Restrict by MAC Address - Bridge

I can see how to restrict ethernet connections by MAC Address but when the Interfaces are 'bridged', the option to restrict does not exist. The Bridge settings don't provide the option to restrict either.

Does anyone know how to restrict ethernet connections on a Bridge configuration? Is it possible?

(T35-W, 12.5.4)


  • james.carson Moderator, WatchGuard Representative

    Hi @David_UK

    MAC addresses are very changeable/spoofable. Anyone with sufficient knowledge and access to use google could easily bypass this.

    The firewall is a layer 3 device -- meaning that it works mostly by IP address, not MAC. The only place MACs can be blocked is in Access Point settings, as it's also working at that level there.

    Keeping the above in mind, if you need to deny a specific MAC address, I'd suggest making a DHCP reservation for that host, and making a deny policy for that IP address to drop the traffic.

    -James Carson
    WatchGuard Customer Support

  • James - MAC addrs can also be blocked on Interfaces - except for Bridge interfaces

  • james.carson Moderator, WatchGuard Representative

    Hi Bruce,

    You are correct, there is a setting (MAC Address Control) in physical interface settings -- but this is only for networks on the bare interface -- for David's situation, this won't be available. Making the reservation and denying that IP is the next best solution.

    My point about them being easily spoof-able stands, however. For my desktop PC, personal laptop, and work laptop, the MAC can be changed for both the wireless and wired NIC in the Windows driver settings.

    -James Carson
    WatchGuard Customer Support

  • Thanks James.
    Door locks are pickable (a Google search will also tell you how to do this) but I still have a lock on my house and lock the door when I leave. :)

    My intention was to add another level of protection - something a bit more 'physical' - to protect the network; not necessarily to prevent a determined hacker, but from an errant user simply wishing to attach an unapproved device. For example, I have a DMZ on one of the T-35's ethernet ports and I've locked that down to a specific MAC address so only a specific device can use it.

    I thought that there may have been something similar for the Bridge which I was just not seeing - but both you and Bruce have confirmed that such a setting doesn't exist; thank you both for the confirmation!

    So, a follow-up question...
    I take your point that MACs are spoofable; does this mean that you would not bother with MAC Filtering on the Wireless network? Is there a benefit for NOT doing it (for example, reduced overhead)?

    Thanks again to you both for the quick replies.


  • james.carson Moderator, WatchGuard Representative

    Hi David,

    I absolutely wouldn't bother with MAC filtering on a wireless network. It causes too many headaches and (in my opinion) isn't worth the additional time required to set it up/maintain it. I'd much prefer to use WPA2/enterprise, where each user must authenticate, and I can revoke that authentication if need be.

    Lockpicks are absolutely a thing, but that doesn't mean putting the most inexpensive lock that I can find on the door is any level of security.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    (With the above in mind,) using an authorized WLAN policy, and WIPS, it's also possible to keep track of clients that should only be connecting to specific SSIDs and prevent them from connecting to others while in range.

    For example, if only approved laptops are allowed on corporate WiFi, we can use WIPS to prevent a phone that isn't registered from connecting to corporate WiFi, or quarantine a corporate laptop that connected to the guest WiFi until it can be scanned.

    We can also watch for other APs broadcasting our SSID in an attempt to get our network assets to connect to them, and prevent them from doing so.

    -James Carson
    WatchGuard Customer Support

  • VLAN interfaces also do not have the MAC Address Control option.
    Since many sites do use VLANs for their AP, this setup would also prevent the use of MAC address controls for AP connected clients.

    With respect to MAC Address Control for wireless clients, if your AP settings allow "Enable client isolation" and you only allow selected MAC addrs onto your network, then it would be difficult for a user to identify a "good" MAC addr to spoof, and even if they could, having 2 devices with the same MAC addr will quickly become apparent as both devices would have issues.
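
As an added illustration of two points made in this thread, and not code from the thread or from WatchGuard: James's suggestion of a DHCP reservation plus an IP deny policy only holds while the reserved IP still belongs to the expected hardware address, and Bruce's observation that a cloned MAC becomes apparent because two devices share one address. The script below reads periodic neighbour-table (IP-to-MAC) snapshots and flags both conditions: a MAC that appears on more than one IP in the same snapshot, and an IP whose MAC differs from the previous snapshot. The log format (`snapshot_id ip mac`) and all addresses are constructed for the example; they do not come from any real tool or from the Firebox.

```python
"""Flag MAC-address conflicts and changes from periodic neighbour-table snapshots.

Example code written for this thread; not WatchGuard code. The input format
below is an assumption made for the example, not the output of a real tool.
"""
from collections import defaultdict

# Constructed sample: one line per neighbour entry, "snapshot_id ip mac".
# Snapshot 3 shows (a) 10.0.10.21 answering with a different MAC than before
# and (b) the MAC of 10.0.10.22 also appearing on 10.0.10.50 (a clone).
SAMPLE_SNAPSHOTS = """\
1 10.0.10.20 aa:bb:cc:dd:ee:01
1 10.0.10.21 aa:bb:cc:dd:ee:02
1 10.0.10.22 aa:bb:cc:dd:ee:03
2 10.0.10.20 aa:bb:cc:dd:ee:01
2 10.0.10.21 aa:bb:cc:dd:ee:02
2 10.0.10.22 aa:bb:cc:dd:ee:03
3 10.0.10.20 aa:bb:cc:dd:ee:01
3 10.0.10.21 aa:bb:cc:dd:ee:99
3 10.0.10.22 aa:bb:cc:dd:ee:03
3 10.0.10.50 aa:bb:cc:dd:ee:03
"""


def parse_snapshots(text):
    """Return {snapshot_id(int): [(ip, mac), ...]} from the constructed log format."""
    snaps = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        snap_id, ip, mac = line.split()
        snaps[int(snap_id)].append((ip, mac.lower()))
    return dict(snaps)


def find_duplicate_macs(snaps):
    """MAC seen on more than one IP within a single snapshot.

    On a bridged segment this is what a cloned address looks like: two hosts
    claim the same hardware address and both start misbehaving.
    Returns [(snapshot_id, mac, (ip, ip, ...)), ...].
    """
    findings = []
    for snap_id in sorted(snaps):
        by_mac = defaultdict(set)
        for ip, mac in snaps[snap_id]:
            by_mac[mac].add(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                findings.append((snap_id, mac, tuple(sorted(ips))))
    return findings


def find_mac_changes(snaps):
    """IP whose MAC differs from the previous snapshot.

    For an IP that is supposed to be tied to one host by a DHCP reservation,
    a changed MAC means the IP-based deny policy is no longer matching the
    hardware it was written for.
    Returns [(snapshot_id, ip, old_mac, new_mac), ...].
    """
    findings = []
    previous = {}
    for snap_id in sorted(snaps):
        current = dict(snaps[snap_id])
        for ip, mac in current.items():
            old = previous.get(ip)
            if old is not None and old != mac:
                findings.append((snap_id, ip, old, mac))
        previous = current
    return findings


def report(text):
    """Run both checks over a snapshot log and return the findings as a dict."""
    snaps = parse_snapshots(text)
    return {
        "duplicate_macs": find_duplicate_macs(snaps),
        "mac_changes": find_mac_changes(snaps),
    }


if __name__ == "__main__":
    for kind, items in report(SAMPLE_SNAPSHOTS).items():
        for item in items:
            print(kind, *item)
```

In practice the snapshots would come from the switch or firewall's ARP/neighbour table on a schedule; the two checks are deliberately separate because a MAC on several IPs can be legitimate (a multi-homed host) while an IP whose MAC silently changes is the case that undermines an IP-based deny rule.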

  • James, Bruce, thanks again. Useful and informative - something for me to think about. :)
