Netgate Discussion Forum
    Can't block IPs - must be missing something

    Firewalling
    6 Posts 3 Posters 384 Views
    • Z
      Zululander
      last edited by Zululander

      My laptop is on the 192.168.10.0 subnet (LAN). I have put in a pfSense firewall rule to block access to 192.168.10.99. Yet I can still ping and browse to it. Am I missing something?

      8c8460e8-ac34-4ba1-b3b1-afe850216f40-WhatsApp Image 2025-01-13 at 15.19.25_5bd1fbae.jpg

      I have no floating rules.

      • Z
        Zululander
        last edited by

        Enabled logging on the only allow rule (except for the Anti-lockout rule) and can't even see the allow traffic

        873cadf8-5093-4b89-abf6-22cc3306cc51-image.png

        • R
          RJ
          last edited by

          @Zululander said in Can't block IPs - must be missing something:

          192.168.10.99

          It looks like 192.168.10.99 is on the same subnet as your laptop, so the traffic is not going through the router/firewall.

          • bmeeksB
            bmeeks @Zululander
            last edited by

            @Zululander said in Can't block IPs - must be missing something:

            My laptop is on the 192.168.10.0 subnet (LAN). I have put in a pfSense firewall rule to block access to 192.168.10.99. Yet I can still ping and browse to it. Am I missing something?

            8c8460e8-ac34-4ba1-b3b1-afe850216f40-WhatsApp Image 2025-01-13 at 15.19.25_5bd1fbae.jpg

            I have no floating rules.

            Traffic on the same subnet never needs to traverse the firewall. Those two devices simply directly contact each other through the Ethernet switch's backplane (port-to-port). Each client sees that the address of the other machine is in the same IP netblock, so they simply issue an ARP to ask which MAC address has IP address 192.168.10.xxx and then send packets directly to each other bypassing the firewall.

            The firewall never sees the traffic at all since it will not be directed at the firewall's MAC address. The only time the firewall would get the traffic is if the destination IP address was in a different subnet and the traffic needs to be "routed" to the other network. When clients need to send data to an IP address that is not within their subnet, they hand that traffic off to their designated default gateway. In your case, that would be the firewall most likely.

            • Z
              Zululander
              last edited by

              Thanks all; this makes sense.

              I will put the restricted IPs into another VLAN and on their own subnet and go from there :)

              Reading online, I could apparently achieve same-subnet blocking if I used pfSense in bridge mode, but VLANning seems to make more sense to me.

              • bmeeksB
                bmeeks @Zululander
                last edited by

                @Zululander said in Can't block IPs - must be missing something:

                Reading online, I could apparently achieve same-subnet blocking if I used pfSense in bridge mode, but VLANning seems to make more sense to me.

                Generally the use of bridges should be avoided if at all possible. They can introduce other weird issues besides being a bit of a CPU burden in high traffic conditions. A dedicated Ethernet switch can do the job much better. Use VLANs or some other dedicated interface port on the firewall if you want to segregate traffic.

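A small added example, not from this thread or from pfSense itself, that models bmeeks's explanation and the VLAN fix in code: a destination inside the sender's own subnet is reached on-link (ARP plus the switch) and the firewall never evaluates any rule for it, whereas a destination on another subnet is handed to the gateway, where the LAN rules are matched first-hit. The laptop address, gateway, and rule list are constructed assumptions.

```python
import ipaddress

# Constructed scenario: laptop on the pfSense LAN, pfSense is its default gateway.
LAN_HOST = "192.168.10.50"
LAN_PREFIX = 24
LAN_GATEWAY = "192.168.10.1"

# Hypothetical LAN rule set modelled on the thread: block the restricted host
# (its original LAN address and its new VLAN address), then "allow LAN to any".
# First match wins, as on a pfSense interface tab.
LAN_RULES = [
    ("block", "192.168.10.99/32"),
    ("block", "192.168.20.99/32"),
    ("pass", "0.0.0.0/0"),
]


def next_hop(src_ip, prefixlen, dst_ip, gateway):
    """Return ('on-link', dst) when dst lies in the sender's subnet, i.e. the host
    ARPs for it and the switch delivers the frame directly; otherwise
    ('routed', gateway), meaning the frame is addressed to the gateway's MAC."""
    iface = ipaddress.ip_interface(f"{src_ip}/{prefixlen}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return ("on-link", str(dst))
    return ("routed", gateway)


def firewall_verdict(src_ip, prefixlen, dst_ip, gateway, rules):
    """Outcome for a packet from the LAN host to dst_ip.  On-link traffic is
    delivered by the switch no matter what the LAN rules say; routed traffic
    is checked against the rules in order, with pfSense's default deny last."""
    path, _hop = next_hop(src_ip, prefixlen, dst_ip, gateway)
    if path == "on-link":
        return "delivered (bypasses firewall)"
    dst = ipaddress.ip_address(dst_ip)
    for action, net in rules:
        if dst in ipaddress.ip_network(net):
            return f"{action} by rule {net}"
    return "block by default deny"


if __name__ == "__main__":
    # Same subnet: the block rule can never fire.  Moved to a VLAN: it does.
    for target in ("192.168.10.99", "192.168.20.99", "8.8.8.8"):
        print(target, "->", firewall_verdict(LAN_HOST, LAN_PREFIX, target,
                                             LAN_GATEWAY, LAN_RULES))
```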
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.