In Firewall Traffic Rules you can use a single ip-set per rule. It would significantly reduce repetitions for me if multiple ip-sets were supported. In order to have effective control over my kids internet usage, quite complex rules are necessary. Since multiple ip-sets aren’t supported, I need to define most mac-addresses in multiple traffic rules.
Just create a set of type set which holds multiple sets.
You can achieve the same with an adblocker, much simpler.
Nope. I.e. which adblocker does user-(MAC-)dependent blocking of specific domains ? Or which adblocker switches on/off based on a time schedule ?
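An added example (not from any poster or from OpenWrt itself) of what the "set of sets" suggestion and the time schedule above look like in nftables, which fw4 builds on: nftables has no nested set type, so each MAC set gets one jump rule into a shared chain and the schedule lives in that chain, so the addresses themselves are listed only once. The table, chain and set names and the MAC addresses are constructed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or OpenWrt. Names and MACs are constructed.
table inet parental {
    # One set per device group; addresses appear here and nowhere else.
    set kids_laptops {
        type ether_addr
        elements = { 02:00:00:00:00:01, 02:00:00:00:00:02 }
    }
    set kids_phones {
        type ether_addr
        elements = { 02:00:00:00:00:03 }
    }

    # Shared chain: the schedule is written once, whichever set matched.
    # meta hour needs nftables 0.9.4+ / kernel 5.4+ and compares local time;
    # the night window is split in two so neither range crosses midnight.
    chain kids_curfew {
        meta hour "22:00"-"23:59" counter drop
        meta hour "00:00"-"06:00" counter drop
        return
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Several sets in one place: one short jump rule per set.
        ether saddr @kids_laptops jump kids_curfew
        ether saddr @kids_phones jump kids_curfew
    }
}
```

As later posts in the thread point out, a source MAC is easy to change, so this only constrains devices that keep a stable address; a per-segment VLAN enforced at a managed switch does not depend on that.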
Pardon me but if you filter on client mac addresses then you are doing it wrong.
Setup a vlan for the kids and another for iot, etc and set layer3 and layer4 rules.
Kids can still set up a VLAN interface (ethernet) on their computers. Maybe unlikely, but still. And as reinerotto said, dns adblockers don’t do the job. My request remains for better ip-sets ( or mac-sets). There are other use-cases too.
I don’t expect anyone to put in the effort just based on one comment on the internet, but I suppose it’s better to request it since here is a thread for the purpose, and it bugs me
OK, and those VLANs would connect to the one you configured upstream on the router you provide that includes the kid-blocking configurations. I don't understand this concern.
What?
You configure a switch port as untagged. That's it. Then there is only that one network available. Period.
And no. Please just forget about crude hacks using Mac based filter.
A firewall is a firewall and does its job on layer 3 and 4.
Yes some enterprise gear enables you to filter certain layer 2 traffic but that's another can of worms.
If you need access control then again this should happen on layer 3.
Content filtering on layer 2 is a fundamentally flawed idea as pointed out by @_bernd.
Probably none has this feature integrated but one could easily set up a cron schedule, or make a feature request so this gets implemented. And if you have a separate VLAN for kids (which is the correct method to implement content filtering for a network segment) then probably you don't need any schedule to begin with.
How so? The arguments they presented are not valid.
Besides, if you want to block access to certain domains then what makes more sense: directly blocking DNS resolution for those domains or painstakingly resolving their addresses one-by-one to construct an IP list (which is incredibly slow)? Yes, you can get pre-resolved IP lists but those may be incomplete or outdated.
Features get implemented when a reasonable and sufficiently popular use case is demonstrated. With all due respect, your particular use case doesn't appear reasonable.
Thanks for the interaction guys, but I don’t want to hijack this good thread. Maybe I’ll continue elsewhere. The conclusion seems to be that only 25% of the participants want the ability to include several ip-sets in a firewall traffic rule. It won’t harm you, will it?
By the way, I just realized that I might have understood ip-sets wrongly. I have used them to define a set of computers on my LAN, like servers or iot-devices.
Your assumption is wrong. There are smarter ways to implement it.
… And if you have a separate VLAN for kids (which is the correct method to implement content filtering for a network segment) … Which is not everybody's opinion.
I don't know how to make you believe me.... But I'm getting paid for this kind of implementation and if you want to filter traffic then you do it on layer 3 and 4 for these use cases.
Layer 2 traffic is layer 2 traffic and has nothing to do with layer 3 which is used if you travel from one network to another.
That simply is your opinion. Probably based on the assumption, this to be done on layer 2. Which is a possibility, but not the only one.
I did not say to do it on layer 2. You simply assumed it. And you are not the only one being paid for such type of work. Usually in larger environments, though.
I'm really curious why on earth anyone should still do any kind of "bridge filter" in 2025. And yes, I do not talk about enterprise switches which can filter some layer 2 and related layer 3 packets for obvious security reasons....
I do data center networking and also from time to time assist on branch office networks and really nowhere ever, I have seen filter rules based on MAC addresses.
It's like hammering in a screw just because it somehow works but every woodworking dude would say hey stop there Boy, right now....
To paraphrase David Reed, if you really need to control user identity you need to use an authenticated protocol... neither MAC nor IP will give you that as both are typically easy to change/spoof.
That's also true. For that we have i.e. ipsec.
Do you have any recent blueprints, architecture guides, vendor docs, etc. on hand which recommend or even show how to do MAC based filters for access control? Besides 802.1x and friends....
You mentioned you do commercial work. Then you know about NDAs. Anyway, one of the first methods in this area I implemented almost 10 yrs ago was based on squid. Using MAC for identification of the client, and filtering “individually”. Was rather slow, I have to admit. But not on layer 2, at least.
Nowadays, a much better method is available.
Say I do it right. I set up a VLAN for adults, for servers, for iot, etc. Untagged is for kids, and I disable forwarding for it at night. I have an unmanaged switch, through which everything goes to the router. Since it isn’t port based vlan, the kids can simply get on the adult vlan (when they figure it out). What other solution is there for this than to get a managed switch (which are noisy)?