Netgate Discussion Forum

    Block internal LAN devices from accessing internet Except URL

    Category: Firewalling
    6 Posts 3 Posters 928 Views
    • Jakeyg

      Hi there

      I have a group of tablets (alias: tablets), IPs 192.168.0.60-70. I need these sites to access sitename.com.au (I have set up a sitename alias for that URL). However, this sitename is actually an internally hosted IP, 192.168.0.151. When other devices that are external to the LAN access sitename.com.au they can access it from anywhere; however, when they are on the internal LAN they should be redirected to the internal IP. Is this possible? How would I go about doing it?

      Any help is greatly appreciated.

      • KOM

        You can do it via NAT Reflection, or preferably Split DNS.

        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        • Jakeyg

          OK, so I've set up the DNS Resolver and set up the host to point to the IP address. When I ping the URL it shows me the internal IP. Thanks for that.

          Now, is it possible to block all traffic from these devices (alias: tablets) from accessing anything other than this site?

          I've tried a LAN firewall rule:
          action: block
          interface: LAN
          source: tablets
          destination: internet

          The problem is that it doesn't seem to block anything. I can access all websites on the internet. I can't work out what I'm doing wrong :(

          • Derelict (LAYER 8, Netgate)

            destination: internet

            What is that, really? There is no destination: internet in pfSense. Try any.

            You have to pass everything the tablets need, like DNS, access to that URL, etc, then block everything else.

            There is a default deny rule that will block everything unless explicitly passed. Simply deleting the default pass rule should be enough. Though I would probably prefer to have a reject rule there, not block, so the clients get an immediate RST instead of just hanging.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Jakeyg

              Sorry about that:
              destination: internet
              should really have been destination: WAN (I had just renamed WAN to internet).

              I want these devices to be able to access resources on the internal LAN, nothing on the internet, and hopefully the DNS Resolver will redirect any request for sitename.com.au to the internal IP with no issues.

              I have set the rule up again as:
              action: BLOCK
              Source: alias(Tablets)
              destination: invert match - Single host or alias (sitename.com.au)

              It seems to be working. The tablets can't access anything on the internet; they can access things on the LAN. When I tried to access sitename.com.au, it seemed to take forever to connect, so I changed the action to REJECT instead as you suggested and it works PERFECTLY!

              Thanks all for your help!

              Cheers

              • Derelict (LAYER 8, Netgate)

                Destination WAN is not the internet, it is the subnet of your WAN interface. Destination any is the internet.


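As an added example (not code from the thread or from pfSense itself), a small first-match model of the LAN rules discussed above: it shows why the "destination: WAN" rule let internet traffic through, while the reject rule with the destination inverted on the sitename host does not. The resolver address 192.168.0.1 and the WAN subnet 203.0.113.0/24 are assumptions, since the thread gives neither.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed from the thread: tablet alias 192.168.0.60-70 and the internal
# host 192.168.0.151. The resolver address and WAN subnet are assumptions.
TABLETS = frozenset(ip_address(f"192.168.0.{i}") for i in range(60, 71))
SITENAME = ip_network("192.168.0.151/32")   # Split DNS answer for sitename.com.au
RESOLVER = ip_network("192.168.0.1/32")     # assumed pfSense LAN address (DNS Resolver)
WAN_NET = ip_network("203.0.113.0/24")      # assumed WAN interface subnet
ANY = ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str                   # "pass", "block" or "reject"
    src: Optional[frozenset]      # alias members; None means any source
    dst: IPv4Network              # destination network (single host = /32)
    dst_invert: bool = False      # pfSense "invert match" on the destination
    dport: Optional[int] = None   # None means any destination port

def matches(rule, src, dst, dport):
    if rule.src is not None and src not in rule.src:
        return False
    hit = dst in rule.dst
    if rule.dst_invert:
        hit = not hit
    return hit and (rule.dport is None or rule.dport == dport)

def evaluate(rules, src, dst, dport=443):
    """Interface rules are checked top-down and the first match wins;
    anything that matches no rule is dropped by the default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "block"   # pfSense default deny

# First attempt from the thread: "destination: WAN" is the WAN interface
# subnet, so internet hosts never match it and fall through to the default pass.
ATTEMPT_WAN_SUBNET = [Rule("block", TABLETS, WAN_NET),
                      Rule("pass", None, ANY)]        # default "LAN net to any"

# Final ruleset: pass what the tablets need (DNS, per Derelict's advice),
# then the poster's reject rule with destination inverted on the sitename host.
WORKING = [Rule("pass", TABLETS, RESOLVER, dport=53),
           Rule("reject", TABLETS, SITENAME, dst_invert=True),
           Rule("pass", None, ANY)]                   # other LAN hosts unaffected
```

Tablet-to-LAN traffic on the same 192.168.0.0/24 subnet never passes through the firewall at all, which is why the tablets kept reaching LAN resources in the thread; the model only covers traffic that enters pfSense on the LAN interface.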
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.