Firewall, Rules and Alias: Problem with MACs as Source to the Internet

[PhoenixRider]

I noticed something strange with my OPNsense. If I take several MAC addresses as an alias, use this alias as a source and limit the destination ports for WLAN devices accordingly, it can happen with my Android smartphone that some apps cannot load the content.

In general, I have selected all Android ports and summarized the other, important ports in an alias and stored them as destination ports.

Now comes the strange thing: if I take the WiFi network as the source, everything works fine. So it looks to me that the OPNsense or my Android smartphone (Samsung Galaxy S21 Ultra 5G with static and real MAC-address) has some problem with the MAC address.

Maybe someone can help me on this topic.

[zan]

Are you sure the phone is not using a randomized MAC?
Started in Android 9(or 10) the default is using a randomized MAC when connecting to wlan.

[CJ]

I noticed something strange with my OPNsense. If I take several MAC addresses as an alias, use this alias as a source and limit the destination ports for WLAN devices accordingly, it can happen with my Android smartphone that some apps cannot load the content.

In general, I have selected all Android ports and summarized the other, important ports in an alias and stored them as destination ports.

Now comes the strange thing: if I take the WiFi network as the source, everything works fine. So it looks to me that the OPNsense or my Android smartphone (Samsung Galaxy S21 Ultra 5G with static and real MAC-address) has some problem with the MAC address.

Maybe someone can help me on this topic.

Just so I understand, you took your Android MAC address and created an alias with it.  You have a rule stating that anything coming from this alias can only access port X.  The android device is connected to wifi network 192.168.1.0.  When you change the firewall rule from the MAC alias to the 192.168.1.0 network the rule works as expected?

How are you assigning IPs?  If DHCP, what does the MAC show in the leases page?  What ports are you referring to as Android ports, etc?

Are you sure the phone is not using a randomized MAC?
Started in Android 9(or 10) the default is using a randomized MAC when connecting to wlan.

I know Apple does this but I wasn't aware of Android implementing it.  I took a quick look and I can't find anything in the settings regarding it.

[cookiemonster]

Are you sure the phone is not using a randomized MAC?
Started in Android 9(or 10) the default is using a randomized MAC when connecting to wlan.

I know Apple does this but I wasn't aware of Android implementing it.  I took a quick look and I can't find anything in the settings regarding it.

Android being what it is, is Android version and likely manufacturer dependent.
There are currently two android phones in my house. One of them implements it. Oneplus 8T running OxygenOS 13.1 based on Android 13. The setting is inside the wifi connection details i.e. can be set per Wifi network.

[CJ]

Android being what it is, is Android version and likely manufacturer dependent.
There are currently two android phones in my house. One of them implements it. Oneplus 8T running OxygenOS 13.1 based on Android 13. The setting is inside the wifi connection details i.e. can be set per Wifi network.

That is very true.  What is the other phone that you have which doesn't support it?

[cookiemonster]

I've got to see. It's my wife's phone. She gets the old hand me downs from me, when work used to replace them every couple of years.

[PhoenixRider]

Are you sure the phone is not using a randomized MAC?
Started in Android 9(or 10) the default is using a randomized MAC when connecting to wlan.

Yes, i am sure. I use the hardware based MAC address.

Just so I understand, you took your Android MAC address and created an alias with it.  You have a rule stating that anything coming from this alias can only access port X.  The android device is connected to wifi network 192.168.1.0.  When you change the firewall rule from the MAC alias to the 192.168.1.0 network the rule works as expected?

How are you assigning IPs?  If DHCP, what does the MAC show in the leases page?  What ports are you referring to as Android ports, etc?

I took several WiFi MAC-Adresses in an alias. I use the onboard DHCP from OPNsense and the Assingments are correct. The destination ports can be seen in the screenshot:

[CJ]

I took several WiFi MAC-Adresses in an alias. I use the onboard DHCP from OPNsense and the Assingments are correct.

You didn't answer all of my questions.  What MAC address does the DHCP leases page show?

Can you post the two firewall rule configurations that you're testing?

Since you're using the OPNSense DHCP server, is there a reason you don't assign static IPs and then use those or the host names in the alias?

The destination ports can be seen in the screenshot:

These are the ports you're allowing or the ports that you're blocking?

Can you elaborate on your reasoning for doing so?

What apps stop working?

Do you have logging turned on for your firewall rule?  What does it show?

[PhoenixRider]

The real hardware MAC address was displayed in each case. At first I tried it without static IP addresses, and that didn't work, or only for a short time. I also tried the IP addresses as aliases, the behavior was then identical. Only WiFi Network as source worked fine.

Here are the two firewall rules:



with MAC addresses




with IPs

Now I have assigned static IP addresses including ARP within the OPNsense (DHCP service). So far it works now if I store the MAC addresses alias as source. The ports alias are allowed Ports. The goal is this: I want to restrict Internet traffic to the ports that are really needed.

Edit: After a reboot of the smartphone, many apps doesn't work. I think it's due to IPv6. Numerous blockages on port 53, 443 and port 80 are displayed in the log files. But only with the IPv6 address.

[CJ]

You're running dual stack or some sort of tunnel?  I'm not super familiar with IPv6 as I just started working with it.

Does everything work as expected if turn off all of the IPv6?

[PhoenixRider]

Yes, i have Dual Stack (Telecom Germany). Without IPv6 it runs fine.

[CJ]

I'm not familiar enough with IPv6 to have any idea why MACs don't work vs with IPv4.

The only ideas I have are to separate the rules into an IPv4 set and an IPv6 set.  Try with the same MAC alias and then try with a separated set of IP aliases.

If none of that works then I guess you're stuck with using the interface network.