How do I label devices on my network?
So, I'm using my WatchGuard T20 a little differently than most. I'm using it as my home router/firewall. I've searched for years for parental controls that actually work and gave up, and am now making this work.
So, I'm trying to figure out how to label devices on my network in the Firebox. I just went into network discovery. I can click on a device and tell it to remember it and give it a name that makes sense to me. But, I'm noticing a ton of duplicates in it. It seems every time they change their IP address, a new entry is made in network discovery. So, I'll spend hours getting it updated and tomorrow, IPs will have changed and most of what I did was lost.
I want to create firewall policies that are specific to certain devices on my network, and if they're always changing, it makes it kind of difficult.
Is there a way to do this?
Comments
Hi davidortenn79
You can use the assigned DHCP lease to fix the IP address of devices in your network. You just need to capture the MAC address of the device and set a static address for it.
If you need further help, let me know.
Mike v
And, you can create an Alias name for the IP addr that you assign in the DHCP reservation, and use the Alias name in a policy To/From field.
See the "Configure DHCP Reservations" section, here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/configure_dhcp_server_c.html
Create an Alias
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/alias_create_c.html
Adding on to this:
If you set DHCP reservations, make sure your wireless devices have MAC address randomization turned off. Many modern phones/tablets (and even laptops) will do this by default on wireless networks.
See:
https://support.apple.com/guide/security/wi-fi-privacy-secb9cb3140c/web
https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior
https://support.microsoft.com/en-us/windows/how-to-use-random-hardware-addresses-in-windows-ac58de34-35fc-31ff-c650-823fc48eb1bc (You would want to ensure the inverse, that this feature is turned off)
If you're using this for your children, another option is to have each on their own network/VLAN and have a separate SSID for each. Applying whatever rule is needed to that entire network sidesteps the issue of their MAC address changing. It does, however, break things that require broadcasts to work (such as Apple Bonjour, or Google cast to TV for example, if the device you're trying to talk to is on another subnet.)
-James Carson
WatchGuard Customer Support
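To see why DHCP reservations stop working once Wi-Fi address randomization is on, here is a small added script (not from WatchGuard or the Firebox) that sorts a constructed device list into MACs a reservation will pin down and MACs that look randomized. The only assumption is the input layout: one line per discovered entry as "ip mac label"; the sample rows are made up for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (ip, mac, label); not real Firebox network
# discovery output. The first two rows are the same tablet seen with two
# leases; the third row carries a locally administered (randomized) MAC.
SAMPLE_INVENTORY = """\
192.168.1.20 3c:22:fb:11:22:33 kids-ipad
192.168.1.37 3c:22:fb:11:22:33 kids-ipad
192.168.1.52 a6:5d:03:9a:b4:c1 kids-ipad
192.168.1.10 00:1c:42:aa:bb:cc living-room-tv
"""


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized Wi-Fi addresses on iOS, Android and Windows set this bit.
    It is a heuristic: some VMs and virtual adapters set it too."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_inventory(text: str) -> list[tuple[str, str, str]]:
    """Parse 'ip mac label' lines, normalising the MAC to lower case."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ip, mac, label = line.split()
            rows.append((ip, mac.lower(), label))
    return rows


def reservation_plan(text: str) -> dict:
    """Group entries by MAC so duplicate discovery rows collapse, then split
    them into reservation candidates and MACs that look randomized."""
    ips_by_mac = defaultdict(set)
    label_by_mac = {}
    for ip, mac, label in parse_inventory(text):
        ips_by_mac[mac].add(ip)
        label_by_mac[mac] = label
    plan = {"reserve": {}, "randomized": {}}
    for mac, ips in ips_by_mac.items():
        bucket = "randomized" if is_locally_administered(mac) else "reserve"
        plan[bucket][mac] = {"label": label_by_mac[mac], "seen_ips": sorted(ips)}
    return plan


if __name__ == "__main__":
    for bucket, entries in reservation_plan(SAMPLE_INVENTORY).items():
        print(bucket)
        for mac, info in entries.items():
            print(f"  {mac}  {info['label']:<16} {', '.join(info['seen_ips'])}")
```

Entries in the "randomized" bucket are the ones where turning off randomization on the device (per the links above) is needed before a reservation or alias will stay valid.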
Isn't there a better way than DHCP reservations? On a home-grade router you can just label the device so you can see what it is. I'd rather not have to plan out each device's IP addresses.
Also, if a MAC address changes because it's not using the hardware MAC address, won't that mess up this whole thing?
@davidortenn79 The firebox isn't designed to be a consumer router, so it doesn't do exactly what you're looking for. User tracking is usually centered around the actual user (via Active Directory, LDAP, or RADIUS.)
-The Dimension log/report server can work off of an IP/Name table, but is designed to work most efficiently via reverse DNS to an on-premise DNS server.
-There isn't a facility on the firebox itself to name clients. There are feature enhancements in place to allow the firebox to use DHCP names to identify clients -- but that again is based around DHCP.
-James Carson
WatchGuard Customer Support