Netgate Discussion Forum
    Is this Right?

    Firewalling
Ximulate

      Please let me know if I got this right, or what could be done better. Here's what I'm trying to do:

1. Block internet access for select devices on the LAN. I've created an alias for those devices (cls_NoInternet). Alternatively, I could create an alias of devices that need internet access and block all others (it doesn't matter to me which approach; whatever works best).

2. Devices with internet access should only be able to access destinations in approved regions. Using pfBlockerNG, I've created an "Alias Permit" and the corresponding firewall rule below.

3. I'm also using the DNSBL feature of pfBlockerNG with various block lists. So, I've created rules to block all port 53 requests except the pfSense DNS resolver.

      Here's what I've done (screenshot):

chpalmer

        Nope

On the LAN interface your source would be LAN net.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

johnpoz (Global Moderator)

Dest of LAN net from LAN is pointless.

So you want your device on LAN to only go to places that are in N. America... Wow, that is going to limit your internet ;)

The only reason to change your source to any on LAN would be if you have downstream networks using the LAN as a transit.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Ximulate
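To make the corrections in the two replies concrete, here is the pf ruleset that the three LAN rules from the original post would boil down to, with the source set to LAN net (as chpalmer says) and the "not internet" condition expressed as an inverted destination match instead of a destination of LAN net (johnpoz's point). This is an added example written for this thread, not the poster's screenshot and not output from pfSense: on pfSense you build these in the GUI and the system generates the equivalent pf rules itself. The interface name igb1, the 192.168.1.0/24 subnet, the two member addresses of cls_NoInternet, and the pfBlockerNG table name pfB_Permit_v4 are all assumptions for the sake of the example; only the alias name cls_NoInternet comes from the post.

```pf
# Added example (not from the post). Names and addresses below are assumed.
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"          # address the pfSense DNS resolver listens on

# pfSense aliases become pf tables. Member addresses are constructed for the example;
# the pfBlockerNG "Alias Permit" table is populated by pfBlockerNG from its GeoIP lists.
table <cls_NoInternet> { 192.168.1.50, 192.168.1.51 }
table <pfB_Permit_v4> persist

# pfSense evaluates GUI rules top-down, first match wins ("quick"), so order matters.
# (The built-in anti-lockout rule for management access is not shown.)

# 3. DNS: allow only the resolver on the firewall's LAN address, then block every
#    other port 53 request before any broader pass rule can let it through.
pass  in quick on $lan_if proto { tcp udp } from $lan_net to $lan_addr port 53
block in quick on $lan_if proto { tcp udp } from $lan_net to any       port 53

# 1. Devices in cls_NoInternet may still talk to the firewall (DNS above) but not
#    leave the subnet. "! $lan_net" is the GUI's Destination + "Invert match" of
#    LAN net; a plain destination of LAN net here would match nothing useful,
#    since LAN-to-LAN traffic never crosses the firewall.
block in quick on $lan_if from <cls_NoInternet> to ! $lan_net

# 2. Everyone else: only destinations in the pfBlockerNG permit table.
pass  in quick on $lan_if from $lan_net to <pfB_Permit_v4>

# Default deny. pfSense adds this implicitly; written out here for clarity.
block in quick on $lan_if from $lan_net to any
```

Two things to check after building the equivalent in the GUI: Diagnostics > States (or `pfctl -ss` from a shell) should show a cls_NoInternet host holding states only to 192.168.1.1:53 and to nothing outside the subnet, and Status > System Logs > Firewall should show the port 53 block rule catching a client that points at a public resolver. Note that blocking port 53 only covers classic DNS; a client using DNS over TLS (853) or DNS over HTTPS (443 to a public resolver) still bypasses the resolver unless those destinations are also blocked or excluded from the permit table.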

            Thank you. Does this look better?

This particular network isn't for general internet browsing, so NA is fine for starters. I may tweak the allowed destinations over time, and/or install Snort.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.