I hope this is a quick answer.

Is there a way to block a specific MAC address from getting out from a trusted network to an External network? Effectively blocking their Internet access?

    The "best" way is to set up a DHCP reservation for this MAC addr and then block the IP addr you set up on the DHCP reservation, such as by adding an Any packet filter From: that IP addr To: Any, and set the policy to Denied. Move this policy to the top of your policy list.

    Note that it is fairly easy to change a MAC addr, so this is not foolproof.

    Is this for a computer or a cell phone? Many cell phones today are set to randomize their MAC addresses, so blocking that way won't work for long.

    Keep in mind that if you block ALL Internet access, you'll be blocking its updates, too, creating a potential internal security risk if it's a computer and someone connects an infected flash drive to it.

    Thanks for the replies. The reason for the question was to block certain departments' mobile phones from connecting. When I had DHCP managed by Windows server I could add a bunch into Deny, which stopped them getting IP addresses as well.

    Hi @ChrisSnape

    The issue with denying via the Windows server is all the deny will do is not issue a DHCP address. If the customer can connect to the Wi-Fi they can still see what addresses are valid, and manually find an unused one and enter it. That'll block 99% of users, but for the 1%, it's just a mild annoyance.

    If these are phones, and you want to ban by MAC, I'd suggest looking at whatever APs you have and see if there's a way to just outright deny access to the AP using that MAC, so they can't even connect. It's easy to change your MAC on most modern devices, but in this case they'll get an error saying they can't connect and get bounced off the AP.
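
An added example, not from any poster in this thread: a Python check that compares hosts seen in an ARP table against DHCP leases, to spot the case described above where a denied device skips DHCP and enters an address by hand, and to flag MACs with the locally administered bit that randomizing phones set. The lease, ARP and deny-list data and all function names are constructed for illustration.

```python
import re

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (randomized phone MACs set it)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(arp_table, leases, denied):
    """Compare hosts seen on the wire with DHCP state; return (ip, mac, reasons)."""
    leases = {ip: normalize_mac(m) for ip, m in leases.items()}
    denied = {normalize_mac(m) for m in denied}
    findings = []
    for ip, raw in arp_table:
        mac = normalize_mac(raw)
        reasons = []
        if ip not in leases:
            reasons.append("no-dhcp-lease")        # address entered by hand
        elif leases[ip] != mac:
            reasons.append("lease-mac-mismatch")   # someone else's leased address
        if mac in denied:
            reasons.append("denied-mac-online")    # DHCP deny did not keep it off
        if is_locally_administered(mac):
            reasons.append("locally-administered-mac")
        if reasons:
            findings.append((ip, mac, reasons))
    return findings

# Constructed sample data (not from a real network).
LEASES = {"10.0.1.20": "00:11:22:33:44:01", "10.0.1.21": "da:a1:19:33:44:55"}
DENIED = ["00-11-22-33-44-09"]
ARP_TABLE = [
    ("10.0.1.20", "00:11:22:33:44:01"),  # leased, burned-in style MAC
    ("10.0.1.21", "DA:A1:19:33:44:55"),  # leased, randomized MAC
    ("10.0.1.77", "00:11:22:33:44:09"),  # denied MAC using a manual address
]

if __name__ == "__main__":
    for ip, mac, reasons in audit(ARP_TABLE, LEASES, DENIED):
        print(ip, mac, ", ".join(reasons))
```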

