Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Zenarmor (Sensei)
»
Zenarmor 1.10 MAC address for policy apply
« previous
next »
Print
Pages: [
1
]
Author
Topic: Zenarmor 1.10 MAC address for policy apply (Read 4329 times)
opnip
Newbie
Posts: 15
Karma: 2
Zenarmor 1.10 MAC address for policy apply
«
on:
October 15, 2021, 04:49:22 pm »
Hi @mb,
thx for the possibility to match a policy by a client MAC address now.
But in my case it is not working. Defined a new policy with MAC addresses. But always the default policy would be assigned to the devices where the custom policy with the configured MAC address should match.
Update: It works now. I also had enabled the WireGuard interface before and one IP address configured. I removed that IP address and the WireGuard interface. Now with only LAN and configured MAC addresses it works.
«
Last Edit: October 15, 2021, 04:52:32 pm by opnip
»
Logged
athurdent
Sr. Member
Posts: 251
Karma: 23
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #1 on:
October 15, 2021, 04:52:49 pm »
Ah, I‘m not alone then. Already filed a ticket a few hours ago. Same problem here.
Logged
athurdent
Sr. Member
Posts: 251
Karma: 23
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #2 on:
October 15, 2021, 04:54:52 pm »
Thanks for the update, I also have 2 interfaces. I‘ll try removing one later, it’s a normal one though, no special kind.
Logged
opnip
Newbie
Posts: 15
Karma: 2
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #3 on:
October 15, 2021, 05:03:09 pm »
Its not the second interface (checked again). If I enable the WireGuard interface again, policy still matches.
It was the additional configured IP address for matching. Policy is matching only if I configure MAC addresses only.
Logged
athurdent
Sr. Member
Posts: 251
Karma: 23
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #4 on:
October 15, 2021, 05:13:46 pm »
Odd, first thing I did before putting in the MAC address was deleting the IP of the device. I have a bunch of other IPs in that policy though. Do you have any additional IPs, or did you delete all IPs?
Logged
opnip
Newbie
Posts: 15
Karma: 2
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #5 on:
October 15, 2021, 05:21:49 pm »
I deleted all IP addresses for now. Reported it as a bug in 1.10.
Logged
athurdent
Sr. Member
Posts: 251
Karma: 23
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #6 on:
October 15, 2021, 05:23:02 pm »
Do you also get this one with only MAC addresses?
"Are you sure you want to proceed?
You've only selected interface but did not specify any other criteria for this policy."
Logged
mb
Hero Member
Posts: 941
Karma: 99
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #7 on:
October 16, 2021, 02:26:16 am »
Hi @opnip,
Policy criteria are evaluated with the AND logical operator. It's not either IP addresses or MAC addresses, rather, if you specify both an IP address or MAC address they should both match. [1]
@athurdent, if you only enter MAC addresses that warning should not be displayed. We'll have a look at it. But you can ignore it, for now, its' a misleading warning message.
[1]
https://www.sunnyvalley.io/docs/troubleshooting/policy-and-filtering#policy-does-not-seem-to-get-applied
Logged
athurdent
Sr. Member
Posts: 251
Karma: 23
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #8 on:
October 16, 2021, 07:14:01 am »
@mb, ah thanks I understand the AND logic now I guess.
If I enter my LAN IPv4 network AND the MAC address of a LAN host, then IPv6 packets do NOT get matched, because I failed to enter my LAN IPv6 network, too. Correct?
At leat that is how it works here, just tried. If I remove my LAN IPv4 network and leave the network/IP section blank, then it matches my test host's IPv6 traffic, because the only thing that needs to match for the rule to work is the MAC.
Its around 7:00 am here and my brain already logic-hurts a bit, hehe... :-)
Logged
opnip
Newbie
Posts: 15
Karma: 2
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #9 on:
October 17, 2021, 01:02:55 pm »
@mb
Thanks for answering the topic.
With this understanding I restructured my zenarmor policies. In the end, I was able to implement what was important to me.
Logged
mb
Hero Member
Posts: 941
Karma: 99
Re: Zenarmor 1.10 MAC address for policy apply
«
Reply #10 on:
October 18, 2021, 02:48:56 am »
@opnip, great to hear that!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Zenarmor (Sensei)
»
Zenarmor 1.10 MAC address for policy apply