block internet
-
Hi,
I want to put one department of computers in a separate environment so the users can log in with their AAD Office365 email address as login to the computer and Intune will handle the rest.
Windows updates must work as well.
But the users are not allowed to surf the internet at all. Is it possible to do this using a VLAN or something else?
-
Depends how those machines connect to those services.
If that is all local hosts or over VPN to Azure it's relatively easy.
If it's directly to random and constantly changing groups of IPs then it's far more difficult.
Steve
-
@stephenw10 said in block internet:
Depends how those machines connect to those services.
If that is all local hosts or over VPN to Azure it's relatively easy.
If it's directly to random and constantly changing groups of IPs then it's far more difficult.
Steve

Hi, they are all connected locally on the same LAN. The computers are connected to Intune, so the users can log in with their Office365 logins.
Of course, on the same pfSense there are also computers connected that CAN do everything as normal, but these will have another DHCP range and probably another VLAN as well.
-
If you put them in a separate VLAN it will be much easier to control their traffic however you have it configured. I would do that.
If you want to block everything but allow access to that cloud login though, you're going to need some way of defining that. If that's not over a VPN or some local proxy you will need a source of subnets to allow. That might be an ASN or maybe via a URL alias if MS publish something.
Steve
-
@stephenw10 Yes, but this is all some nice theory you are writing, with no specific details...
I did read somewhere that I could block ALL 80 and 443 traffic in the rules.
And then create virtual IPs/aliases and allow those. Is that what you mean?
And yes, then I will have to find all the IPs of Microsoft...
such as https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide which is quite a list :(
Do you think it might also be possible to add a non-existent proxy address to the browser so browsing is not possible, but Windows CAN access the internet?
-
Yes, exactly. You could allow access only to an alias containing a list of known MS IPs.
Then block access to everything else on port 80 and 443. Or just on all ports if you need to.
You can probably use either a URL alias or via pfBlocker to create that alias and update it automatically.
Something like this: https://forum.netgate.com/topic/137691/office365-ip-list
Steve
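Putting the two suggestions above together (the OP's plan to block 80/443 and pass only an alias of Microsoft addresses, and Steve's point that the alias should be built from a published list and refreshed automatically): the script below is an added example, not code from this thread or from Netgate. It assumes the JSON shape of the Microsoft 365 endpoint web service at endpoints.office.com (the machine-readable feed Microsoft publishes alongside the docs page linked above) and a pfSense "URL Table (IPs)" alias that fetches the text file it writes. The sample feed embedded in it is constructed for the example, not a real download, and the function names are the author's own.

```python
"""Build a pfSense URL Table alias feed from the Microsoft 365 endpoint JSON.

Added example for the thread above, not code from the forum posts or from
Netgate. Assumes the feed is a list of objects with "id", "serviceArea",
"category", "required" and optional "ips", "urls", "tcpPorts", "udpPorts"
(the shape of the worldwide endpoint web service). SAMPLE_ENDPOINTS_JSON is
constructed for the example, not downloaded data.
"""
import ipaddress
import json
import sys
import urllib.request
import uuid

# Worldwide instance of the endpoint web service; it requires a client GUID.
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={guid}"

# Constructed sample in the same shape as the service output (not real data).
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "443",
     "urls": ["outlook.office.com"]},
    {"id": 2, "serviceArea": "Common", "category": "Allow", "required": True,
     "ips": ["20.190.128.0/18", "40.126.0.0/18"], "tcpPorts": "80,443",
     "urls": ["login.microsoftonline.com"]},
    {"id": 3, "serviceArea": "Skype", "category": "Default", "required": False,
     "ips": ["52.112.0.0/14"], "tcpPorts": "443", "udpPorts": "3478-3481"},
    # Overlap with id 2 on purpose: the real feed repeats prefixes across entries.
    {"id": 4, "serviceArea": "Common", "category": "Allow", "required": True,
     "ips": ["20.190.128.0/18"], "tcpPorts": "443"},
    # URL-only entry: nothing an IP alias can express; needs DNS-based handling.
    {"id": 5, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.microsoft.com"]},
])


def load_sample():
    """Parse the constructed sample feed (offline path)."""
    return json.loads(SAMPLE_ENDPOINTS_JSON)


def fetch_endpoints(url_template=ENDPOINTS_URL, timeout=30):
    """Download the live feed (needs network; not used by the offline sample)."""
    with urllib.request.urlopen(url_template.format(guid=uuid.uuid4()),
                                timeout=timeout) as resp:
        return json.load(resp)


def select_networks(entries, required_only=True, include_v6=False):
    """Pick the prefixes to allow and collapse duplicates and overlaps.

    Returns sorted CIDR strings, IPv4 first. Optional (required=False) entries
    are dropped by default because the goal is the minimum needed for sign-in,
    not all of Microsoft 365.
    """
    nets = []
    for entry in entries:
        if required_only and not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 6 and not include_v6:
                continue
            nets.append(net)
    # collapse_addresses() refuses mixed families, so collapse each separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def select_tcp_ports(entries, required_only=True):
    """Return the sorted set of TCP ports the selected entries use.

    "tcpPorts" is a comma list that may contain ranges such as "3478-3481";
    this tells you whether a blanket 80/443 pass rule is actually enough.
    """
    ports = set()
    for entry in entries:
        if required_only and not entry.get("required", False):
            continue
        for spec in entry.get("tcpPorts", "").split(","):
            spec = spec.strip()
            if not spec:
                continue
            low, _, high = spec.partition("-")
            ports.update(range(int(low), int(high or low) + 1))
    return sorted(ports)


def render_alias_file(cidrs):
    """One prefix per line: the format a pfSense URL Table (IPs) alias fetches."""
    header = "# Microsoft 365 required IPv4 prefixes; regenerate on a schedule"
    return "\n".join([header, *cidrs]) + "\n"


if __name__ == "__main__":
    # "--sample" renders the constructed data; otherwise the live feed is used.
    entries = load_sample() if "--sample" in sys.argv else fetch_endpoints()
    sys.stdout.write(render_alias_file(select_networks(entries)))
    sys.stderr.write("TCP ports needed: %s\n" % select_tcp_ports(entries))
```

Serve the output file from an internal web server, point a URL Table (IPs) alias at it with an update frequency, and on the restricted VLAN put a pass rule for TCP 80/443 to that alias above a block-all rule (pfSense evaluates rules first match wins). Two caveats worth checking before relying on it: entries that carry only hostnames (like id 5 above) cannot go into an IP alias and need DNS-based handling such as pfBlockerNG or a proxy, and Windows Update and Intune are documented separately from this feed, so verify their ranges rather than assuming the Microsoft 365 list covers them.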