jprokic
Staff
Article Id 270542
Description

This article describes the limitations that the local radio of FortiWiFi-6xE/4xF/6xF has when configuring MAC address wildcard/MAC address range filters.

Scope

Currently, the local radio of FortiWiFi-6xE/4xF/6xF supports the MAC filter only with a single MAC address.

The local radio of FortiWiFi-6xE/4xF/6xF can operate as an Access Point, but there are some limitations because of its chipset and driver.

Solution

A new feature came along with the FortiOS 7.0.0 GA release.

A firewall address can be created with the MAC address type, using wildcard MAC addresses as filters:

 

  1. Go to Policy & Objects -> Addresses and select 'Create New' -> Address.
  2. Enter a name.
  3. For Type, select Device (MAC Address).
  4. In the MAC address field, enter the wildcard address. Select the + to add more addresses.


In the CLI, it is possible to configure it as follows:

 

config firewall address
    edit "Demo-wildcard-mac-1"
        set type mac
        set macaddr "00:0c:29:b5:**:8d"
    next
end

 

Due to the limitations mentioned above, the following CLI configuration, which uses MAC filtering to control the number of devices that can connect to a specific SSID created on the FortiWiFi device itself, will not take any effect:

 

  1. Create an address group that contains the previously created firewall address MAC type:

config firewall addrgrp
    edit "mac-grp-range"
        set member "Demo-wildcard-mac-1"
    next
end

 

  2. Create a VAP (SSID) and apply an address group with a corresponding action to it:

config wireless-controller vap
    edit "wifi"
        set ssid "FOS_QA_Starr_61F_psk"
        set schedule "always"
        set mpsk-profile "wifi"
        set dynamic-vlan enable
        set address-group "mac-grp-range"
        set address-group-policy deny
    next
end 

 

If the MAC filter feature with MAC address range or wildcard is required, it should be applied through the FortiAP.

FortiAP 7.2.0 and FortiAP-W2 7.2.0 support this feature.
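
The following Python check is an added example, not part of the original article and not Fortinet tooling: it parses a FortiOS configuration backup and lists every VAP whose address group contains a MAC entry that is not one exact address, which is the kind of filter the article says will not take effect on the local radio. It assumes the configuration comes from a FortiWiFi that serves the SSID on its local radio; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample, modelled on the configuration shown in this article.
SAMPLE_CONFIG = '''
config firewall address
    edit "Demo-wildcard-mac-1"
        set type mac
        set macaddr "00:0c:29:b5:**:8d"
    next
end
config firewall addrgrp
    edit "mac-grp-range"
        set member "Demo-wildcard-mac-1"
    next
end
config wireless-controller vap
    edit "wifi"
        set address-group "mac-grp-range"
        set address-group-policy deny
    next
end
'''

# One fully specified MAC address; wildcards and ranges do not match this.
SINGLE_MAC = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

def parse_sections(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if words[:1] == ["config"]:
            section, entry = " ".join(words[1:]), None
        elif words[:1] == ["edit"] and section:
            entry = tree.setdefault(section, {}).setdefault(words[1], {})
        elif words[:1] == ["set"] and entry is not None:
            entry[words[1]] = words[2:]
    return tree

def ineffective_vap_filters(text):
    """(vap, group, address, macaddr) tuples whose filter is not one exact MAC."""
    cfg = parse_sections(text)
    addrs, groups = cfg.get("firewall address", {}), cfg.get("firewall addrgrp", {})
    return [(vap, grp, member, mac)
            for vap, opts in cfg.get("wireless-controller vap", {}).items()
            for grp in opts.get("address-group", [])
            for member in groups.get(grp, {}).get("member", [])
            for mac in addrs.get(member, {}).get("macaddr", [])
            if not SINGLE_MAC.match(mac)]
```

Any tuple returned marks an SSID whose deny or allow list is configured but not enforced on the local radio, so the filter should be moved to a FortiAP or rewritten with single MAC addresses.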
