
XG firewall rule with mac-host destination does not work

Hello again,

Experiences with XG are split between "hm k" and "wtf"; only a few things seem to be really better.

First thing (opinions are different here): it's a shame that you cannot define hosts with IP and MAC in the same object, and also the fact that it is only possible to define a "mac host" object with the option "mac list", where you have to enter ALL damn MACs, unsorted, horrible to view and edit... why not like "ip hosts", where you can add ip-hosts to a group, same for "mac host group" with adding the "mac hosts"?

OK, now the problem from the topic / title: when creating a firewall rule like the following, it does not work - nothing can be seen in the log viewer:

ALLOW: source zone: wlan2, source network: mac-host-X, destination zone: lan2, destination network: mac-host-Y

Source host is dyn IP, destination host additionally has a DHCP reservation (next crappy configuration, the DHCP reservations).

The rule only works if I add a separate IP-host-Y to the rule for the host-Y.

OK, rules for firewall and webfilter seem to work when source hosts are defined as IP-host and/or as mac-host. Right? So some tests suggested that.

Why not in destination?

Is that a "feature" or a bug?

Thx in advance
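An added illustration, not from the original post and not a statement of how SFOS evaluates mac-host objects (the thread does not say): one general-networking reason a destination MAC is awkward to match on a routed path is that the frame arriving from wlan2 is addressed at Layer 2 to the firewall's own interface MAC, not to host Y. The destination host's MAC only becomes known through an IP-to-MAC mapping on the lan2 side (ARP cache or DHCP reservation). The toy rule matcher below models that; all addresses, the `Packet`/`Rule` types and the `neighbors` table are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample addresses (locally administered MACs, not from the thread).
FW_WLAN2_MAC = "02:00:00:00:a2:01"   # firewall's own interface on wlan2
HOST_X_MAC = "02:00:00:00:10:aa"     # "mac-host-X", client on wlan2
HOST_Y_MAC = "02:00:00:00:20:bb"     # "mac-host-Y", server on lan2
HOST_X_IP = "10.10.0.23"             # dynamic address of host X
HOST_Y_IP = "10.20.0.50"             # hypothetical DHCP reservation for host Y


@dataclass(frozen=True)
class Packet:
    """What the firewall sees on the ingress interface."""
    in_zone: str
    l2_src: str   # Ethernet source MAC of the arriving frame
    l2_dst: str   # Ethernet destination MAC of the arriving frame
    ip_src: str
    ip_dst: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_mac: Optional[str] = None   # "mac-host" object as source
    dst_mac: Optional[str] = None   # "mac-host" object as destination
    dst_ip: Optional[str] = None    # "ip-host" object as destination


def matches(rule: Rule, pkt: Packet, egress_zone: str,
            neighbors: Optional[Dict[str, str]] = None) -> bool:
    """Evaluate a rule against a routed packet.

    neighbors: optional IP->MAC table for the egress side (ARP cache or DHCP
    reservations). Without it, a destination MAC can only be compared with the
    frame's own L2 destination, which on a routed path is the firewall itself.
    """
    if pkt.in_zone != rule.src_zone or egress_zone != rule.dst_zone:
        return False
    # Source MAC is directly visible in the arriving frame header.
    if rule.src_mac is not None and pkt.l2_src.lower() != rule.src_mac.lower():
        return False
    if rule.dst_ip is not None and pkt.ip_dst != rule.dst_ip:
        return False
    if rule.dst_mac is not None:
        if neighbors is None:
            candidate = pkt.l2_dst                      # frame header: gateway MAC
        else:
            candidate = neighbors.get(pkt.ip_dst, "")   # resolved real host MAC
        if candidate.lower() != rule.dst_mac.lower():
            return False
    return True


# The frame host X sends towards host Y: at L2 it is addressed to the gateway.
PKT = Packet(in_zone="wlan2", l2_src=HOST_X_MAC, l2_dst=FW_WLAN2_MAC,
             ip_src=HOST_X_IP, ip_dst=HOST_Y_IP)

# Rule as described in the post: mac-host on both ends.
RULE_MAC_BOTH = Rule("wlan2", "lan2", src_mac=HOST_X_MAC, dst_mac=HOST_Y_MAC)
# The workaround from the post: an ip-host for Y as destination.
RULE_IP_DST = Rule("wlan2", "lan2", src_mac=HOST_X_MAC, dst_ip=HOST_Y_IP)

# Egress-side neighbour table, e.g. populated from the DHCP reservation.
NEIGHBORS = {HOST_Y_IP: HOST_Y_MAC}


def demo() -> Dict[str, bool]:
    """Run the three scenarios and return whether each rule matched."""
    return {
        "mac_dst_header_only": matches(RULE_MAC_BOTH, PKT, "lan2"),
        "mac_dst_with_neighbor_table": matches(RULE_MAC_BOTH, PKT, "lan2", NEIGHBORS),
        "ip_dst_workaround": matches(RULE_IP_DST, PKT, "lan2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ALLOW' if result else 'no match'}")
```

The first scenario reproduces the symptom (source MAC matches, destination MAC never does), the second shows what a firewall would need in order to honour a MAC-bound destination, and the third is the ip-host workaround from the post. The practical check this suggests: if a MAC-based destination rule is silent in the log viewer while the same rule with an IP-host fires, the ingress frame header is the first thing to look at.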

  • Which wireless solution do you use? Because essentially you could screw this entire conversation and go towards an authentication method.

    With a Wireless Solution, Radius SSO would be possible: https://support.sophos.com/support/s/article/KB-000038858?language=en_US This would give you the option, each client in WPA2 Enterprise is an Authenticated User in SFOS, so you could simply use the User Firewall Rule instead. 


  • Thx.

    So you mean an implementation in AD for the whole XG including WLAN would solve the "user problem" with MAC, IP and the whole "object" topic?

    And does this solve the firewall rule problem with mac-object?

    The device is used in a non-Active-Directory environment, WLAN simply Sophos APX access points with WPA2 auth, and for guests a captive portal hotspot.

    Regards, Andy.

  • I was never a fan of MAC filters in the first place, so I never used them. What is the use case of this kind of implementation? What do you try to achieve?

    Do you want to split guest and your own devices? Why not use two different SSIDs?


  • Use case are clients without double definition of mac-host and ip-host, and also no DHCP reservation, which should access (from and in another "vlan" and subnet) several hosts from WLAN2 (for example the Ubiquiti Protect appliance in LAN2). I thought it would be better and safer (not to override rules / webfilter) to define firewall rules and webfilter bound to the MAC address, in case of manually changing the IP address.

    There are two wired LANs / subnets defined, further 4 SSIDs (1 of them is bound to the primary LAN, two of them have their own subnet and the last one is for guests / hotspot).
