Prevent IP Address Assignment via MAC Addr

Hello busthead ,

Thank you for reaching out to the community, you can create a network defination for the MAC Address [Path: Definitions & users > Network Definitions > MAC Address]
 And then you can use the definition to allow/block !

Vivek Jagad said:

then you can use the definition to allow/block !

Where is the UTM UI is there an option to block by MAC address?

Vivek Jagad said:

It is just the rule action drop/reject with source MAC

Vivek Jagad I created MAC Address Definitions but they don't appear to be a valid firewall rule Source:

hey busthead ,

it can be used to further restrict a rule based on hosts/IP addresses to only match devices which have one of the defined MAC addresses.

So for reference see the screenshot below:
Step1

Step2
Select the Source MAC Address: 
And select the action based on your requirement either allow/drop/reject 

Thanks for clarifying. Unfortunately, specifying their MAC under Advanced didn't prevent the hosts from being assigned an IP address:

either you can put the computer on a vlan/subnet that doesn't have a DHCP server on it. Don't enable DHCP Relay for that subnet and you're fine. Or, just assign a static IP

Vivek Jagad said:

put the computer on a vlan/subnet that doesn't have a DHCP server on it.

Good idea but these are unknown hosts (I can't find them) so I can't change their configuration.

Other than running another DHCP server on the VLAN, is there a way to restrict their MAC addresses to the VLAN on the UTM side?

I created a VLAN:

And a DHCP server on the VLAN interface (Unknown):

Static mappings for the unknown hosts in the Unknown address space:

And they are still receiving an IP address from my production DHCP server:

Blocking hosts shouldn't be this difficult. Ubiquiti can do it with three clicks...

Vivek Jagad said:

either you can put the computer on a vlan

How does one put a computer on a vlan in this context?  He would need to be using a a switch that does mac based vlan assignments (a cheap netgear gs308t does this). I'm not sure how this is possible otherwise if the clients in question are on the same lan segment.

Simply defining a vlan in UTM is insufficient. Client needs to be placed on that vlan by some means - either mac based vlan switch, or vlan definition in the client nic settings. Unless i'm missing something, just defining a vlan in utm does nothing for the above considerations.

Using mac based vlan is quite simple.  Assign client to a undefined vlan - that is a vlan which has no services available. Client will never get an ip, nor be able to access any other part of the lan.

Blocking by firewall isn't optimal either as that doesn't affect other mechanisms such as web proxy, which will allow access.

Toggling Clients with static mappings only in the UTM dhcp server setting achieves what the OP is after, so long as all other connected clients have been defined in UTM. Unknown clients get no dhcp assignment. This is a bit of using a sledge hammer on a picture nail type solution. What happens when a new unknown client is connected.... it won't have any network services.

OP's request seems quite simple, yet there doesn't appear to be an elegant simple solution of literally just not assigning an IP to a matched MAC.

Depending on the size of your network, it may work best to flip the logic and enable the static mappings toggle in the dhcp server. This will effectively assign IP's to defined clients and block all unknown.

Or, perhaps more detail with respect to why you're trying to block these clients?

busthead said:

Good idea but these are unknown hosts (I can't find them) so I can't change their configuration

We do it the other way 'round. Any unknown MAC goes into a quarantaine VLAN wihn no further network or internet access (we use the wireless hotspot for this it also works on wired networks). Better for security.

^^How are you doing this?  What determines the mac going in to the quarantine vlan?

Jay Jay said:

Toggling Clients with static mappings only in the UTM dhcp server setting

Great suggestion, thank you! I will give this a try.

Jay Jay said:

more detail with respect to why you're trying to block these clients?

The hosts are unknown. I'm hoping that blocking them will cause them to cease functioning, revealing which hosts they are, AND to prevent the unnecessary use of my 50 IP address allocation.

Jay Jay said:

Toggling Clients with static mappings only in the UTM dhcp server setting

Great suggestion, thank you! I will give this a try.

Jay Jay said:

more detail with respect to why you're trying to block these clients?

The hosts are unknown. I'm hoping that blocking them will cause them to cease functioning, revealing which hosts they are, AND to prevent the unnecessary use of my 50 IP address allocation.

tThe static mappings option will work then.  In testing, if no other dhcp server (you can have *multiple dhcp servers for the same interface so long as their ip assignments don't overlap) exists for the given interface then the device is not assigned any ip at all and defaults to a 169.xxx which goes nowhere.

I'm using this arrangement to assign specific ip's to known devices, and other ip's within the same subnet to unknown devices.

For known devices:

For unknown devices:

Why?  Unknown devices get different web filtering settings applied than known devices.

Note! The above will not work for ipv6 if using slaac/stateless assignment. Some mechanism of setting vlan will need to be used to block them so the device requests never reach UTM in the first place.

I'm looking forward to reading how Alan Brand implements the mac quarantine scheme.

busthead said:

Great suggestion, thank you! I will give this a try.

Woo-hoo, it worked!