Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block internet for one IP

    Scheduled Pinned Locked Moved
    NAT
    3
    6
    370
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfsense57352
      last edited by

      Hello,

      Need some help with pfsense.
      I want to block internet access for one internal IP (static ip 192.168.11.11) that is on the main LAN.
      I've made this block rule in the section: "Firewall\Rules\LAN", but it is not working for some reason.

      Where i'm making mistake?

      Screenshot 2024-03-24 at 10.50.14.png

      T.Y.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @pfsense57352
        last edited by

        @pfsense57352 rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. You would need to put that block above your rule that allows internet for everything.

        Keep in mind once a state is created that allows an IP to go somewhere, that state will allow the traffic before the new block rule is evaluated.

        So if you want to block 192.168.11.1 from going to the internet, you would need to either kill all the states to the internet for that IP, or wait for them to time out before your rule will take effect.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        P 1 Reply Last reply Reply Quote 1
        • P
          pfsense57352 @johnpoz
          last edited by

          @johnpoz said in Block internet for one IP:

          Keep in mind once a state is created that allows an IP to go somewhere, that state will allow the traffic before the new block rule is evaluated.

          So if you want to block 192.168.11.1 from going to the internet, you would need to either kill all the states to the internet for that IP, or wait for them to time out before your rule will take effect.

          Thank you very much!! the problem indeed was the state.
          But then i have another question? How often states are updated (cleared)? I've created this rule ±12 hours ago. But it did not timed out. Only after i manually deleted state for specific zabbix port, blocking started to work.

          johnpozJ S 2 Replies Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @pfsense57352
            last edited by

            @pfsense57352 a state can stay open forever if traffic is flowing over it.. Only when traffic stop will the state finally time out. Normally what happens is the devices close the connection when they are done talking by sending fin..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            1 Reply Last reply Reply Quote 2
            • S
              SteveITS Rebel Alliance @pfsense57352
              last edited by

              @pfsense57352 An add on to what John said: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              P 1 Reply Last reply Reply Quote 0
              • P
                pfsense57352 @SteveITS
                last edited by

                @SteveITS said in Block internet for one IP:

                @pfsense57352 An add on to what John said: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

                Thank you!

                I've started my journey with pfsense yesterday, so i'm brand new with this router/firewall. But i already like it much better than mikrotik.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post