
Rules firewall MAC

Good afternoon community and thank you in advance.
I want to apply several rules with MAC filtering to my network configuration and they do not work, whereas the same rule applied to an IP address works correctly.

The assumption is as follows:
I have created two LANs (R1 and R2), separated from each other and configured on different XG interfaces. What I want is to allow the R2 computers to have access to certain computers in the LAN R1; these computers have their MAC registered in XG.

That is to say, first I register the MAC of the LAN1 equipment in Hosts and services - host mac.

And secondly I create a rule that ALLOWS ACCESS from R2 to R1, and in the "Destination networks" section I add the "mac host" added in the previous step.

That doesn't work for me, and I don't know what I'm missing.
On the other hand, if I enter the IP of the equipment, the rule works correctly.



  • Hi  

    I believe a destination-based MAC or MAC list rule will not work, and the reason for this is that a MAC address never crosses its broadcast domain.

    So in your setup, when you initiate any packet from R2 to R1, up to the R2 interface on XG it will be one broadcast domain, and from the R1 interface of XG to the end system it will be another, separate broadcast domain.

    So `arp -a` from any machine on R2 will never show ARP entries learned from the R1 network, and vice versa, and that's how layer 2 technology works.

    So the better option in your scenario is to restrict the communication by defining the required MAC or MAC list on the source side rather than on the destination network end of the rule.
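
The point made in the reply above, as an added example that is not part of the original thread and is not Sophos XG's own logic: a small model of one routed packet going from R2 to R1, showing which Ethernet and IP fields the firewall actually sees. All MAC/IP addresses are constructed, and `rule_matches` is a hypothetical stand-in for a firewall rule check.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

# Constructed sample addressing (not taken from the thread).
R2_NET = ipaddress.ip_network("192.168.2.0/24")
FW_R2_MAC = "02:00:00:00:02:01"   # firewall interface facing R2
FW_R1_MAC = "02:00:00:00:01:01"   # firewall interface facing R1
R2_PC = ("02:00:00:00:02:10", "192.168.2.10")
R1_SERVER = ("02:00:00:00:01:20", "192.168.1.20")
# ARP table of the R2 host: it only learns neighbours in its own broadcast domain.
R2_ARP = {"192.168.2.1": FW_R2_MAC}

def send_from_r2(dst_ip, gateway="192.168.2.1"):
    """Frame as it leaves the R2 host: off-subnet traffic goes to the gateway's MAC."""
    next_hop = dst_ip if ipaddress.ip_address(dst_ip) in R2_NET else gateway
    return Frame(R2_PC[0], R2_ARP[next_hop], R2_PC[1], dst_ip)

def route_to_r1(frame, r1_arp):
    """Frame the firewall emits on R1: new Ethernet header, unchanged IP addresses."""
    return Frame(FW_R1_MAC, r1_arp[frame.dst_ip], frame.src_ip, frame.dst_ip)

def rule_matches(frame, field, allowed):
    """Hypothetical rule check: is the chosen header field in the allowed set?"""
    return getattr(frame, field) in allowed

def evaluate():
    ingress = send_from_r2(R1_SERVER[1])   # what arrives on the R2 interface
    egress = route_to_r1(ingress, {R1_SERVER[1]: R1_SERVER[0]})
    return {
        "dst_mac_rule": rule_matches(ingress, "dst_mac", {R1_SERVER[0]}),
        "src_mac_rule": rule_matches(ingress, "src_mac", {R2_PC[0]}),
        "dst_ip_rule": rule_matches(ingress, "dst_ip", {R1_SERVER[1]}),
        "ingress_dst_mac": ingress.dst_mac,
        "egress_src_mac": egress.src_mac,
    }

if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The frame arriving on the R2 interface carries the firewall's own MAC as its destination, so a rule keyed on the R1 host's MAC has nothing to match, while the source MAC and destination IP are both visible at that point.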