
Blocking access to LAN, from a specific MAC that's connected via WIFI (APX)

Hello everyone,

I have a Sophos XG firewall, and an APX320 access point.  The access point is in "Bridge AP to LAN" mode.

At the network level, Port 1 is the LAN (which goes to a switch), Port 2 is the WAN.

I am adding a computer to the network that will connect through this access point.  I was hopeful to allow it to access WAN, but completely isolate it from the LAN.

Unfortunately, any rules that I set to drop/reject traffic from this MAC address, for example:

Source: Any zone, "The MAC address"
Destination: Any zone, Any host
What: Any service

Do not successfully drop local packets.

How can this be achieved?

Thank you!



This thread was automatically locked due to age.
  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Is this drop traffic rule on top of all the firewall rules? I'd suggest you run a packet capture to identify the firewall rule for this traffic. 

    Is there any specific reason why you bridge the wireless network to LAN? If you want to isolate wireless devices from the LAN network, configure a separate zone wireless network. 

    Thanks,

  • Thanks Harsh!

    Yes, the rule is at the very top and is not being fired.

    So far it was bridged because it met requirements, and was the easiest road; to date, I didn't want to segregate wireless devices.  With this new requirement, I need to segregate just one.

    The scenario is a contractor who connects via WIFI and should not be permitted to access local stores (database servers, internal web services, etc.). They should, however, have Internet access.

    Likewise, existing employees on WIFI should not be segregated from local stores.

  • Hi,

    You need to change your rule to be source zone LAN, MAC address, destination WAN, ANY, any service.

    Maybe even refine the source network and create your device as a clientless user and then add it to allowed users.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian, thanks for your response.

    I'm having trouble computing what you're trying to communicate though.  I'm trying to permit WAN, but drop LAN.

    With these rules, the computer can access the WAN __and__ the LAN -- which is not the outcome I would have expected:

    Rule 1: Source LAN + MAC, Destination WAN Any --> ALLOW

    Rule 2: Source LAN + MAC, Destination LAN Any --> DROP

    To add detail, I want for this computer to be able to visit google.com, but not access any IP address on the LAN (such as 192.168.168.1).

  • The rule should be

    Source zone LAN, network your local network

    Destination WAN, any, any service, log.

    Use clientless users to limit which devices can access that firewall rule. The settings will only work on traffic that reaches the firewall.

    But not stop or control it. You will also need to implement SSID isolation as well. Further you would need to disable discovery on all the PCs on that network.

    The above will not work very well when there is a switch involved because it will pass the traffic before it gets to the firewall.

    Ian




    refined the details.
    [edited by: rfcat_vk at 8:57 AM (GMT -7) on 1 Aug 2021]
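The point Ian makes in his last reply (a rule can only act on traffic that actually reaches the firewall; a switch or a bridged AP forwards same-subnet traffic on its own) is easy to see in a small model. The following is an added example written for this thread, not Sophos code and not anything the posters ran. It models the firewall as an ordered rule table that only evaluates packets crossing between interfaces, and a bridged LAN as one broadcast domain in which same-subnet packets are switched without ever hitting that table. All MAC addresses, subnets and the WIFI zone name are constructed; 192.168.168.1 is the LAN host mentioned in the thread.

```python
"""Where a firewall rule can and cannot act: bridged AP vs separate wireless zone.

Constructed example. Every MAC, the 10.10.10.0/24 WIFI subnet and 203.0.113.10
are made up; 192.168.168.1 is the LAN address named in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    """One firewall interface: the zone it belongs to and the subnet behind it."""
    zone: str
    network: IPv4Network


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "ANY" matches every zone
    src_mac: Optional[str]   # None matches every MAC
    dst_zone: str            # "ANY" matches every zone
    action: str              # "ALLOW" or "DROP"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str


def segment_of(ip: str, segments: List[Segment]) -> Optional[Segment]:
    """Return the local segment holding ip, or None if it is only reachable via WAN."""
    addr = IPv4Address(ip)
    for seg in segments:
        if addr in seg.network:
            return seg
    return None


def firewall_verdict(pkt: Packet, rules: List[Rule], segments: List[Segment]) -> str:
    """Evaluate an ordered rule table; first match wins, default deny."""
    src = segment_of(pkt.src_ip, segments)
    dst = segment_of(pkt.dst_ip, segments)
    src_zone = src.zone if src else "WAN"
    dst_zone = dst.zone if dst else "WAN"
    for r in rules:
        if r.src_zone not in ("ANY", src_zone):
            continue
        if r.dst_zone not in ("ANY", dst_zone):
            continue
        if r.src_mac is not None and r.src_mac.lower() != pkt.src_mac.lower():
            continue
        return r.action
    return "DROP"


def forward(pkt: Packet, rules: List[Rule], segments: List[Segment]) -> str:
    """Decide what happens to pkt: switched at layer 2, or judged by the firewall."""
    src = segment_of(pkt.src_ip, segments)
    dst = segment_of(pkt.dst_ip, segments)
    if src is not None and src == dst:
        # Same broadcast domain: the switch (or the AP bridged to the LAN)
        # forwards on MAC alone, so the firewall's rule table never sees it.
        return "SWITCHED"
    return firewall_verdict(pkt, rules, segments)


CONTRACTOR_MAC = "02:00:00:00:00:01"   # constructed
EMPLOYEE_MAC = "02:00:00:00:00:02"     # constructed
LAN_HOST = "192.168.168.1"
INTERNET_HOST = "203.0.113.10"          # constructed (documentation range)


def bridged_scenario() -> Dict[str, str]:
    """AP in 'Bridge AP to LAN' mode: wireless clients share the LAN subnet."""
    segments = [Segment("LAN", IPv4Network("192.168.168.0/24"))]
    rules = [  # the rules from the thread, contractor MAC on top
        Rule("LAN", CONTRACTOR_MAC, "WAN", "ALLOW"),
        Rule("LAN", CONTRACTOR_MAC, "LAN", "DROP"),
        Rule("LAN", None, "WAN", "ALLOW"),
    ]
    contractor = "192.168.168.50"
    return {
        "contractor->lan": forward(Packet(CONTRACTOR_MAC, contractor, LAN_HOST), rules, segments),
        "contractor->internet": forward(Packet(CONTRACTOR_MAC, contractor, INTERNET_HOST), rules, segments),
    }


def separate_zone_scenario() -> Dict[str, str]:
    """Wireless on its own zone/subnet: LAN-bound traffic must be routed, so rules apply."""
    segments = [
        Segment("LAN", IPv4Network("192.168.168.0/24")),
        Segment("WIFI", IPv4Network("10.10.10.0/24")),  # constructed zone and subnet
    ]
    rules = [
        Rule("WIFI", CONTRACTOR_MAC, "LAN", "DROP"),
        Rule("WIFI", None, "ANY", "ALLOW"),   # employees keep LAN and Internet access
    ]
    contractor, employee = "10.10.10.50", "10.10.10.20"
    return {
        "contractor->lan": forward(Packet(CONTRACTOR_MAC, contractor, LAN_HOST), rules, segments),
        "contractor->internet": forward(Packet(CONTRACTOR_MAC, contractor, INTERNET_HOST), rules, segments),
        "employee->lan": forward(Packet(EMPLOYEE_MAC, employee, LAN_HOST), rules, segments),
    }


if __name__ == "__main__":
    print("bridged:", bridged_scenario())
    print("separate zone:", separate_zone_scenario())
```

In the bridged case the DROP rule is correct but unreachable: the contractor's packet to 192.168.168.1 comes back as SWITCHED, while Internet traffic is judged and allowed. Putting the wireless clients on their own zone turns the same LAN-bound packet into routed traffic, the MAC-scoped DROP fires, and employees on that zone are still allowed through by the broader rule beneath it.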