White list MAC Address?


#1

Maybe this is already supported and I’ve just not figured out how to implement it.

What I want is to have a white list of MAC addresses that blocks any traffic through the router (including internal LAN traffic on the same VLAN, including the untagged VLAN) from anything not on the white list, even if the device has a static IP address and so never interacted with the router's DHCP service. I realize that even with such a system, a non-white-listed device with a valid static IP address plugged into a switch would still likely be able to communicate with other devices on that switch, since the packets would never get passed up to the router.

I’m basically trying to slow down, if not stop, users just figuring out what IP addresses might not be assigned, giving their new toy that static IP address, and just plugging their toy into the network. I’m running a Surf SOHO.


#2

Hi,

Would defining Firewall --> Access Rules using MAC address help in your case?


You can deny all traffic using the firewall rules and allow only defined MAC addresses?

**Internet traffic:**
Outbound Firewall Rules

**InterVLAN traffic:**
Internal Network Firewall Rules

Thank You


#3

I don’t think that would work, as the internal rules only take effect when packets move between VLANs. Those rules don’t take effect for communications within the same VLAN.

Also, even if the internal rules took effect without the need to cross VLANs, setting the default rule to “deny” and then having to implement a separate MAC-based “allow” for each device is pretty awkward and onerous from an admin interface standpoint. A white list system similar to the SSID Access Control Settings would be much better.


#4

Hi mjburns,

Are you referring to a feature similar to sticky MAC address blocking?


http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/port-security-persistent-mac-learning.html
https://www.freeccnaworkbook.com/workbooks/ccna/configuring-sticky-switchport-security

This feature should be enabled at the switch level to block devices connecting to the network. If the device’s MAC address is allowed, layer 3 routed traffic will be forwarded to the Surf SOHO for Internet/InterVLAN traffic blocking.

Thank You


#5

Thanks, but I think you are missing the main point. I’m basically trying to slow down users just figuring out what IP addresses might not be assigned, giving their new toy that static IP address, and just plugging their toy into the small organization network. As a small organization, it can only afford consumer-grade switches (like Netgear GS108As). I’m not concerned that a “white list” at the router won’t stop non-white-listed traffic that stays internal to the network. If I had the budget to go out and buy managed switches, I’d also be using something better than a Surf SOHO as the router. But as I said, setting a firewall rule for each MAC address is pretty onerous.

I suppose the equivalent to what I’m asking is to amend the present firewall interface to allow lists of MAC addresses in one rule, rather than the present interface which requires one rule per MAC address.
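Since unmanaged switches forward same-VLAN traffic without ever consulting the router, a practical complement to any router-side white list is periodically auditing who is actually present on the segment. The script below is an added example, not code from this thread or from Peplink: it normalises MAC addresses written in the different notations that vendors use (colon, hyphen, Cisco dotted, bare hex, dropped leading zeros), parses neighbour-table output from `ip neigh` (Linux) or `arp -a` (Windows/macOS), and reports every MAC that is not on the white list, flagging those that also never took a DHCP lease as likely static-IP devices. The allow list, the DHCP lease list and the neighbour-table text are all constructed sample data; the `192.168.1.0/24` addresses and the MAC values are placeholders, not anything from the original post.

```python
import re

HEX_DIGITS = "0123456789abcdef"

# Matches an IPv4 address and a colon- or hyphen-separated MAC anywhere on a line,
# which covers `ip neigh` ("192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"),
# Windows `arp -a` ("192.168.1.5   00-11-22-33-44-55   dynamic") and
# macOS `arp -a` ("? (192.168.1.5) at 0:11:22:33:44:55 on en0 ...").
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_TOKEN_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC notation to lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff (octets may omit a leading zero),
    the Cisco form aabb.ccdd.eeff and bare aabbccddeeff. Raises ValueError otherwise,
    so a typo in the allow list fails loudly instead of silently allowing nothing.
    """
    s = raw.strip().lower()
    parts = re.split(r"[:\-.]", s)
    if len(parts) == 6:            # colon or hyphen separated
        octets = [p.zfill(2) for p in parts if 1 <= len(p) <= 2]
    elif len(parts) == 3:          # Cisco dotted: three groups of four hex digits
        octets = [p[i:i + 2] for p in parts if len(p) == 4 for i in (0, 2)]
    elif len(parts) == 1 and len(s) == 12:   # bare 12 hex digits
        octets = [s[i:i + 2] for i in range(0, 12, 2)]
    else:
        octets = []
    if len(octets) != 6 or not all(len(o) == 2 and all(c in HEX_DIGITS for c in o) for o in octets):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(octets)


def parse_neighbors(text: str):
    """Yield (ip, normalised_mac) for every line that carries both; incomplete/FAILED entries are skipped."""
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_TOKEN_RE.search(line)
        if ip and mac:
            yield ip.group(1), normalize_mac(mac.group(1))


def audit(allow_list, neighbor_text, dhcp_leases=()):
    """Return the neighbours whose MAC is not on the allow list.

    Each result is {'ip', 'mac', 'static'}; 'static' is True when the MAC also never
    appeared in the DHCP lease table, i.e. the device most likely configured its own IP.
    Multicast/broadcast entries (low bit of the first octet set) are ignored.
    """
    allowed = {normalize_mac(m) for m in allow_list}
    leased = {normalize_mac(m) for m in dhcp_leases}
    findings = []
    for ip, mac in parse_neighbors(neighbor_text):
        if mac in allowed or int(mac[:2], 16) & 1:
            continue
        findings.append({"ip": ip, "mac": mac, "static": mac not in leased})
    return findings


# Constructed sample data: an allow list written in three different notations,
# the router's DHCP lease table, and `ip neigh` output captured on the same VLAN.
ALLOW_LIST = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01", "aabb.ccdd.ee02"]
DHCP_LEASES = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"]
NEIGH_OUTPUT = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.12 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.200 dev eth0 lladdr de:ad:be:ef:00:02 REACHABLE
192.168.1.201 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
224.0.0.251 dev eth0 lladdr 01:00:5e:00:00:fb NOARP
"""

if __name__ == "__main__":
    for f in audit(ALLOW_LIST, NEIGH_OUTPUT, DHCP_LEASES):
        kind = "static IP, never leased" if f["static"] else "has a DHCP lease"
        print(f"NOT ON ALLOW LIST: {f['ip']} {f['mac']} ({kind})")
```

Run it from any host on the VLAN (or on the router if it offers a shell) with the real `ip neigh` or `arp -a` output piped into `audit()`; because it reads the neighbour table, it sees devices that never talk to the router's DHCP server at all, which is exactly the case a DHCP-based allow list misses. The `static` flag separates "unknown device that obtained a lease" from "unknown device that assigned itself an address", which is the behaviour the original post wants to discourage.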


#6

We are targeting support for firewall rules with IP groups in v6.4.0. We have just submitted this request to the production team. Hopefully, MAC address groups can be supported too. Please stay tuned with us!


#7

That would be great if it would accept a list, as MAC addresses on a network are pretty random. Blocking a MAC address range isn’t as useful.