DHCP Multiple MAC to one IP

Hi,

Is there any way to map a static IP to multiple MAC addresses?

In UTM it was possible just by adding all the MAC addresses to a host object, and whichever MAC was presented to the DHCP server, it would get that IP address. I get that there are pitfalls to doing this but I've never had a problem with it.

This is really useful as most devices now mask their physical MAC addresses as a tracking avoidance measure, and the virtual MAC only changes when the SSID changes (OK, a couple of other scenarios, but it's generally mapped statically to the SSID). I'd like my kids' devices to get the same IP regardless of which MAC address is presented so I can manage their traffic through content filtering.

TIA

D



  • Hi,

    there is another way to limit your children's internet access. Assign a fixed IP in the DHCP server to a MAC address. Then create a clientless user based on the IP address and then create a clientless user group.

    In the firewall rules that you allow your children to use change the access to match known users. Doing this will stop them changing IP addresses by changing MAC addresses. You will need to do this for all your rules including your own devices.

    If you have a range of IoT devices you can do the same thing and create a clientless user group for them.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian, thanks for responding.

    I've been looking at clientless but I'm not sure I understand how it will help.

    Let's say I add a DHCP reservation on 10.0.0.50 mapped to their physical MAC, and create a clientless user on that IP. If they enable Private MAC then they'll get a different IP address which isn't mapped on the clientless user and they fly under the radar, no?

    It seems to me that I would need to reserve an IP on each MAC address, then create 2 clientless users, one for each reservation, and then add them to a user group for use in policies.  That being the case, I'm not sure what it offers over just creating a Host Group containing the two reservations, and using that in policies?  Surely either way, if the IP address changes then they fall out of scope of the policy anyway?

    I'm sure I'm missing something here ;)

  • Hi DCALS,

    if they are assigned a different IP address then they will not get past the firewall rule because that address is not part of the clientless group of users in the firewall rule.

    If you want to stop them fiddling and trying to work around your firewall rules by changing their MAC address, they will fail. The clientless group function works very well. I have a number of IoT devices all with fixed address assignments and clientless users to restrict access to specific URLs to reduce the chances of attacks.

    I have both IPv4 and IPv6 addressing schemes active with 44 clientless users in total. When bringing a new device on to the network, clientless user groups can be a bit challenging until you assign the device an address and create a clientless user in the correct group. At times I have to use unrestricted rules with clientless users to identify connection issues.

    Please feel free to ask more questions.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Ah, so you mean process every connection through an explicit rule for each client (or group etc.), rather than an allow-all at the bottom with the exceptions (e.g. the kids' devices) higher up the processing order. So no-rule-no-banana? Otherwise, with a different IP they would pass the block rule and hit the default rule (which is allow-outbound).

    I'm probably a bit old-school for Sophos Firewall ;) as I would usually start with an allow-all-outbound for say HTTP(S) and then block/modify by exception.  I think what you're suggesting is block all outbound and allow by exception.

    Am I understanding you correctly?

    Thanks

    D

  • How will this solve the issue of private MAC address technology?

    Apple has activated this by default starting with iOS 14. A mobile device will change MAC address every time it connects to a wireless network to prevent tracking etc. You will need to fix the MAC address for these devices.

     
    SFVH (SFOS 19.5.1 MR-1-Build278) - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • That's not exactly correct. The MAC address assigned to an SSID remains the same unless you 'forget' the network and reconnect to it as if it were new (or wipe your device). So while it's not infallible, it's still fairly reliable to map to the virtual MAC.

  • You are right. Nevertheless I have my kids set the MAC address on the internal Wi-Fi network to use the device MAC address; there seems to be no need to use private MAC address technology on the home network...

    Assigned an IP address to the MAC address and further used the same procedure as Ian described above.

  • You have a point in that you can run your network based on IP addresses everywhere. It's much more meaningful to use names and clientless users allow this. And it also allows a single checkbox in a rule to close that rule to anyone not "authenticated" by MAC address (hence getting a particular IP hence being a particular clientless user).

    In addition, it's easier to display current activity based on (clientless) user name rather than IP addresses.

    So I have static IP addresses for all of my devices. Then clientless users for each. But I do also allow dynamic IPs to be handed out as well. It makes it easier to just connect a new device and have it appear in DHCP where I can copy/paste its MAC address, etc if I want to include it in my infrastructure. But just a checkbox in my WAN-bound rules means these dynamic devices can't get anywhere.

    It's a little inconvenient having to do everything twice (DHCP static, clientless user) but for a home network it's not bad and it makes everything easier and cleaner in the admin tools.

    In my case, the AppleTV presents its known MAC address (what you see on the AppleTV if you display its MAC), but as my HomeKit hub it also presents two random MAC addresses as well. I think that's part of HomeKit. Anyhow, I don't stop that and it gets two dynamic IPs, but those IPs won't get to the WAN because I don't (and can't, because they change) have them as clientless users. Sort of like your situation.
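As an added illustration of the procedure Ian and the post above describe (not code from the thread or from Sophos), this script audits a DHCP lease table against static reservations and clientless users: a lease whose IP has no clientless user would be dropped by a rule restricted to known users, and a MAC with the locally-administered bit set is the signature of a randomized "private" address. The lease lines, reservations and user names are constructed sample data.

```python
"""Audit DHCP leases against reservations and clientless users (added example)."""

# Constructed sample data: a dhcpd-style lease table as "ip mac hostname" lines.
SAMPLE_LEASES = """\
10.0.0.50  a4:83:e7:11:22:33 kid-phone
10.0.0.137 de:ad:be:ef:00:01 kid-phone
10.0.0.60  00:11:22:33:44:55 appletv
10.0.0.201 f6:01:02:03:04:05 appletv
"""
# Constructed: DHCP static reservations (MAC -> IP) and clientless users (IP -> name).
RESERVATIONS = {"a4:83:e7:11:22:33": "10.0.0.50", "00:11:22:33:44:55": "10.0.0.60"}
CLIENTLESS_USERS = {"10.0.0.50": "kid-phone", "10.0.0.60": "appletv"}


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set; randomized
    private MAC addresses are generated with this bit on."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text: str) -> list[tuple[str, str, str]]:
    """Turn 'ip mac hostname' lines into (ip, mac, hostname) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ip, mac, host = line.split()
            rows.append((ip, mac.lower(), host))
    return rows


def audit(text: str) -> list[dict]:
    """For each lease report whether it hit its reservation, which clientless
    user (if any) a 'match known users' rule would see, and whether the MAC
    looks randomized. No clientless user means the rule does not apply."""
    report = []
    for ip, mac, host in parse_leases(text):
        user = CLIENTLESS_USERS.get(ip)
        report.append({
            "ip": ip, "mac": mac, "host": host,
            "reserved": RESERVATIONS.get(mac) == ip,
            "clientless_user": user,
            "allowed_by_known_users_rule": user is not None,
            "random_mac": is_locally_administered(mac),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LEASES):
        print(row)
```

Run against a real lease export, the rows with `random_mac` set and no clientless user are exactly the devices that fall outside the policy in the way the thread discusses.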

  • I agree, but the damn thing puts up a security warning when you disable private address, and then my kids go into the settings and re-enable it.

  • They need to be taught that this is a scare campaign, which they will see many of, and need to learn to understand what each warning is implying.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • The iPhone only gives this warning once, so you'll see it but they never should. The setting is on a per-SSID basis, so it doesn't repeat. At least it hasn't for any of our devices.
