Firewall Rule Based on MAC address

Question

Hi Sophos Community, Engineer and Architect 
 Good Day, 
 It seems that it is an easy Firewall rules based on MAC address.. but then something weird happened. 
 In our main office, I configured Firewall rules based on mac address and it 100% works- ----the blocking of specific websites etc. 
 BUT then in our branch office, I tried to configured firewall rule based on mac address and it does not work.. 
 How come that this firewall rules does not work based on mac address??? 
 It is XG 210 with firmware SFOS 16.05.2 MR 2 
 Thank you.

ThibautVan der Kluft · Accepted Answer

Hi Kunkka, 
 Keep in mind that MAC addresses are used only on layer 2 communication and doesn't "survive" a router. On your branch office, is there any router between your LAN and your XG Firewall?

ThibautVan der Kluft · Answer

Hi Kunkka, 
 A core switch which is doing inter-VLAN routing will prevent the XG firewall from getting the MAC addresses of the PCs. 
 The only solution is to use the XG firewall to do the inter-VLAN routing. That means that you need to trunk all your VLANs to your XG Firewall and then configure each VLAN on it.

ThibautVan der Kluft · Answer

Hi Kunkka, 
 Yes, that is how you configure a VLAN. You need to do that for each VLAN of your network and then, configure a trunk on your switch to send the tagged VLAN to the XG firewall. 
 Your XG Firewall will be the default gateway of your PCs instead of the core switch. 
 Best regards, 
 Thibaut

lferrara · Answer

kunkka , 
 of course you can. Add multiple VLAN on the same port and make sure that the switch port where the XG port is connected, transport all the VLAN you wish. 
 Regards

peter zaher · Answer

Hi Kunkka, 
 add Mac address as host Mac and then use it in firewall rules 
 
 Regards,