
MAC Address Filtering & Geo-fencing

Objective

Validate that the zWAN Gateway Router:

  1. enforces MAC-based access control (allow/deny) for LAN devices, and
  2. generates alerts and (when configured as mandatory) fences traffic based on MAC or GPS geo-fence rules, using the Director UI paths and log locations given in this article.

Prerequisites

  • Admin access to zWAN Director.
  • z40 online and managed by Director.
  • Two Windows test clients on the z40 LAN (wired on LAN00 or Wi-Fi on LAN05). (Linux client optional for cross-checks.)
  • You know each client’s MAC address.
  • Testing is being done in your authorized POC/lab environment.

How to find MACs (quick)

  • Windows:
    getmac /v /fo list or ipconfig /all (note the “Physical Address” of the active adapter)
  • Linux:
    ip link show (note the link/ether xx:xx:xx:xx:xx:xx for the active interface)
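
Windows prints hyphen-separated upper-case addresses while the Director expects aa:bb:cc:dd:ee:ff, so the sketch below (an added example, not part of the zWAN tooling) normalizes addresses pulled from `getmac`, `ipconfig /all` or `ip link show` output and flags locally administered ones, which randomized Wi-Fi adapters use and which make an unstable allow-list entry. The sample outputs are constructed and the function names are hypothetical.

```python
import re

# Six hex octets separated by ':' or '-' (Windows prints hyphens).
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})(?![0-9A-Fa-f:-])")

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    hexdigits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set (randomized or overridden)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def extract_macs(command_output):
    """Pull unique unicast MACs out of getmac / ipconfig / ip link output."""
    found = []
    for match in _MAC_RE.finditer(command_output):
        mac = normalize_mac(match.group(1))
        if mac == "00:00:00:00:00:00" or int(mac[:2], 16) & 0x01:
            continue  # skip null, broadcast and multicast addresses
        if mac not in found:
            found.append(mac)
    return found

# Constructed sample output (not captured from a real host).
GETMAC_SAMPLE = r"""
Connection Name:  Ethernet
Network Adapter:  Example Gigabit Adapter
Physical Address: 00-1A-2B-3C-4D-5E
Transport Name:   \Device\Tcpip_{6B1C2D3E-4F50-4A61-8B72-9C8D7E6F5A4B}
Connection Name:  Wi-Fi
Network Adapter:  Example Wireless Adapter
Physical Address: DA-A1-19-3C-4D-5E
"""
IP_LINK_SAMPLE = """
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:1a:2b:3c:4d:6f brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for mac in extract_macs(GETMAC_SAMPLE + IP_LINK_SAMPLE):
        print(mac, "(locally administered)" if is_locally_administered(mac) else "")
```

If a test client's Wi-Fi address is flagged, turn off random hardware addresses for that SSID before adding it to the list, or use the wired adapter.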

Test A – MAC Filtering (Allow/Whitelist mode)

Goal

Only the Allowed client can pass traffic through the z40; a Blocked client (not on the allow list) cannot.

Steps

  1. Baseline connectivity (both clients should work)
    • From Client A and Client B, confirm they can reach something beyond the z40 (e.g., ping 8.8.8.8 and open an Internet site).
  2. Open MAC Filtering
    • Director → Edge Controllers > [Device] > Security > Filtering > MAC FILTERING.
    • Ensure the Enabled toggle (top-right of the tab) is ON.
  3. Select mode
    • At the top left of the MAC Filtering page, set radio to ALLOW (whitelist).
  4. Add the Allowed MAC
    • Click ADD MAC ADDRESSES (or use DISCOVER if entries appear and you prefer picking from discovered).
    • Enter Client A’s MAC (format aa:bb:cc:dd:ee:ff).
    • Save. Confirm Client A shows in Allowed Mac Addresses.
  5. Apply
    • Confirm the Enabled toggle is ON (it takes effect immediately on this tab).
  6. Validate
    • Client A: Should retain full connectivity (DNS resolve, browse, ping).
    • Client B: Should now fail to browse/resolve beyond the z40 (the connection will be refused/blocked at the gateway).
  7. Logs
    • Director → Edge Controllers > [Device] > System > Logs > SYSLOG > All Logs.
    • Filter by node.ipaddr for the device, and (optionally) by Client B’s IP/MAC.
    • Confirm entries showing MAC-filter decisions (blocked traffic from Client B).
  8. Persistence check (optional)
    • Bounce Client B’s interface, clear ARP (arp -d * on Windows in elevated cmd), or reconnect Wi-Fi; verify it stays blocked.
    • Reboot z40 (if permitted) and confirm behavior persists.

Test B – MAC Filtering (Deny/Blacklist mode)

Goal

Block a specific MAC in DENY mode, while all others pass.

Steps

  1. Switch to DENY mode
    • Same page: Security > Filtering > MAC FILTERING → choose DENY (radio).
  2. Add the denied MAC
    • ADD MAC ADDRESSES → enter Client B’s MAC → Save.
    • Make sure Enabled toggle is ON.
  3. Validate
    • Client B loses connectivity to WAN (and inter-VLAN, if policy applies).
    • Client A still passes traffic normally.
  4. Logs
    • Same logs path as Test A; confirm blocks corresponding to Client B.

Cleanup: When done with MAC Filtering tests, switch back to your intended mode and remove test entries so you don’t surprise the customer later.

Test C – Geo-fencing (MAC-based)

Goal

Use Geo-fence’s Trusted MAC Address List to mark trusted devices and (optionally) fence untrusted devices when “Mandatory” is enabled.

Steps

  1. Open Geo-fence
    • Director → Edge Controllers > [Device] > Security > GEO-FENCE.
    • Toggle Enable/Disable to ON (top right) → SAVE CHANGES.
  2. Add a trusted MAC
    • Click ADD TRUSTED MAC ADDRESS.
    • In the dialog:
      • Discovered MAC Address: use DISCOVER if available, otherwise leave blank.
      • MAC Address: enter Client A’s MAC.
      • Subnet or Prefix: enter the expected LAN (CIDR), e.g., 192.168.1.0/24.
      • Description: “Trusted Client A”.
      • Mandatory:
        • OFF → log only when an untrusted device is seen.
        • ON → fence (enforce) per the platform capabilities.
      • Click ADD → SAVE CHANGES.
  3. Validation
    • With Mandatory OFF: connect Client B (untrusted) and generate traffic.
      • Check logs (below) for Geo-fence events flagging untrusted MAC.
    • With Mandatory ON: repeat; Client B should be fenced (blocked), while Client A continues to work.
  4. Logs
    • Director → Edge Controllers > [Device] > System > Logs > SYSLOG > GEO-FENCE.
    • Confirm entries show trusted vs. untrusted MAC activity and any fencing action.

Notes

  • The Geo-fence page shows Trusted MAC Address List with columns for MAC Address, Subnet or Prefix, Description, Mandatory.
  • Enforcement behavior depends on the Mandatory setting. Use carefully in POC.

Test D – Geo-fencing (GPS-based)

Goal

Define a GPS boundary and verify the device logs (and optionally fences, if configured) when it is considered outside the boundary.

This is primarily an alerting/assurance control in POC (per your screenshots); use it to demonstrate logging at minimum.

Steps

  1. Open GPS settings
    • Director → Edge Controllers > [Device] > Security > GEO-FENCE.
    • Click SET GPS LOCATION.
  2. Configure boundary
    • In Set GPS Location:
      • Latitude / Longitude: enter your intended center coordinates.
        • (Tip: if you want to force an out-of-bounds alert immediately, set the center to a faraway location from where the device is actually deployed.)
      • Radius: set a small value (e.g., 0.1) and Unit: Kilometer.
      • Lock: leave unchecked unless you’re pinning to the device’s current location.
      • SAVE → SAVE CHANGES on the main page.
  3. Validation
    • Generate routine traffic from a client (just to timestamp activity).
    • Director → System > Logs > SYSLOG > GEO-FENCE.
    • Confirm a log entry indicating device outside the configured boundary (and any “fencing” state if used in your policy).
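
To know which log state to expect before opening SYSLOG > GEO-FENCE, the following added example (not zWAN code) computes the distance between the configured center and the device's real position and compares it with the radius in kilometers. It assumes the boundary is a circle evaluated by great-circle distance; the coordinates are constructed and `gps_error_km` is an assumed fix uncertainty, not a zWAN setting.

```python
import math

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(min(1.0, math.sqrt(a)))

def expected_state(center, radius_km, device, gps_error_km=0.02):
    """Predict the boundary state the GEO-FENCE log should report.

    Returns (state, distance_km). 'marginal' means the device sits within
    the assumed GPS error of the boundary, so the logged state may flip
    between inside and outside during the test.
    """
    for lat, lon in (center, device):
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"coordinate out of range: {(lat, lon)}")
    if radius_km <= 0:
        raise ValueError("radius must be positive")
    d = distance_km(*center, *device)
    if abs(d - radius_km) <= gps_error_km:
        return "marginal", d
    return ("inside" if d < radius_km else "outside"), d

# Constructed coordinates for illustration only.
DEVICE = (40.0, -75.0)

if __name__ == "__main__":
    for center in (DEVICE, (40.001, -75.0), (0.0, 0.0)):
        state, d = expected_state(center, 0.1, DEVICE)
        print(f"center={center} radius=0.1 km -> {state} ({d:.3f} km)")
```

With the 0.1 km radius from step 2, a center only about 0.11 km from the device comes back as marginal, which is why the tip to pick a faraway center gives a cleaner out-of-bounds result.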

Reset when done: Set your production/POC coordinates and radius, or remove the GPS entry before handing off to the customer.

Validation Criteria (all tests)

  • MAC Filtering (Allow): Only MACs in Allowed Mac Addresses pass; others are blocked.
  • MAC Filtering (Deny): MACs listed in DENY are blocked; others pass.
  • Geo-fence (MAC-based): Trusted entries behave per Mandatory setting; untrusted devices generate logs and (if Mandatory ON) are fenced.
  • Geo-fence (GPS-based): Logs in SYSLOG > GEO-FENCE reflect inside/outside boundary state.
  • Logs: Relevant entries appear at:
    • MAC filtering: System > Logs > SYSLOG > All Logs
    • Geo-fence: System > Logs > SYSLOG > GEO-FENCE

Troubleshooting / Tips

  • If a client keeps passing when you expect block, ensure:
    • MAC filtering Enabled toggle is ON on the MAC FILTERING tab.
    • The client is using the adapter whose MAC you added (Wi-Fi vs. Ethernet).
    • Clear ARP caches or renew IP:
      • Windows: ipconfig /release → ipconfig /renew (or arp -d * in elevated cmd).
      • Linux: sudo ip neigh flush all (and reconnect).
  • Sequence with other policies: firewall rules or VLANs may also affect reachability; test with simple ICMP + web first.
  • For GPS tests, if no events appear, increase the time window in the log view and confirm GEO-FENCE Enable/Disable is ON and SAVE CHANGES was clicked.

Cleanup

  • MAC Filtering: return to the team’s intended mode (ALLOW or DENY), disable if not needed, and remove test MACs.
  • Geo-fence: remove test entries or restore real GPS coordinates and the correct radius; disable if not needed for POC handoff.