
Random Mac Addresses

Is there a way on a TZ570 firewall to be able to stop Random Mac Addresses from receiving an IP address from the built in DHCP server? I can't figure out who or what is connected to see who is using too much bandwidth at times and or assign reservations to IP addresses when needed as the MAC addresses keep changing.

Category: Entry Level Firewalls

Best Answer

  • TKWITS Community Legend ✭✭✭✭✭ (accepted answer)

    AFAIK this is not possible with the Sonicwall DHCP server.

Answers

  • MustafaA SonicWall Employee

    @RTtcv , have you checked the following KB article?

    How To Restrict traffic from only selected MAC addresses using MAC-IP Anti-Spoof Protection

    https://www.sonicwall.com/support/knowledge-base/how-to-restrict-traffic-from-only-selected-mac-addresses-using-mac-ip-anti-spoof-protection/170505994576762/

  • RTtcv Newbie ✭

    Thank you for the link. I will see if it will work to stop devices from giving out a random MAC address and getting an IP address assigned. I'm trying to keep our guest database from getting out of hand, as people will register the same device with a completely different MAC address when they visit us and put their device on our guest network. It would work similar to a deny list for getting an IP address from the firewall based on the suffix of a MAC address. I can perform this filtering on a Windows DHCP server and get the same results. Basically I'm looking for a DHCP filter like a Windows DHCP server filter, where I can use shortened MAC addresses to deny devices access to an IP address from the DHCP server if they are using a device with a random MAC address. If you want a screenshot, send me an email and I will show you what I am talking about. Windows servers have been able to do this for 20 years now.

  • RTtcv Newbie ✭

    Thanks for the answer. I'll be looking to another brand in the future. Random MACs are OK for public areas, but being unable to perform a basic deny/allow as a DHCP server option that's been available on Windows servers for more than 20 years now, on the corporate/vendor/guest wireless network, is kind of important. I know I can slow them down based on VLAN/SSID, but being able to keep them from connecting and blowing up a guest database is also important to me in my situation, as well as providing priority connectivity for all wirelessly connected devices.

  • TKWITS Community Legend ✭✭✭✭✭

    I don't know of a full implementation of this feature on other common non-Cisco firewall vendors.

  • RTtcv Newbie ✭

    PFsen** firewalls have this capability under the DHCP scope options. I'm going to check with an engineer at Palo Al** and see if they also have it. Mera*i's/Cisco have had this capability.

  • TKWITS Community Legend ✭✭✭✭✭

    I've never touched PFSense or Palo so pardon my lack of information.

  • RTtcv Newbie ✭

    I may need to switch wireless vendors to Meraki for guest Wi-Fi areas, as I can apply "do not allow random MACs" per SSID.

    Here are instructions for a pfSense firewall or a Netgate firewall, which is a pfSense box.

    Go to Services --> DHCP Server

    Scroll down to MAC Deny.

    Paste this in:

    A2,B2,C2,D2,E2,F2,12,22,32,42,52,62,72,82,92,02,A6,B6,C6,D6,E6,F6,16,26,36,46,56,66,76,86,96,06,AA,BA,CA,DA,EA,FA,1A,2A,3A,4A,5A,6A,7A,8A,9A,0A,AE,BE,CE,DE,EE,FE,1E,2E,3E,4E,5E,6E,7E,8E,9E,0E

    This link is for Windows DHCP server: How to Enable and Configure DHCP MAC Address Filtering - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com), and characters can be substituted with wildcards, like A2--**-**-**_

    These instructions don't block a device from spoofing another device's MAC; they keep the device from getting an assigned DHCP address from the authorized DHCP server on the network/VLAN.
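    The pfSense deny list above is not arbitrary: every entry is a first octet whose second hex digit is 2, 6, A or E. Those are exactly the octets with the locally-administered bit (0x02) set and the multicast bit (0x01) clear, which is the pattern iOS, Android and Windows use for private (randomized) Wi-Fi addresses. The following script is an added example (not from the thread, not SonicWall or pfSense code) that derives that 64-entry list from the bit rule, and runs the same test over a few constructed dnsmasq-style lease lines so an administrator can see which leases belong to randomized addresses before deciding on a deny list. The lease format and all addresses in it are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample lease lines (expiry, MAC, IP, hostname, client-id),
# loosely modelled on dnsmasq's lease file. Not real leases.
SAMPLE_LEASES = """\
1700000000 a2:5f:3c:11:22:33 192.168.50.21 iphone-guest *
1700000060 00:1a:2b:3c:4d:5e 192.168.50.22 printer-lobby *
1700000120 de:ad:be:ef:00:01 192.168.50.23 * *
1700000180 3c:22:fb:aa:bb:cc 192.168.50.24 laptop-staff *
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def first_octet(mac: str) -> int:
    """Return the first octet of a colon- or dash-separated MAC as an int."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac[:2], 16)


def is_randomized_unicast(mac: str) -> bool:
    """True when the locally-administered bit (0x02) is set and the
    multicast bit (0x01) is clear, i.e. the first octet ends in 2, 6, A or E.
    Burned-in (OUI-assigned) unicast addresses have both bits clear."""
    return first_octet(mac) & 0x03 == 0x02


def deny_list_prefixes() -> List[str]:
    """All 64 first-octet values a randomized unicast MAC can start with.
    This reproduces the pfSense 'MAC Deny' list quoted in the post."""
    return [f"{b:02X}" for b in range(256) if b & 0x03 == 0x02]


def pfsense_deny_list() -> str:
    """Comma-separated form, as pasted into Services -> DHCP Server -> MAC Deny."""
    return ",".join(deny_list_prefixes())


def classify_leases(text: str) -> List[Tuple[str, str, str, bool]]:
    """Parse lease lines into (ip, mac, hostname, randomized) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, host = parts[:4]
        rows.append((ip, mac, host, is_randomized_unicast(mac)))
    return rows


def count_randomized(text: str) -> int:
    """Number of leases held by randomized (locally administered) MACs."""
    return sum(1 for row in classify_leases(text) if row[3])


if __name__ == "__main__":
    for ip, mac, host, rnd in classify_leases(SAMPLE_LEASES):
        kind = "RANDOMIZED" if rnd else "burned-in"
        print(f"{ip:15} {mac}  {host:15} {kind}")
    print(pfsense_deny_list())
```

    Running it prints two of the four constructed leases as randomized (the a2: and de: addresses) and the same 64 prefixes as the list above, in numeric order. Note what it does not do: a client can still pick a locally-administered address, so this only decides whether the authorized DHCP server hands that client a lease.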

  • A_Elliott Enthusiast ✭✭

    @RTtcv What do you do about nearly all modern phones/tablets generating a random MAC every time they connect to a network?

  • RTtcv Newbie ✭

    @A_Elliott I currently have no way to stop them from connecting with a random MAC and getting a DHCP address. I like the control that Meraki has per SSID. The BYOD devices all log into a VLAN that is separate from everything else, but the guest network has a login portal that captures and logs the MAC addresses of every device that authenticates to a user's account. Looking at some of the accounts in my guest portal application, the accounts have more than 10 devices associated with them, depending on how frequently they connect to the guest network/portal.

  • A_Elliott Enthusiast ✭✭

    Right, but that could just be one device that randomizes its MAC address every time it connects to the network.

  • RTtcv Newbie ✭

    @A_Elliott No, that's the default on BYOD devices now. Even my phone, which was set to use the phone's MAC address, switched to random MAC addresses.
