Thanks for the quick reply.
I know I can create an outbound firewall rule in the main Firewall location (Advanced → Firewall Access Rules) that can block traffic based on (1) Any Address, (2) Single Address, (3) Network, (4) MAC Address, (5) Grouped Network. Ordinarily, I would create a separate VLAN and map the SSID to that VLAN and then create a firewall rule to block WAN traffic for the IP range of that VLAN. Unfortunately, due to the need to use some apps/software that are pretty dumb and can’t seem to find devices on a different IP subnet, putting the devices in question in a separate VLAN won’t work.
I cross-posted in the other thread (Surf SOHO Firewall Mode in SSID Settings - #15 by sitloongs) because I don’t understand exactly how the Firewall Settings on the SSID screen work and whether that might be a solution (by selecting “Lockdown - Block all except…” and then creating an exception rule specifying the IP address and mask corresponding to my LAN IP range). (Sorry if cross-posting is discouraged.)
This is what I’m looking at:
Alternatively, if I turned on the “Access Control Settings” and selected “Deny all except listed”, would that prevent a device that randomly rotated its MAC address from connecting if it changed its MAC address (or if it changed its MAC address after connecting, would the connection be maintained somehow)? Do the event logs show if a device tries to connect but is denied based on the Access Control Settings, so that I could see the MAC address that was used? … That wouldn’t be an ideal solution, but at least it would let me assign a static IP address to the device and then create inbound/outbound firewall rules for that IP address without worrying that the device would connect and be assigned a different IP address.
Thanks!