A customer has reported that a PC is able to access the internet even though the MAC address of the PC was added to the MAC Filter prohibited (prevent) list.
For example, see the screenshot below, where a sample MAC address has been added to the "Prevent listed computers from accessing the network" list.
This article provides information on how the internal mechanism works in Kerio Control MAC Filtering.
- Kerio Control has one interface for the internet (Ethernet for example).
- You are trying to block PCs from accessing the internet by blocking the PC's MAC address on the Internet (Ethernet) interface.
- Kerio Control is able to see the PC in the Active Hosts tab.
- The MAC filter works only when a packet arrives at an interface. Thus, for a client packet, there are two MAC filter checks:
  - Client packet arrives at the LAN interface: The client MAC address is known, because it is in the packet's Ethernet header as the SRC (Source) MAC. If you enable the MAC filter on the LAN interface, you can block it.
  - Client packet is redirected from the LAN to the WAN interface: The packet's SRC MAC is now the WAN MAC address (the DST (Destination) is the gateway). The client MAC has therefore been removed at this point, and if you enable the MAC filter on WAN, you cannot see the client's MAC address.
- The MAC filter can be formulated as follows: the MAC address given in the UI is compared with the SRC MAC address of a packet that arrives at an interface that is also selected in the UI.
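
The two checks described above, modelled in Python as an added example (this is not Kerio Control code). The interface names, MAC addresses and function names are constructed for illustration; the model shows why a prevent-list entry only takes effect when the filter is selected on the LAN interface.

```python
# Simplified model of per-interface MAC filtering; not Kerio Control code.
# Interface names and MAC addresses are constructed sample values.
from dataclasses import dataclass

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def src_mac(frame: bytes) -> str:
    """Ethernet II header: 6-byte DST MAC, 6-byte SRC MAC, 2-byte EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[6:12].hex(":")

@dataclass
class MacFilter:
    interfaces: set  # interfaces selected for filtering
    prevented: set   # MAC addresses on the prevent list

    def allows(self, iface: str, frame: bytes) -> bool:
        # Only frames seen at a selected interface are checked, and only
        # against the SRC MAC in that frame's Ethernet header.
        if iface not in self.interfaces:
            return True
        return src_mac(frame) not in self.prevented

def route_to_wan(frame: bytes, wan_mac: str, gateway_mac: str) -> bytes:
    """Routing replaces the L2 addresses: SRC = WAN MAC, DST = gateway."""
    return mac_bytes(gateway_mac) + mac_bytes(wan_mac) + frame[12:]

CLIENT, FW_LAN = "02:00:00:aa:bb:01", "02:00:00:00:00:10"
FW_WAN, GATEWAY = "02:00:00:00:00:20", "02:00:00:00:00:fe"
# Constructed IPv4 frame sent by the client to the firewall's LAN interface.
CLIENT_FRAME = mac_bytes(FW_LAN) + mac_bytes(CLIENT) + b"\x08\x00" + b"payload"

def client_reaches_internet(filter_ifaces: set) -> bool:
    """Run the article's two checks for one client packet."""
    flt = MacFilter(interfaces=set(filter_ifaces), prevented={CLIENT})
    if not flt.allows("LAN", CLIENT_FRAME):           # check 1: LAN
        return False
    routed = route_to_wan(CLIENT_FRAME, FW_WAN, GATEWAY)
    return flt.allows("WAN", routed)                  # check 2: WAN

if __name__ == "__main__":
    for ifaces in ({"WAN"}, {"LAN"}, {"LAN", "WAN"}):
        verdict = "passes" if client_reaches_internet(ifaces) else "blocked"
        print(f"filter on {sorted(ifaces)}: client {verdict}")
```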