Zenarmor 1.10 MAC address for policy apply

Started by opnip, October 15, 2021, 04:49:22 PM

October 15, 2021, 04:49:22 PM Last Edit: October 15, 2021, 04:52:32 PM by opnip
Hi @mb,

Thanks for the possibility to match a policy by a client MAC address now.
But in my case it is not working. I defined a new policy with MAC addresses, but the default policy is always assigned to the devices where the custom policy with the configured MAC address should match.

Update: It works now. I also had enabled the WireGuard interface before and one IP address configured. I removed that IP address and the WireGuard interface. Now with only LAN and configured MAC addresses it works.

Ah, I'm not alone then. Already filed a ticket a few hours ago. Same problem here.

Thanks for the update, I also have 2 interfaces. I'll try removing one later, it's a normal one though, no special kind.

It's not the second interface (checked again). If I enable the WireGuard interface again, the policy still matches.

It was the additional configured IP address for matching. Policy is matching only if I configure MAC addresses only.

Odd, first thing I did before putting in the MAC address was deleting the IP of the device. I have a bunch of other IPs in that policy though. Do you have any additional IPs, or did you delete all IPs?

I deleted all IP addresses for now. Reported it as a bug in 1.10.

Do you also get this one with only MAC addresses?

"Are you sure you want to proceed?
You've only selected interface but did not specify any other criteria for this policy."

Hi @opnip,

Policy criteria are evaluated with the AND logical operator. It's not either IP addresses or MAC addresses; rather, if you specify both an IP address and a MAC address, they should both match. [1]

@athurdent, if you only enter MAC addresses that warning should not be displayed. We'll have a look at it. But you can ignore it for now; it's a misleading warning message.


[1] https://www.sunnyvalley.io/docs/troubleshooting/policy-and-filtering#policy-does-not-seem-to-get-applied

@mb, ah thanks I understand the AND logic now I guess.

If I enter my LAN IPv4 network AND the MAC address of a LAN host, then IPv6 packets do NOT get matched, because I failed to enter my LAN IPv6 network, too. Correct?
At least that is how it works here, just tried. If I remove my LAN IPv4 network and leave the network/IP section blank, then it matches my test host's IPv6 traffic, because the only thing that needs to match for the rule to work is the MAC.

It's around 7:00 am here and my brain already logic-hurts a bit, hehe... :-)
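The AND semantics @mb describes, and the IPv6 case @athurdent tested, can be written down as a small matcher. The following is an added illustration for this thread, not Zenarmor's own code; the policy field names (`networks`, `macs`), the packet dictionaries and the MAC/IP values are all constructed for the example. It shows why a policy with a LAN IPv4 network plus a host MAC falls through to the default policy for that host's IPv6 traffic, while a MAC-only policy matches both address families, and it reproduces the "interface only, no other criteria" condition that should trigger the warning.

```python
import ipaddress

# Constructed sample flows (not from the thread): IPv4 and IPv6 traffic from
# the same LAN host, identified by the same made-up MAC address.
HOST_MAC = "aa:bb:cc:dd:ee:01"
PKT_V4 = {"src_ip": "192.168.1.50", "src_mac": HOST_MAC}
PKT_V6 = {"src_ip": "fd00:1::50", "src_mac": HOST_MAC}

# Hypothetical policy definitions; "networks" and "macs" are assumed field names.
# An empty criterion list means "not specified" and is treated as a wildcard.
POLICY_NET_AND_MAC = {"name": "custom", "networks": ["192.168.1.0/24"], "macs": [HOST_MAC]}
POLICY_MAC_ONLY = {"name": "custom", "networks": [], "macs": [HOST_MAC]}
POLICY_INTERFACE_ONLY = {"name": "custom", "networks": [], "macs": []}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def policy_matches(policy: dict, packet: dict) -> bool:
    """Every criterion the policy specifies must match (logical AND).

    A criterion that is left empty is skipped, so a MAC-only policy matches
    regardless of the source address family.
    """
    networks = policy.get("networks", [])
    macs = policy.get("macs", [])

    if networks:
        src = ipaddress.ip_address(packet["src_ip"])
        # An IPv6 source can never fall inside an IPv4 network, so a policy
        # listing only IPv4 networks fails here for IPv6 traffic.
        in_any_net = any(
            src.version == ipaddress.ip_network(n, strict=False).version
            and src in ipaddress.ip_network(n, strict=False)
            for n in networks
        )
        if not in_any_net:
            return False

    if macs:
        wanted = {normalize_mac(m) for m in macs}
        if normalize_mac(packet["src_mac"]) not in wanted:
            return False

    return True


def select_policy(policies: list, packet: dict, default: str = "default") -> str:
    """First matching policy wins; otherwise the default policy applies."""
    for policy in policies:
        if policy_matches(policy, packet):
            return policy["name"]
    return default


def interface_only(policy: dict) -> bool:
    """True when the policy carries no criteria beyond the interface selection,
    which is the condition the 'Are you sure you want to proceed?' prompt is for."""
    return not (policy.get("networks") or policy.get("macs"))


if __name__ == "__main__":
    for label, policy in (("net+mac", POLICY_NET_AND_MAC), ("mac only", POLICY_MAC_ONLY)):
        for name, pkt in (("IPv4", PKT_V4), ("IPv6", PKT_V6)):
            print(f"{label:8} {name}: {select_policy([policy], pkt)}")
    print("interface-only warning:", interface_only(POLICY_INTERFACE_ONLY),
          interface_only(POLICY_MAC_ONLY))
```

Run it and the net+mac policy reports `custom` for IPv4 but `default` for IPv6; the MAC-only policy reports `custom` for both. Adding the LAN IPv6 prefix to `networks` alongside the IPv4 one would make the net+mac policy match both families again.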

@mb
Thanks for answering the topic.

With this understanding I restructured my Zenarmor policies. In the end, I was able to implement what was important to me.