. The first rule that matches is applied, and subsequent rules are not evaluated. If no rule matches, the default rule (allow all traffic) is applied.
An explanation of the fields in a Layer 3 firewall rule is shown below.
Use Case 1: In the example below we want to block all IP traffic originating from network 10.0.0.0/8 that is destined for network 192.168.1.0/24. However, we do not want to block traffic originating from network 192.168.1.0/24 that is destined for 10.0.0.0/8 or block either network from accessing other remote networks such as the Internet.
Based on the rules shown below, any traffic originating from the 10.0.0.0/8 network destined for the 192.168.1.0/24 network matches rule 1, which is evaluated first. Because the "Policy" for this rule specifies a "Deny" action, the firewall blocks all traffic that hits the rule. The second rule evaluated, which is the default rule, enforces an implicit allow all; all other traffic matches this rule, so hosts on either network can still send data to any other remote network.
Note: When "ANY" is selected from the Protocol menu, the Src port and Dst port fields are grayed out, because this setting matches all IP traffic regardless of port.
Use Case 2: In the example below we want to allow any host in the network 10.0.0.0/8 to access a web server 192.168.1.254 that is listening on TCP port 80. However, we want to block any other outbound traffic from hosts in 10.0.0.0/8 or host 192.168.1.254.
Based on the rules shown below, traffic originating from any host on the 10.0.0.0/8 network that is destined for web server 192.168.1.254 on TCP port 80 is allowed. When a local host communicates with a service on a remote host, it normally picks an ephemeral source port and sends traffic to the port used by the service on the remote host; this is why the source port in this rule is set to "Any." Because the implicit allow rule is processed last and we want to perform a "Deny" action on all other outbound traffic from hosts on the 10.0.0.0/8 network and from the web server, an explicit deny rule is required, and it needs to be evaluated right after rule 1. Because the firewall is stateful, replies from the web server to hosts on the 10.0.0.0/8 network bypass the deny rule, since the connection has already been established. The deny rule, which is processed second, matches all other traffic besides traffic to the web server.
Note: Cisco Meraki firewalls implement an inherent Allow All rule which can't be modified and is the last rule processed. Firewall rules are processed from the top down.
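The following is an added example, not Cisco Meraki code: a small Python model of the rule evaluation described above (top-down, first match wins, built-in Allow All last, and a simplified state table so replies to an allowed flow are not caught by a later deny), with both use cases encoded as rule sets. The `Rule` and `Firewall` names and the flow-tracking approach are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str     # "allow" or "deny"
    protocol: str   # "any", "tcp", "udp" or "icmp"
    src: str        # CIDR, single address or "any"
    src_port: str   # port number as a string, or "any"
    dst: str
    dst_port: str


def _net_ok(field, ip):
    return field == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def _port_ok(field, port):
    return field == "any" or int(field) == port


def rule_matches(r, proto, src, sport, dst, dport):
    if r.protocol != "any" and r.protocol != proto:
        return False
    if not (_net_ok(r.src, src) and _net_ok(r.dst, dst)):
        return False
    if r.protocol == "any":      # port fields are greyed out for protocol ANY
        return True
    return _port_ok(r.src_port, sport) and _port_ok(r.dst_port, dport)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()       # allowed 5-tuples; replies to these bypass the rules

    def evaluate(self, proto, src, sport, dst, dport):
        """Return (policy, reason) for one packet, e.g. ("deny", "rule 2")."""
        if (proto, dst, dport, src, sport) in self.flows:
            return ("allow", "established")
        for n, r in enumerate(self.rules, start=1):
            if rule_matches(r, proto, src, sport, dst, dport):
                if r.policy == "allow":
                    self.flows.add((proto, src, sport, dst, dport))
                return (r.policy, f"rule {n}")
        self.flows.add((proto, src, sport, dst, dport))   # built-in Allow All
        return ("allow", "default allow")


USE_CASE_1 = [Rule("deny", "any", "10.0.0.0/8", "any", "192.168.1.0/24", "any")]
USE_CASE_2 = [
    Rule("allow", "tcp", "10.0.0.0/8", "any", "192.168.1.254/32", "80"),
    Rule("deny", "any", "10.0.0.0/8", "any", "any", "any"),
    Rule("deny", "any", "192.168.1.254/32", "any", "any", "any"),
]
```

Swapping the order of the rules in `USE_CASE_2` shows why the allow must sit above the deny: a deny placed first matches the web traffic before the allow is ever consulted.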