Block internal LAN devices from accessing internet Except URL

Jakeyg

Hi there

I have a group of tablets (alias tablets) ips 192.168.0.60-70.  I need these sites to access sitename.com.au (i have setup a sitename alias for that URL) However this sitename is actually an internally hosted IP 192.168.0.151.  Whenn other devices that are external to the LAN access sitename.com.au they can access it from anywhere, however when they are on the internal LAN the should be redirected to the internal IP.  Is this possible?  How would i go about doing it?

any help is greatly appreciated

KOM

You can do it via NAT Reflection, or preferably Split DNS.

https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Jakeyg

ok so ive setup DNS resolver and set up the host to point to the IP address.  When i ping the URL it shows me the internal IP.  Thanks for that

Now is i tpossible to block all traffic from these devices (alias: tablets) from accessing anything other than this site?

Ive tried a LAN firewall rule
action: block
interface: LAN
source: tablets
destination: internet

the problem is that it doesnt seem to block anything.  I can access all websites on the internet.  I cant work out what im doing wrong :(

Derelict

destination: internet

What is that really? There is no destination: internet in pfSense. Try any.

You have to pass everything the tablets need, like DNS, access to that URL, etc, then block everything else.

There is a default deny rule that will block everything unless explicitly passed. Simply deleting the default pass rule should be enough. Though I would probably prefer to have a reject rule there, not block, so the clients get an immediate RST instead of just hanging.

Jakeyg

sorry about that
destination: internet
should really have been destination: WAN (i had just renamed WAN to internet).

I want these devices to be able to access resources on the internal LAN, Nothing on the internet and hopefully that dns reslover will send the request for anything from sitename.com.au it will redirect it to the internal IP no issues.

I have resetup the rule as
action: BLOCK
Source: alias(Tablets)
destination: invert match - Singlehost or alias (sitename.com.au)

It seems to be working.  The tablets cant access anything on the internet, they can access things on the LAN.  When i tried to access the sitename.com.au, it seemed to take forever to connect, so i changed the action to REJECT instead as you suggested and it works PERFECTLY!

Thanks all for your help!

Cheers

Derelict

Destination WAN is not the internet, it is the subnet of your WAN interface. Destination any is the internet.