Requesting Destination MAC Address for firewall rules

Looking at the documentation for firewall rules, it looks like there is a src_mac option, but no dest_mac option... Is there a particular reason for this, or was it just left out of the original implementation due to lack of necessity, or something like that? My specific use case is that it would be nice to be able to write rules dependent on a destination MAC Address, instead of a destination IP address, in case the destination IP is not known, because of, e.g. DHCP IP assignment. Apologies if this request exists, or this isn't the right format to ask this question; I did a search and came up empty...

Generally speaking the reason is that MAC is only valid on L2, whereas the firewall operates on L3.

You might ask -- if this is an issue of L2/L3, why can the source MAC be used? That is possible because the MAC is still present in the packets as they arrive at the L2/L3 boundary (i.e. the routing engine) as it enters into the firewall.

However, for egress from the firewall, there is no concept of the MAC address at L3, and the firewall must make a determination purely based on IP addresses (L3) without knowledge of which host actually has a given MAC address. This isn't resolved until later -- in the case of 2 or more directly connected networks, the packet leaves the firewall bound for the destination L3 interface, and only there can the MAC be discovered. (if the destination network is not directly connected -- for example, anytime the traffic must traverse 2 or more routers such as on the internet), MAC cannot be determined at all at the firewall.

This is where a DHCP reservation comes in. You can set up a reservation so that there is a deterministic IP assignment for a given device based on its MAC address.

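The pattern described in the answer above, written out as an added example (this is not configuration from the thread or from the OpenWrt project itself). It assumes OpenWrt's UCI config files /etc/config/dhcp and /etc/config/firewall, an existing `lan`, `wan` and `guest` zone, and constructed MAC and IP values: ingress matching can use `src_mac` because the frame's source MAC is still present when the packet reaches the firewall, while a destination on another network has to be matched by `dest_ip`, so the device gets a deterministic address via a static DHCP lease first.

```uci
# /etc/config/dhcp  (added example, constructed values)
# Static lease: the NAS always receives 192.168.1.20 when it asks via DHCP,
# so firewall rules can reference a stable IP instead of an unknown MAC.
config host
	option name 'nas'
	option mac '02:00:00:aa:bb:20'   # constructed, locally administered MAC
	option ip '192.168.1.20'

# /etc/config/firewall  (added example, constructed values)
# Ingress rule: src_mac works because the L2 header is still attached when
# the packet enters the firewall from the lan interface.
config rule
	option name 'Block-IoT-cam-from-internet'
	option src 'lan'
	option src_mac '02:00:00:aa:bb:31'  # constructed MAC of the camera
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Egress rule: there is no dest_mac option, so the NAS is identified by the
# IP address fixed by the static lease above (assumes a 'guest' zone exists).
config rule
	option name 'Allow-guest-to-NAS-SMB'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.20'
	option proto 'tcp'
	option dest_port '445'
	option target 'ACCEPT'
```

After editing the files, apply them with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`; the second rule only becomes reliable once the NAS has renewed its lease and holds the reserved address.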

Well that makes sense. Do I close this, or just leave it here for future askers? Should I mark it as solved?

This is the best method... this helps surface the answer immediately.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
