Block internal LAN devices from accessing internet Except URL



  • Hi there

    I have a group of tablets (alias: tablets), IPs 192.168.0.60-70. I need these sites to access sitename.com.au (I have set up a sitename alias for that URL). However, this sitename is actually an internally hosted IP, 192.168.0.151. When other devices that are external to the LAN access sitename.com.au they can access it from anywhere; however, when they are on the internal LAN they should be redirected to the internal IP. Is this possible? How would I go about doing it?

    Any help is greatly appreciated.





  • OK, so I've set up the DNS Resolver and set up the host to point to the IP address. When I ping the URL it shows me the internal IP. Thanks for that.

    Now, is it possible to block all traffic from these devices (alias: tablets) from accessing anything other than this site?

    I've tried a LAN firewall rule:
    action: block
    interface: LAN
    source: tablets
    destination: internet

    The problem is that it doesn't seem to block anything. I can access all websites on the internet. I can't work out what I'm doing wrong :(


  • LAYER 8 Netgate

    destination: internet

    What is that really? There is no destination: internet in pfSense. Try any.

    You have to pass everything the tablets need, like DNS, access to that URL, etc, then block everything else.

    There is a default deny rule that will block everything unless explicitly passed. Simply deleting the default pass rule should be enough. Though I would probably prefer to have a reject rule there, not block, so the clients get an immediate RST instead of just hanging.



  • Sorry about that:
    destination: internet
    should really have been destination: WAN (I had just renamed WAN to internet).

    I want these devices to be able to access resources on the internal LAN, nothing on the internet, and hopefully that DNS Resolver will redirect any request for sitename.com.au to the internal IP with no issues.

    I have re-set up the rule as:
    action: BLOCK
    Source: alias(Tablets)
    destination: invert match - Singlehost or alias (sitename.com.au)

    It seems to be working. The tablets can't access anything on the internet; they can access things on the LAN. When I tried to access sitename.com.au, it seemed to take forever to connect, so I changed the action to REJECT instead as you suggested and it works PERFECTLY!

    Thanks all for your help!

    Cheers


  • LAYER 8 Netgate

    Destination WAN is not the internet, it is the subnet of your WAN interface. Destination any is the internet.
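The points made in this thread (first-match rule evaluation ending in the default deny, "WAN net" being only the WAN interface's subnet rather than the internet, "invert match" on the destination, and passing DNS before the catch-all reject) can be shown with a small simulator of pfSense-style LAN rules. This is an added example, not code from the thread or from pfSense. The tablet range and the sitename host come from the thread; the /24 mask, the pfSense LAN address 192.168.0.1 and the WAN subnet 203.0.113.0/24 are assumptions, and protocol (TCP/UDP) is ignored. It also models the fact that traffic between two hosts on the same LAN subnet is switched directly and never reaches the firewall's rules at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed addresses mirroring the thread. The /24 mask, the pfSense LAN address
# and the WAN subnet (documentation space) are assumptions, not stated in the thread.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")          # what "WAN net" really means
FIREWALL_LAN = ipaddress.ip_address("192.168.0.1")        # DNS Resolver listens here
TABLETS = {ipaddress.ip_address(f"192.168.0.{i}") for i in range(60, 71)}  # alias "Tablets"
SITENAME = {ipaddress.ip_address("192.168.0.151")}         # alias "sitename"

# None = any, a network = interface subnet such as "WAN net", a set = host alias
Spec = Union[None, ipaddress.IPv4Network, set]


@dataclass
class Rule:
    action: str                  # "pass", "block" (silent drop) or "reject" (RST/ICMP unreachable)
    src: Spec
    dst: Spec
    dst_invert: bool = False     # the GUI's "invert match" checkbox on the destination
    dport: Optional[int] = None  # None = any port
    note: str = ""


def _hit(spec: Spec, addr: ipaddress.IPv4Address) -> bool:
    if spec is None:
        return True
    return addr in spec          # works for both a network and a set of hosts


def traverses_firewall(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """Two hosts on the same LAN subnet talk through the switch, never through pfSense.
    Only traffic addressed to the firewall itself or to another subnet is filtered."""
    return not (src in LAN_NET and dst in LAN_NET and dst != FIREWALL_LAN)


def evaluate(rules, src: str, dst: str, dport: int):
    """First-match evaluation of LAN-interface rules, ending in the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not traverses_firewall(s, d):
        return ("unfiltered", "same subnet, never reaches the firewall")
    for r in rules:
        if not _hit(r.src, s):
            continue
        if _hit(r.dst, d) == r.dst_invert:   # invert match flips the destination test
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return (r.action, r.note)
    return ("block", "default deny")


DEFAULT_LAN_PASS = Rule("pass", LAN_NET, None, note="Default allow LAN to any")

# The first attempt from the thread: "destination: WAN" only covers the WAN subnet.
FIRST_ATTEMPT = [
    Rule("block", TABLETS, WAN_NET, note="Tablets -> WAN net (renamed 'internet')"),
    DEFAULT_LAN_PASS,
]

# The working set: pass what the tablets need, then reject everything else from them.
WORKING = [
    Rule("pass", TABLETS, {FIREWALL_LAN}, dport=53, note="DNS to the Resolver on pfSense"),
    Rule("reject", TABLETS, SITENAME, dst_invert=True, note="Tablets -> anything but sitename"),
    DEFAULT_LAN_PASS,
]

if __name__ == "__main__":
    for rules, name in ((FIRST_ATTEMPT, "first attempt"), (WORKING, "working")):
        print(name, "tablet -> internet:", evaluate(rules, "192.168.0.65", "198.51.100.10", 443))
        print(name, "tablet -> WAN subnet:", evaluate(rules, "192.168.0.65", "203.0.113.5", 443))
        print(name, "tablet -> DNS:", evaluate(rules, "192.168.0.65", "192.168.0.1", 53))
        print(name, "tablet -> sitename:", evaluate(rules, "192.168.0.65", "192.168.0.151", 443))
```

Running it shows why the first attempt "doesn't block anything": an internet address is not in the WAN subnet, so the block never matches and the default LAN pass lets the traffic through, while a host actually on the WAN subnet would be blocked. With the working set, tablets reach the DNS Resolver and are rejected for everything else, other LAN hosts still hit the default pass, and tablet-to-sitename traffic on the same /24 never hits the firewall at all.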

