Perhaps someone else can test this process and see if you likewise get broken results.
Brief Background:
- 12-year UTM reseller, giving a second go at setting up an XG system for evaluation to see if 16.x is getting more viable.
- Test system is in my test lab (aka the home network that controls our 5 children and their 40-odd devices with an XG125).
I decided the best way to set up this test was to do the following. (Yes, it's overly complex, but it's a test/learn experience.)
- Supernet the LAN into 192.168.0.0/16, with each kid getting a 3rd octet to themselves: 192.168.10.0/24, 192.168.20.0/24, etc.
- Each kid's devices are given a static IP with a DHCP reservation; a host IP object is created to match; and those are dropped into a separate group per kid.
- LAN policy unique per kid (the age range is vast); the policy only traps traffic for the kid in question's IP host group. It can also be by /24 subnet; still experimenting.
- Clientless users are created for each of the kid's devices with matching IP and placed into separate clientless groups Kid1, Kid2...Kid5.
- Policy is set up as Match known users by the Kid1 group that matches the LAN for that kid.
So here is the weird part: if I enter the kids' devices one at a time into clientless networking, it works perfectly. If I bulk-add the clientless users, they don't work. I've tested this a ton of times now. Singly added clientless users work perfectly, but bulk-added ones don't match correctly. I've tried with individual users and with users in groups. Delete a user that's not working and add them back exactly as they are, and they instantly work.
The above works well to thwart overly smart kids, as all other IP addresses in the network go to a DHCP domain that has almost no surf privileges. Only a device that has both a host entry and a matching user with the same IP can get access. Very hard for the kid to try and move the device manually to a more permissive IP address.
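A quick consistency check for this kind of per-kid mapping before bulk-loading it, added here as an example; it is not part of the original post or of Sophos's tooling. The kid names, device names and addresses below are constructed, and the record layout (DHCP reservation, host object IP, clientless user IP per device) is an assumption that mirrors the design described above.

```python
import ipaddress

# Constructed sample data modelled on the post's design (not an export from the
# author's XG125): one /24 per kid; each device needs a DHCP reservation, a host
# IP object and a clientless user that all carry the same address.
KID_SUBNETS = {
    "Kid1": ipaddress.ip_network("192.168.10.0/24"),
    "Kid2": ipaddress.ip_network("192.168.20.0/24"),
}

# Each record: (kid group, device name, DHCP reservation, host object IP, clientless user IP)
DEVICES = [
    ("Kid1", "kid1-phone",  "192.168.10.11", "192.168.10.11", "192.168.10.11"),
    ("Kid1", "kid1-tablet", "192.168.10.12", "192.168.10.12", "192.168.10.21"),  # user IP typo
    ("Kid2", "kid2-laptop", "192.168.20.11", "192.168.20.11", "192.168.20.11"),
    ("Kid2", "kid2-switch", "192.168.10.12", "192.168.10.12", "192.168.10.12"),  # wrong /24 and duplicate
]


def check_devices(subnets, devices):
    """Return a list of (device, problem) tuples; an empty list means the mapping is consistent.

    A mismatch between host object and clientless user means the device silently falls
    through to the restrictive default policy; an address shared by two kids' groups means
    the 'match known users' policy can pick the wrong kid.
    """
    problems = []
    seen = {}  # address -> first device that claimed it
    for kid, name, dhcp_ip, host_ip, user_ip in devices:
        addrs = {dhcp_ip, host_ip, user_ip}
        if len(addrs) != 1:
            problems.append((name, f"IP mismatch dhcp={dhcp_ip} host={host_ip} user={user_ip}"))
        if ipaddress.ip_address(dhcp_ip) not in subnets[kid]:
            problems.append((name, f"{dhcp_ip} is outside {kid}'s subnet {subnets[kid]}"))
        for addr in addrs:
            if addr in seen and seen[addr] != name:
                problems.append((name, f"{addr} already used by {seen[addr]}"))
            seen.setdefault(addr, name)
    return problems


if __name__ == "__main__":
    for device, problem in check_devices(KID_SUBNETS, DEVICES):
        print(f"{device}: {problem}")
```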