Internet is accessible even with MAC filtering firewall rules

We have enabled MAC address filtering using Network groups.
Two groups, namely ‘Departments’ and ‘Faculty’, are given internet access.
All other access is blocked using firewall rules.
The default firewall behaviour is also ‘Blocked’.

Laptops or desktops outside these groups can’t access the internet.
But it seems that mobile phones with Android OS can connect and access the internet.

Is there a problem with the firewall rules I have created?
Someone please advise.

Firewall Rules

Firewall rule to block all connections

‘Department’ group is allowed internet access

‘Faculty’ group is allowed internet access

I can’t see anything obviously wrong, however these are my comments:

  1. I would do this differently (see below);
  2. you need to see the logs to find out how the mobile phones are able to access internet.

Point 1, I would remove the first rule (block everything) and use instead the specific setting for this restrictive behavior. In the web user interface go to Firewall/Firewall Options/Default firewall behavior/Forward and set it to blocked. This will accomplish the same as rule 1, but in a better way. Do not forget to apply the rule and, if necessary, reboot. Keep in mind that the most restrictive behavior would be to cut the Outgoing access as well. This will prevent the entire machine (the firewall) from accessing the internet. This means that if you do this, you need to be directly connected to the machine or you will cut yourself out. The first rule should suffice, but if you block everything you will be more secure; then you need to fix what does not work (everything). Here are some guidelines.

Point 2, get an Android phone, make sure you can get to the internet even if you shouldn’t, then open a console and issue the following command: tail -f /var/log/messages. This will show everything the kernel does. Then, with the phone in your hand, start surfing the internet and see what the kernel will do with those packets. To exit, press ctrl-c.

Please let us know how it goes.


Are your mobile phones connecting via a wireless access point connected to your green wired lan network or are they connecting via a blue network?


Every modern mobile I know will use mobile data (wwan) if wlan has no internet access.


@cfusco
The default firewall behaviour was set to ‘Blocked’. Then I noticed people accessing the internet, so I decided to add the block rule to the firewall. I have checked with Android phones; not every Android phone works, but some do.

@bonnietwin
Mobile phones are connected via Ubiquiti wireless access points connected to the Green network.

@xperimental
I have tried it with disabling mobile data.

Just as a reminder:

Starting in Android 8.0, Android devices use randomized MAC addresses when probing for new networks while not currently associated with a network. In Android 9, you can enable a developer option (it’s disabled by default) to cause the device to use a randomized MAC address when connecting to a Wi-Fi network.

In Android 10, MAC randomization is enabled by default for client mode, SoftAp, and Wi-Fi Direct.

MAC randomization prevents listeners from using MAC addresses to build a history of device activity, thus increasing user privacy.

https://source.android.com/docs/core/connect/wifi-mac-randomization


This means that we can’t implement a MAC filter if Android systems are using the network.
If we whitelist a MAC ID and it happens to be in the randomization list, the whole thing fails.
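One way to see whether randomized addresses are already on the network, as an added example and not code from the thread or from IPFire: randomized Wi-Fi MACs are locally administered (the 0x02 bit of the first octet is set), so an audit of the DHCP server log can flag leases that no allow list will ever match, and allow-list entries that are themselves randomized. The log lines, the allow list and the interface name are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in dhcpd's DHCPACK log format (not taken from the thread).
SAMPLE_LOG = """\
dhcpd: DHCPACK on 192.168.10.21 to 00:1b:44:11:3a:b7 (dept-pc-01) via green0
dhcpd: DHCPACK on 192.168.10.22 to 3c:22:fb:7a:90:11 (faculty-laptop) via green0
dhcpd: DHCPACK on 192.168.10.40 to 5a:c3:2e:18:9f:04 (android-4f2e) via green0
dhcpd: DHCPACK on 192.168.10.41 to d6:91:07:aa:b3:10 via green0
dhcpd: DHCPACK on 192.168.10.42 to 00:0c:29:5d:e1:77 (guest-vm) via green0
"""

# Constructed allow list standing in for the 'Departments' and 'Faculty' groups.
ALLOWED_MACS: Set[str] = {"00:1b:44:11:3a:b7", "3c:22:fb:7a:90:11"}

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.IGNORECASE)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set: the address was
    assigned by software rather than burned in, which is what Android's
    randomized Wi-Fi MACs look like."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify(mac: str, allowed: Set[str]) -> str:
    """allowed: matches the filter; randomized: locally administered, so the
    filter can never match it; blocked: a real hardware MAC not on the list."""
    if mac in allowed:
        return "allowed"
    if is_locally_administered(mac):
        return "randomized"
    return "blocked"


def audit(log: str, allowed: Set[str] = ALLOWED_MACS) -> Dict[str, List[str]]:
    """Group every DHCPACK lease in the log by how the MAC filter treats it."""
    report: Dict[str, List[str]] = {"allowed": [], "randomized": [], "blocked": []}
    allowed_lc = {a.lower() for a in allowed}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            report[classify(mac, allowed_lc)].append(f"{ip} {mac}")
    return report


def randomized_allow_entries(allowed: Set[str]) -> List[str]:
    """Allow-list entries that are themselves randomized and so stop matching
    as soon as the phone picks a new address."""
    return sorted(a for a in allowed if is_locally_administered(a))


if __name__ == "__main__":
    for kind, leases in audit(SAMPLE_LOG).items():
        print(kind, leases)
    print("randomized allow-list entries:", randomized_allow_entries(ALLOWED_MACS))
```

A lease in the "randomized" bucket is a device the MAC filter cannot identify at all, which is consistent with the thread's conclusion that the filter alone cannot gate Android clients.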