TZ-370; Block Internet Traffic for Certain MAC Addresses
TZ-370, SonicOS 7.0.1-5111
Long ago, I created an address group that contains a dozen or so MAC addresses of computers.
I also created a fqdn address group of the sites that those PCs are allowed to go to.
I created a LAN to WAN rule, Source, the MAC address group, and the fqdn group for Destination, Allow.
I create another LAN to WAN rule, Source, MAC address group, and Any, Deny.
If the traffic is from one of those MAC addresses, and it's one of the sites on the fqdn list, it should be allowed.
If not, it goes on to the next rule, which should deny Internet access.
This worked when I first set it up, but now I have added a MAC address to the group, and the original PCs in the group are still blocked, but the new MAC address can go anywhere it wants.
I have edited and saved the lists in the groups, enabled/disabled the firewall rules, but nothing works.
What am I doing wrong? This should be so simple.
Answers
@ITMgr did you checked the priority of your Access Rules, I'am currently investigating some weird behavior where it seems that Access Rule get shuffled around for no reason, resulting in Drop before Allow situations. But this would probably not explain why the new MAC address is working and the older ones not.
Did you do a Packet-Monitor to verify the traffic matches your configuration? If we are talking wirless devices it might be related to have Private WiFi Addresses configured which hide the original MAC.
--Michael@BWC
Thank you for the reply.
The priority of my access rules are correct. I have an allow rule with my list of MACs, a deny rule with my list of MACs, and then the default allow rule.
When I did a packet capture with the new computer on the MAC list, the firewall allowed the traffic indicating the default allow rule, so it was breezing right by my rules with the MAC lists.
On a whim, I enabled "multi-homed" on the address object, and then to my surprise it started blocking the Internet content as I expected. It does make much sense to me. That PC shouldn't ever have more than 1 IPv4 IP address, but whatever, it's now working as expected.
Thanks again for your reply.