Is there any way to have an Address List that is based on MAC address rather than IP Address? I have users that are frequently out of office and can connect from a variety of locations (their home, mobile Wi-Fi hotspots, hotels, etc.) and I want to create the ability to allow their traffic without manually updating the address lists each time they get a new IP.
When I say “allow their traffic”, I’m referring to a specific port on the firewall that I want to redirect for some VPN users but not others. I’d rather not set up a new pool if I don’t have to.
Even if they did, it wouldn’t matter though because…
The MAC address is only available on directly-connected network segments. If you want to allow remote users to reach your router for VPN, then only the IP address is available to the router filters for consideration. Do a packet capture on the connections. You’ll find that the MAC address on all incoming packets from the Internet will be the same MAC address - that being your ISP’s router’s MAC address. It’s like flying when you have one or more layovers (like hops in IP routing) - after each hop, you’re on a different airplane. The airplane’s tail number would be analogous to a MAC address, and the passenger would be analogous to the IP packet. The destination airport cannot uniquely identify you based on the tail number of the airplane. Your home airport could identify you by the license plate number on your car, though - which is like filtering your own local computers based on MAC addresses…
If you want to do more port filtering, but allow clients to reach the VPN, you could implement a port knocking scheme. Port knocking allows you to block the VPN ports except for those clients which have first given the proper knock sequence. There are some Wiki articles on port knocking if you’re interested.
I’ve never spent much time with ROS and road warrior VPN setup, so I don’t know if it’s supported or not, but you could also look into implementing client certificates as an additional requirement to enhance the security of the VPN, and skip the port filtering.
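The port-knocking scheme described in the answer above, written out as an added RouterOS firewall example (not configuration from the original thread). It uses dynamic address lists with timeouts in place of a static IP list, so a roaming user is admitted from whatever address they currently have after a correct knock. Port numbers (knock 1111 then 2222, VPN on UDP/1194, forwarded port 8443) are constructed placeholders; pick non-sequential knock ports so an ordinary ascending port scan cannot complete the sequence by accident.

```routeros
/ip firewall filter
# Stage 1: a TCP SYN to knock port 1111 (constructed) puts the source in
# "knock-stage1" for 15 seconds. Nothing listens on this port.
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=15s comment="knock 1"

# Stage 2: only sources already in knock-stage1 that then hit port 2222
# (constructed) are promoted to "vpn-allowed" for one hour.
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=vpn-allowed \
    address-list-timeout=1h comment="knock 2 -> open VPN for 1h"

# Drop the knock packets themselves so they never reach a service.
add chain=input protocol=tcp dst-port=1111,2222 action=drop comment="knock ports"

# The VPN port (assumed OpenVPN on UDP/1194) accepts only knocked-in sources;
# every other source is dropped. Rule order matters: the knock rules above
# must come before these two.
add chain=input protocol=udp dst-port=1194 src-address-list=vpn-allowed \
    action=accept comment="VPN for knocked-in sources"
add chain=input protocol=udp dst-port=1194 action=drop comment="VPN for everyone else"

# The questioner's "redirect a port for some VPN users but not others":
# a dst-nat rule that only matches sources in the dynamic list.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=8443 src-address-list=vpn-allowed \
    action=dst-nat to-addresses=192.0.2.10 to-ports=443 \
    comment="redirect 8443 (constructed) only for knocked-in sources"
```

Check the live list with `/ip firewall address-list print where list=vpn-allowed`; entries show a dynamic flag and expire on their own, so nothing needs manual cleanup. The knock only gates reachability of the port; the VPN's own authentication (credentials or the client certificates mentioned above) remains the actual security control.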