Messages - narsaw

#1
I can confirm that adding a pass rule under Wireguard (Group) where the source is my Wireguard interface allows connections to pass.
So it seems that with the latest and perhaps the previous update, Wireguard (Group) rules take precedence over interface-specific rules. I suspect this because my Wireguard interface has a pass rule, but after the update no Wireguard traffic passes until a pass rule is added to Wireguard (Group).
#2
Same exact issue with 25.1.5 update. Wireguard stops working. Rolled back to 25.1.3 and wireguard works again.
#3
The machine is on a separate VLAN; the determined attacker is a smart 12-year-old. Currently he does have admin privileges on the PC, mostly for convenience for me (having to constantly enter the admin password for installs, etc.).

It seems the choices are 1) remove admin privileges from the PC, or 2) think of other ways to block internet that do not rely on MAC->IP->Rules, as MAC-based filtering cannot be trusted, as my post indicates.

Has anyone overcome this issue, particularly when dealing with kids' access?
#4
General Discussion / Static lease bypass on OPNsense
March 24, 2025, 01:59:22 AM
I have a PC that I assigned a static lease via its MAC address. This works great; the PC is allocated the correct IP address (192.168.66.150) based on my settings.
However, I just found out that anyone who has access to this Windows 11 PC can assign the PC a different static IP address (say 192.168.66.200) and bypass whatever firewall rules I have in place based on the IP I assigned via the static lease.

Is there a way to tell OPNsense that a MAC address can only be assigned the static lease IP address and ignore any other address request?
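
Added example, not part of the original post and not OPNsense code: a DHCP static lease only hands out an address and does not stop a host from configuring another one, so one way to notice the situation described above is to compare the firewall's ARP table against the lease table. The MAC addresses, interface name and sample `arp -an` output are constructed; only the two IP addresses come from the post. It only catches a host that keeps its MAC and changes its IP.

```python
import re

# Assumed static lease table (MAC -> reserved IP). The IP is the one from the
# post; the MAC is a constructed placeholder.
STATIC_LEASES = {"aa:bb:cc:dd:ee:01": "192.168.66.150"}

# Constructed sample in the FreeBSD `arp -an` output format.
SAMPLE_ARP = """\
? (192.168.66.1) at 00:11:22:33:44:55 on igb1_vlan66 permanent [vlan]
? (192.168.66.200) at AA:BB:CC:DD:EE:01 on igb1_vlan66 expires in 1187 seconds [vlan]
? (192.168.66.23) at (incomplete) on igb1_vlan66 expired [vlan]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so comparisons are exact."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return (mac, ip, iface) tuples; unresolved '(incomplete)' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((normalize_mac(m["mac"]), m["ip"], m["iface"]))
    return entries

def find_violations(entries, leases):
    """Flag a leased MAC seen on another IP, or a reserved IP used by another MAC."""
    reserved = {ip: mac for mac, ip in leases.items()}
    findings = []
    for mac, ip, iface in entries:
        if mac in leases and leases[mac] != ip:
            findings.append(("mac_off_lease", mac, ip, iface))
        elif ip in reserved and reserved[ip] != mac:
            findings.append(("reserved_ip_taken", mac, ip, iface))
    return findings

if __name__ == "__main__":
    for finding in find_violations(parse_arp(SAMPLE_ARP), STATIC_LEASES):
        print(finding)
```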