Netgate Discussion Forum
    Block access from lan to an internet ip

Firewalling
20 Posts 6 Posters 9.1k Views
tommyboy180

      Your rules are correct.

Add just one IP address that you want to block at the top of the LAN, use IP 178.32.68.70.
Make sure you get a successful ping from 178.32.68.70 before applying the rule.

      Reboot

      Now try to ping 178.32.68.70

      Results?

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

clarknova

        Stranger still is the fact that when I ping that site I get no reply.

        db

Rezin

          Do you have the Squid package installed?

          @clarknova:

          Stranger still is the fact that when I ping that site I get no reply.

          I can't ping 178.32.68.70 either, so they must have disabled replies.

tommyboy180

            Hmm. That IP address is not responding for me either. So that's not a good example.

            You see where I was getting at though. Narrow the issue down a little more. Try to block a single address. Don't forget to reboot.

            Then go from there.

clarknova

              @tommyboy180:

              Hmm. That IP address is not responding for me either. So that's not a good example.

              Well, isn't it a little odd that bilbus says he can ping it?

tommyboy180

                That was a day ago though, the host may be down.

bilbus

Ya, I can't ping it anymore now either, from home or work. It was a virus-infected web server trying to infect users with adware. Guess they were kicked offline.

I added a few reliable test hosts to my blocked file list, and I can still ping them.

I have these addresses on my block list:

178.32.68.66/32, 178.32.68.0/24, 188.124.5.162/24, 198.6.1.2/32

The 198.6.1.2 is a UUNET DNS server, so it's pingable and always online.

No matter what I do I cannot get these rules to stick. I am able to do DMZ to LAN rules just fine.

Only proxy I have installed is HAVP.

tommyboy180

Hmm. I will test when I get home today and make a step by step.

bilbus

Anyone have any ideas?

Cry Havok

                        You are trying the ping from a LAN host, not the pfSense host?

Also, an answer to @Rezin:

                        Do you have the Squid package installed?

                        would be useful.

bilbus

No Squid.

Ya, I am pinging from my desktop on the LAN.

shadowadepts

In my dealings blocking an entire subnet, you have to make sure that your rules are in the correct place in the rules list (top, before allow rules). Secondly, if you restart your pfSense, by no means assume that clients will get updated automatically unless directly connected. ipconfig /release, /flushdns, /renew or your OS's equivalent.

Also, blocking the route to the subnet seems to prevent connections better (IMHO),
so that would look like:

                            *  Blocked_sites  *  LAN net  *  *
                            *  Blocked_sites  *  WAN net  *  *

Try blocking the remote DNS address if possible.
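The two points the thread turns on, rule order on the LAN tab and what bilbus's block list actually covers, can be checked with a small first-match rule evaluator. This is an added example written for this thread, not code from pfSense or from any of the posters; it assumes only that pfSense interface-tab rules are evaluated top-down with the first match winning, and that a fresh LAN has the stock "Default allow LAN to any rule". The block list is bilbus's, copied verbatim.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One LAN-interface rule: action, destination (CIDR or 'any'), description."""
    action: str          # "block" or "pass"
    dst: str             # CIDR such as "178.32.68.0/24", or "any"
    descr: str = ""


# bilbus's block list from the thread, verbatim.
BLOCK_LIST = ["178.32.68.66/32", "178.32.68.0/24", "188.124.5.162/24", "198.6.1.2/32"]

# The stock pfSense LAN rule that every new LAN tab starts with.
DEFAULT_ALLOW = Rule("pass", "any", "Default allow LAN to any rule")


def normalize(cidr: str) -> str:
    """Return the network the firewall will actually use for a CIDR entry.
    With host bits set, 188.124.5.162/24 means the whole 188.124.5.0/24."""
    return str(ip_network(cidr, strict=False))


def first_match(rules: List[Rule], dst_ip: str) -> Optional[Rule]:
    """Walk the rule list top-down and return the first rule whose
    destination contains dst_ip; None if nothing matches (assumed
    first-match semantics of pfSense interface-tab rules)."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if rule.dst == "any" or ip in ip_network(rule.dst, strict=False):
            return rule
    return None


def is_blocked(rules: List[Rule], dst_ip: str) -> bool:
    """True when the winning rule is a block rule."""
    match = first_match(rules, dst_ip)
    return match is not None and match.action == "block"


def correct_order() -> List[Rule]:
    """Block rules above the default allow rule, as shadowadepts recommends."""
    return [Rule("block", c, "Blocked_sites") for c in BLOCK_LIST] + [DEFAULT_ALLOW]


def wrong_order() -> List[Rule]:
    """Same block rules placed below the default allow: they can never match."""
    return [DEFAULT_ALLOW] + [Rule("block", c, "Blocked_sites") for c in BLOCK_LIST]


def explain(rules: List[Rule], dst_ip: str) -> str:
    """Human-readable verdict for one destination under one rule order."""
    m = first_match(rules, dst_ip)
    return f"{dst_ip}: {m.action} by '{m.descr}' ({m.dst})" if m else f"{dst_ip}: no match"


if __name__ == "__main__":
    for cidr in BLOCK_LIST:
        print(f"{cidr:>18} -> {normalize(cidr)}")
    # 198.6.1.2 is bilbus's always-up test host; 8.8.8.8 is a control address
    # that is not on the list (constructed input, not from the thread).
    for ip in ("198.6.1.2", "188.124.5.1", "8.8.8.8"):
        print("correct:", explain(correct_order(), ip))
        print("wrong:  ", explain(wrong_order(), ip))
```

Two things the run shows: the same block rules pass every ping when they sit below the default allow, and the `/24` with host bits in the list silently widens the block to the whole 188.124.5.0/24. pf is also stateful, so a block rule added while a ping is already running does not affect the existing state; that is why the thread's advice to reboot (or otherwise reset states) matters when testing.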

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.