Blocking Internet access to specific hosts



  • I have done a lot of searching on this subject but it seems like the suggested approaches are not clear-cut: some seem to have only worked with previous versions of pfSense, others are suboptimal implementations, and some just plain don't work. What I am trying to do is something of which all other router platforms I've used have simple implementations: blocking Internet access to specific hosts on a schedule.

    What I've tried so far is to set a firewall rule on the WAN interface to block all IPv4 traffic (any protocol) to a single host, specified by IP address, where I entered the IP address of my host, but even after saving, applying and moving the rule to the top, my computer still has Internet access. Is that the right approach, and if so, do I also have to create another rule (something on the LAN side, or with NAT)? I know there are a hundred ways to skin the proverbial cat, but I'd like an elegant but simple approach. Thank you!

    Kamen



  • Sorry about this: it was actually quite easy, I just had the wrong IP address selected…
    Now, if there only was an easy way to designate the host by something a little more inflexible than the IP address... Like a MAC address or hostname, so I don't have to assign a static IP to it.

    Kamen



  • If this is your home setup, why not go with static mapping on your interface's DHCP server?
    Go to DHCP leases and hit "add static mapping", then enter your chosen IP and description and you're done. With static mapping you have better control of everything in the future. It reinforces your IP rules and you know every machine in detail. A lot of extra perks for the amount of time it takes. Leave the clients as is, they are fine at auto DHCP.
    With kids I found it handy because even with wireless access creds their friends still had to come to me to get out.
    DHCP was ignoring them or they were denied.
    Firewall Aliases can also use FQDNs for hosts or IPs. Make an Alias with the hosts you want to block. Eazy peazy. ;)



  • @webtyro:

    If this is your home setup, why not go with static mapping on your interface's DHCP server?
    Go to DHCP leases and hit "add static mapping", then enter your chosen IP and description and you're done. With static mapping you have better control of everything in the future. It reinforces your IP rules and you know every machine in detail. A lot of extra perks for the amount of time it takes. Leave the clients as is, they are fine at auto DHCP.
    With kids I found it handy because even with wireless access creds their friends still had to come to me to get out.
    DHCP was ignoring them or they were denied.
    Firewall Aliases can also use FQDNs for hosts or IPs. Make an Alias with the hosts you want to block. Eazy peazy. ;)

    Thanks. I'll consider static DHCP, but I have way too many devices to track them all, and I change routers too often to be doing that all the time. Yes, this is at my home and the blocking is for kids, but one reason I'm trying pfSense is because I'd like to have that deployed at work. Mostly for its VPN capabilities.

    I tried setting a hostname to an alias and using that in the rule, but it did not work. I tried just the hostname that shows up under "DHCP leases" and also fully qualified it with the domain (the one that appears in the address bar of the router): hostname.domain, but it is not working. It seems like the FQDN the documentation is talking about is of external Internet hosts.

    Overall, pfSense is very frustrating - it requires a lot of tweaking and trial-and-error. It's something you need to commit to in order to be able to use it right (e.g., never touch the quirky and clunky UI and just edit configurations and scripts), and I'm not sure it is good enough for me to make that commitment. Especially after what I thought its main advantage would be - performance - proved to be lacking.

    Kamen

    P.S. By the way, I just did some more testing and it seems like my firewall LAN rule based on a hostname alias would work but only after the states have been reset, not automatically, as the schedule kicks in. This defeats the purpose of the whole exercise. So, back to square one: is there a solution to this block-on-a-schedule thing, which all other routers can so easily do?
    K.



  • Schedule is discussed here. No sense going over again.
    https://forum.pfsense.org/index.php?topic=54071.0



  • @webtyro:

    Schedule is discussed here. No sense going over again.
    https://forum.pfsense.org/index.php?topic=54071.0

    To recap that thread: 4 pages of mostly people complaining that whatever they tried did not work, mixed with some advice that is often later refuted as wrong, all starting with older versions of pfSense, where things worked one way, but later they worked in another way; all this made worse by a serious lack of documentation. I'm sure one could find some documentation somewhere and get help somehow, but it seems to be quite a pain. The only thing I got from that thread (and others like it) is that I may need to have an unconditional "block" rule under the scheduled "pass" rule. I'll try that next.
    Kamen


  • Netgate

    In pfSense you pass on a schedule. You can also block on a schedule but when the scheduled time fires, existing states will not be killed.

    As soon as the pass rule on a schedule followed by a block rule is in place there will be no states to kill, because they will not have been created, because the block rule will be in effect when the schedule is not active. Manually killing the states is only required on the initial creation of the schedule, to get rid of any states that might already exist.
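    To make the difference between the two rule orders concrete, here is a toy model of the behaviour Derelict describes. It is an added example written for this thread, not pfSense or pf code: a first-match ruleset, a state table that is consulted before the ruleset, and the assumption that when a scheduled pass rule leaves its active window the states that rule created are torn down while states created by any other rule are left alone. The host address (192.168.1.50), the 06:00-19:59 allowed window and the destination addresses are made up for the illustration; `kill_states` stands in for `pfctl -k <host>`.

```python
"""Toy model of pf state handling under pfSense-style scheduled rules.

Constructed example (not pfSense or pf code): first-match rule evaluation,
a state table consulted before the ruleset, and the assumption that when a
scheduled pass rule leaves its active window the states it created are torn
down, while states created by any other rule are left alone.
"""
from dataclasses import dataclass, field
from typing import Optional

KID = "192.168.1.50"          # assumed LAN host to restrict
ALLOWED = range(6, 20)        # assumed schedule: Internet permitted 06:00-19:59
CURFEW = range(20, 24)        # the inverse window, used by the block-on-schedule variant


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    src: str                               # source host, or "any"
    active_hours: Optional[range] = None   # None = no schedule, always active

    def active(self, hour: int) -> bool:
        return self.active_hours is None or hour in self.active_hours

    def matches(self, src: str) -> bool:
        return self.src in ("any", src)


@dataclass
class Firewall:
    rules: list
    # state table: (src, dst) flow -> the pass rule that created it
    states: dict = field(default_factory=dict)

    def tick(self, hour: int) -> None:
        """Schedule transition: drop states whose creating rule is no longer active."""
        self.states = {flow: rule for flow, rule in self.states.items() if rule.active(hour)}

    def packet(self, src: str, dst: str, hour: int) -> str:
        """Evaluate one packet of a flow at the given hour; returns 'pass' or 'block'."""
        self.tick(hour)
        flow = (src, dst)
        if flow in self.states:            # existing state: the ruleset is not consulted
            return "pass"
        for rule in self.rules:            # first active matching rule wins
            if rule.active(hour) and rule.matches(src):
                if rule.action == "pass":
                    self.states[flow] = rule
                return rule.action
        return "block"                     # pfSense default deny

    def kill_states(self, src: str) -> None:
        """Stand-in for `pfctl -k <host>`: remove every state from this source."""
        self.states = {f: r for f, r in self.states.items() if f[0] != src}


def block_on_schedule():
    """Scheduled block rule above the LAN allow rule (the approach that fails)."""
    fw = Firewall([Rule("block", KID, CURFEW), Rule("pass", "any")])
    before = fw.packet(KID, "203.0.113.10", 19)           # pass, state owned by 'pass any'
    during_existing = fw.packet(KID, "203.0.113.10", 21)  # still pass: that state survives
    during_new = fw.packet(KID, "203.0.113.11", 21)       # block: only new flows are caught
    return before, during_existing, during_new


def pass_on_schedule_then_block():
    """Scheduled pass rule followed by an unconditional block (the recipe above)."""
    fw = Firewall([Rule("pass", KID, ALLOWED), Rule("block", KID), Rule("pass", "any")])
    before = fw.packet(KID, "203.0.113.10", 19)           # pass via the scheduled rule
    during_existing = fw.packet(KID, "203.0.113.10", 21)  # block: its state died at 20:00
    during_new = fw.packet(KID, "203.0.113.11", 21)       # block
    return before, during_existing, during_new


def stale_state_needs_manual_kill():
    """States that predate the rule pair are untouched until killed by hand."""
    fw = Firewall([Rule("pass", "any")])
    fw.packet(KID, "203.0.113.10", 21)                    # opened under the old allow-all
    fw.rules = [Rule("pass", KID, ALLOWED), Rule("block", KID), Rule("pass", "any")]
    still_open = fw.packet(KID, "203.0.113.10", 21)       # pass: old state still matches
    fw.kill_states(KID)
    after_kill = fw.packet(KID, "203.0.113.10", 21)       # block: ruleset finally applies
    return still_open, after_kill


if __name__ == "__main__":
    print("block on schedule:         ", block_on_schedule())
    print("pass on schedule + block:  ", pass_on_schedule_then_block())
    print("stale state, then pfctl -k:", stale_state_needs_manual_kill())
```

    The three functions reproduce the three situations in the thread: a scheduled block leaves an already-open connection running, the pass-then-block pair cuts it off when the window closes, and a connection opened before the pair was installed keeps working until its state is killed once by hand.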



  • @Kamen:

    @webtyro:

    Schedule is discussed here. No sense going over again.
    https://forum.pfsense.org/index.php?topic=54071.0

    The only thing I got from that thread (and others like it) is that I may need to have an unconditional "block" rule under the scheduled "pass" rule. I'll try that next.
    Kamen

    Yep! That is why I posted it. Not for the drama.



  • @webtyro:

    @Kamen:

    @webtyro:

    Schedule is discussed here. No sense going over again.
    https://forum.pfsense.org/index.php?topic=54071.0

    The only thing I got from that thread (and others like it) is that I may need to have an unconditional "block" rule under the scheduled "pass" rule. I'll try that next.
    Kamen

    Yep! That is why I posted it. Not for the drama.

    I appreciate the "teaching" aspect of it, but if a single, two-line post was the gist of it, I would have appreciated it even more if you could have recapped it for me (like Derelict did), or at least pointed straight to it, rather than making me read through a hundred useless posts.
    Kamen



  • Yah. Kind of mean to send you down that rabbit hole. Do you think being new to pfSense and trash-talking a program you know zilch about to guys who appreciate it for what it is will help?
    Your attitude above my linked post did bring out my impish tendency. ::)
    If you prefer the direct route, I could have mentioned there is a book, and RTFM!



  • @webtyro:

    Yah. Kind of mean to send you down that rabbit hole. Do you think being new to pfSense and trash-talking a program you know zilch about to guys who appreciate it for what it is will help?
    Your attitude above my linked post did bring out my impish tendency. ::)
    If you prefer the direct route, I could have mentioned there is a book, and RTFM!

    I've never trash-talked; it was constructive criticism, at best. I may be "new" to pfSense but not new to the world of IT and CS in general. I've been as nice as possible. The same cannot be said about you. And there isn't a good M to be RTF-ed, to begin with - that's where I started; one of the many problems. As for my attitude, it is that I always help with what I can, wherever I can. And if I can't, I just don't say anything.
    Kamen



  • Derelict has a link to the manual in his reply. It is well worth it and helps support the free firewall.
    And https://doc.pfsense.org/index.php/Main_Page may have more info.
    Not nice? Hmm, maybe I am getting snarky. Make you a deal: I will work on being a better human being if you hold off on the criticism until you have more time with pfSense.
    After all, it is free and the devs would appreciate our restraint. They do seem to be a hard-working group.



  • @webtyro:

    Derelict has a link to the manual in his reply. It is well worth it and helps support the free firewall.
    And https://doc.pfsense.org/index.php/Main_Page may have more info.

    Thank you! I noticed that, but it is $25, so I will consider buying it in case I determine that I will end up adopting the pfSense solution (I'm in the evaluation stage now). And I have been reading the wiki-manual, but it is quite incomplete. It's always my karma: whenever I need something, it is never among the routine cases… :-)

    Kamen

    P.S. I see you made an edit. :-)
    @webtyro:

    […]
    Not nice? Hmm, maybe I am getting snarky. Make you a deal: I will work on being a better human being if you hold off on the criticism until you have more time with pfSense.
    After all, it is free and the devs would appreciate our restraint. They do seem to be a hard-working group.

    All I can say is: I am a developer myself. I have created and offered software for free (one of the earliest OBD-II Windows programs). I don't know if the pfSense devs are being paid, but in my professional work I look for criticism so that I can improve it (honestly!). I may be a bit biased because my software is for industrial use (automation) and we just have to have the best quality, but this is just how I am. If a dev comes and asks me "hey, why do you think pfSense is lacking in performance", I'll come back with a solid presentation, with test results (which I already have), showing my experience - all in the hope that they'll investigate and either make improvements or confirm the limitation I observed.
    K.



  • Some are paid, some are not. Any help from you to the project would be appreciated, even by me. Beta testing alone speeds things along. Real bug finds are always welcome.
    Well, I hope you settle in with pfSense. I have not found any better program than this for what it is capable of and its cost.



  • @webtyro:

    Some are paid, some are not. Any help from you to the project would be appreciated, even by me. Beta testing alone speeds things along. Real bug finds are always welcome.
    Well, I hope you settle in with pfSense. I have not found any better program than this for what it is capable of and its cost.

    Then, I hope I hear from the developers. I already caused a bug report to be filed (even though I wasn't the one submitting it) with my very first post here. The only problem with that is that my time (and brain capacity) is very precious and the learning curve is a very important consideration in choosing my tools. I'm sure pfSense is very powerful; hell, pf is even more powerful, but you need to "make sense" of it, right? :-)
    Kamen