I am looking to block access to specific devices on my network using their MAC addresses. But I want this device to be accessible on the internal network. I configured the firewall rule using Src IP addresses, and it works. But when I switch to Src MAC address, the firewall rule does not seem to work.
I’ve googled this topic before posting this question and experimented with various commands.
Here’s the command I’m using to add the firewall rule:
add action=drop chain=forward comment=\
"Block device from connecting to internet" connection-state=\
established,new,untracked out-interface-list=WAN src-mac-address=\
00:XX:XX:XX:XX:XX
What would be a straightforward way to create a rule for this?
The rule looks about right. I’d skip specifying connection-state (if you don’t specify it, any packet regardless of connection state will be subject to the rule).
However, make sure this rule is high enough in the firewall rule list. Remember, rules are evaluated from top to bottom; the first matching rule executes (and stops evaluation of lower rules). Also: the rule won’t necessarily break existing connections if fast-track is enabled (at least not immediately after the rule is created/enabled).
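As an added illustration of the ordering and verification points above (not code from either poster), the following RouterOS CLI sequence first puts a log-only rule at the very top of the forward chain so you can confirm the src-mac-address matcher is actually hitting, then adds the drop rule without any connection-state restriction directly beneath it. The MAC 00:XX:XX:XX:XX:XX is a placeholder, and an interface list named WAN is assumed to exist already.

```routeros
# Added example, not from the thread. Assumes the LAN sits on a bridge whose
# traffic passes through the IP firewall forward chain, and that an interface
# list called WAN exists. 00:XX:XX:XX:XX:XX is a placeholder MAC.
/ip firewall filter

# 1. Temporary log-only rule at position 0 (place-before=0 puts it first).
#    If the MAC matcher sees the device, lines prefixed "mac-test" show up in the log.
add chain=forward action=log log-prefix="mac-test" \
    src-mac-address=00:XX:XX:XX:XX:XX place-before=0 \
    comment="TEMP: verify src-mac matching"

# 2. The actual block. No connection-state given, so every packet from that
#    MAC leaving via the WAN list is dropped. place-before=1 keeps it directly
#    under the log rule, ahead of any fasttrack/accept rules further down.
add chain=forward action=drop out-interface-list=WAN \
    src-mac-address=00:XX:XX:XX:XX:XX place-before=1 \
    comment="Block device from reaching the internet"

# 3. Verification: packet/byte counters rise only when the rule matches,
#    and the log rule leaves entries you can filter by prefix.
/ip firewall filter print stats where comment~"Block device"
/log print where message~"mac-test"
```

Reading the result: if the IP-based rule matches but the counters on these two rules stay at zero, the packets reaching the forward chain do not carry the device’s own MAC as source. The src-mac-address matcher only ever sees the MAC of the last layer-2 hop, so a device behind another router or a routed (non-bridged) segment cannot be matched this way; it can only be matched by a rule on the device that is its direct layer-2 neighbour. Remove the TEMP log rule once the drop rule is confirmed to count packets.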
Ok, I removed the flags and moved the rule to be one of the first ones, and it’s still not working. Note that when I replace the MAC address with the device’s IP address, it works just fine.
Scratching my head here!