Prevent internet access to some devices



  • New to pfsense!

    Just bought a QOTOM Mini PC Q190G4 (4 lan ports + wifi).
    I managed to set up pfsense, created a bridge (3 ports + wifi = LAN), set up DHCP (ipv4 only). DHCP only allows registered clients (Deny unknown clients + Static ARP), so I assume no one can get into my network, unless registered (MAC + IP assignment).
    I have NOT created any rules on WAN or LAN (just default). I haven't installed any additional packages.
    The first LAN port is connected to a switch (netgear GS108Tv2), the second LAN port is also connected to a switch (netgear GS108Tv2), the third LAN port is connected to a raspberry pi (running pihole).
    DNS points (system/general setup) to the IP of the raspberry pi (needed to disable "DNS rebind check" on system/advanced/admin access for this to work)
    Everything seems to work, so I assumed: so far so good.

    Due to physical limitations, the devices I want to deny internet access (prevent call home) are distributed over the two switches (in different physical locations).
    Since I have assigned all static DHCP addresses, the IP addresses of the devices never change. Using "firewall/aliases", I've created an alias, with all the hosts in it, by IP address (total 8 hosts)
    I want to be able to connect to these devices from my LAN only, so I assumed I needed to create a floating rule; it looks like this:
    action: blocked
    interface: WAN
    direction: any
    address family: IPv4+IPv6
    protocol: any
    source: single host or alias: LanOnlyDevices (this is the alias with all the hosts)
    destination: any

    To test the rule, I added the IP address of one of my working computers, expecting to not be able to browse, but the rule doesn't seem to have any effect.

    What am I doing wrong?



  • It's recommended to select the inbound interface rather than the WAN. You may select multiple interfaces in floating rules by holding down the shift key. So you can select all interfaces the concerned hosts belong to in just one rule.
    Also you have to check the "quick" option to prevent further rules from being applied as well.



  • I can't get the floating rule to perform as I want, that is, access to all devices on the LAN from any DEVICE and prevent some devices from accessing the internet.
    I came up with this solution, this seems to work, but I wonder if it would be an "approved solution".
    Please have a look, feel free to comment.
    I changed the default rules on the LAN from allow to block and added two rules.
    The alias IPv4LanOnlyDevices contains the IP addresses that are NOT allowed to access the internet. Notice the ! (NOT).

    There should be a png attachment, not quite sure it will show up in the post (new to this forum, and no idea how to just drag and drop images into a post)



  • Rebel Alliance Global Moderator

    What are those rules supposed to do??

    source lan net dest lan net is pointless; at no time would a lan net device talk to pfsense to talk to another lan device.

    What exactly is ! (not) lan only devices supposed to be??  Why would devices that are not on your lan network be sending traffic to your lan interface???  Are you running multiple layer 3 networks on the same layer 2??  Do you have some downstream router in play?

    What are these floating rules you have created???



  • As I initially explained, I've got a 4 (four) interfaces hardware device + wifi. I've bridged all of the interfaces (except WAN), see screenshot. I then assigned the bridge to LAN (see screenshot).
    My security is based on the fact that I allow only registered DHCP clients (Deny unknown clients + Static ARP).
    The devices are on 2 (two) different switches, the switches are connected to the bridge, so traffic from a device connected to the first switch will always go through the bridge (LAN incoming) to reach a device on the second switch.
    I assume (that is how I understand it) that incoming traffic on the LAN (= BRIDGE) will be evaluated (rules).
    The first rule (Lan net to Lan net) will allow all devices on my internal network to communicate.
    The second rule (! IPv4LanOnly devices) will allow all devices NOT in the list (alias) to go everywhere (meaning also the internet).
    The third rule (the one I changed from default allow to block) will block the devices in the IPv4LanOnlyDevices list (alias)
    The fourth rule is for IPv6 (already changed that from default allow to block), but I haven't got IPv6 (yet), I still have a docsisv2 modem (from my ISP), not IPv6 capable.

    There are no rules on any of the other interfaces, apart from the default rules on the WAN interface. The floating rule that I mentioned in the initial post has been removed, as I could not get it to work.

    The goal here is to keep devices on my local network from calling home. I've read somewhere that some of these devices have a hard coded resolver, so DNS blocking is not an option.

    It may all look strange, but it is working, I just wonder if there is a better (approved) solution for this.
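    As an added illustration (not code from any participant in this thread, and not pfSense's own code), the following models how pfSense evaluates the LAN ruleset described above, top to bottom with first match winning, and contrasts it with the floating rule from the opening post. The usual reason a floating rule on WAN keyed on a LAN source alias never matches is that outbound NAT rewrites the source to the WAN address before the WAN-side filter sees the packet; the second scenario shows that. All addresses, the alias members and the sample packets are constructed for the example; the `Packet`, `Rule` and `evaluate` names are this example's own.

```python
"""
First-match rule evaluation for the pfSense LAN ruleset discussed in the thread:
  1. pass  LAN net -> LAN net
  2. pass  !IPv4LanOnlyDevices -> any
  3. block any -> any (IPv4)
plus a model of why a floating "block" rule on WAN matching the LAN alias as
source never fires for LAN-originated traffic (outbound NAT runs first).
Addresses and sample packets are constructed; nothing here is pfSense code.
"""
from dataclasses import dataclass
import ipaddress
from typing import Callable, List, Tuple

IPAddr = ipaddress.IPv4Address

# Constructed addressing: a LAN, the firewall's public WAN address (TEST-NET-3),
# and the thread's alias populated with two hypothetical LAN-only hosts.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDR = ipaddress.ip_address("203.0.113.10")
LAN_ONLY_DEVICES = {
    ipaddress.ip_address("192.168.1.20"),   # television
    ipaddress.ip_address("192.168.1.21"),   # printer
}
INTERNET_HOST = ipaddress.ip_address("198.51.100.5")   # TEST-NET-2, constructed


@dataclass(frozen=True)
class Packet:
    src: IPAddr
    dst: IPAddr


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    matches: Callable[[Packet], bool]
    name: str


def lan_ruleset() -> List[Rule]:
    """The three LAN rules from the thread, in the order they appear in the GUI."""
    return [
        Rule("pass", lambda p: p.src in LAN_NET and p.dst in LAN_NET,
             "LAN net -> LAN net"),
        # The "!" on the source inverts the alias match: any source that is
        # NOT a LAN-only device may go anywhere, including the internet.
        Rule("pass", lambda p: p.src not in LAN_ONLY_DEVICES,
             "!IPv4LanOnlyDevices -> any"),
        Rule("block", lambda p: True, "default block IPv4"),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Interface rules in pfSense are first-match: the first rule that matches
    decides; if none matches, the firewall's default deny applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"


def outbound_nat(pkt: Packet) -> Packet:
    """LAN -> non-LAN traffic leaving WAN gets its source rewritten to WAN_ADDR
    before any outbound filter on WAN sees it."""
    if pkt.src in LAN_NET and pkt.dst not in LAN_NET:
        return Packet(WAN_ADDR, pkt.dst)
    return pkt


def floating_wan_decision(pkt: Packet) -> Tuple[str, str]:
    """The opening post's floating rule: block on WAN, source = the alias.
    Evaluated against the post-NAT packet, so the alias can never match."""
    translated = outbound_nat(pkt)
    floating = [Rule("block", lambda p: p.src in LAN_ONLY_DEVICES,
                     "floating block on WAN, src LanOnlyDevices")]
    for rule in floating:
        if rule.matches(translated):
            return rule.action, rule.name
    return "pass", "no floating match (source already translated to WAN address)"


if __name__ == "__main__":
    tv = ipaddress.ip_address("192.168.1.20")
    printer = ipaddress.ip_address("192.168.1.21")
    pc = ipaddress.ip_address("192.168.1.50")
    for pkt in (Packet(tv, printer), Packet(tv, INTERNET_HOST), Packet(pc, INTERNET_HOST)):
        print(f"LAN rules  {pkt.src} -> {pkt.dst}: {evaluate(lan_ruleset(), pkt)}")
    print(f"Floating   {tv} -> {INTERNET_HOST}: {floating_wan_decision(Packet(tv, INTERNET_HOST))}")
```

    Running it shows the television reaching the printer through rule 1, a normal PC reaching the internet through the inverted alias rule, the television's internet traffic falling through to the block rule, and the WAN floating rule passing the same television traffic because it only ever sees the translated source. The ordering matters: swapping rules 1 and 3 would block LAN-only devices from the LAN as well.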





  • Rebel Alliance Global Moderator

    " I've bridged all of the interfaces (exept WAN)"

    Yeah good luck with that - out of here.. You can not fix stupid, and I don't want to spend any time trying..  You want switch ports, get a freaking switch.

    "a hard coded resolver, so DNS blocking is not an option."

    Huh.. That would be exactly how you block a resolver… rolleyes..

    "It may all look strange, but it is working,"

    Doing what exactly??  I have no freaking idea..



  • If there is a better way to do it, I'm happy to learn, but it is what I found on the internet.

    If you could point me to a setup that is not "stupid", that would be much appreciated.

    Thank you for your time and effort.


  • Rebel Alliance Global Moderator

    "but it is what I found on the internet."

    Fing where???  Not here that is for freaking sure..

    For starters if you need switch ports get a switch!!  2nd please explain what you want to do and I'd be happy to point out a non stupid way to accomplish it.. 3rd - you want all your devices on the same layer 2???  All your wifi??  You don't want your wifi and guest wifi?  All your iot devices you want all on the same layer2?  What exactly do you want from phoning home??  What sort of devices?  Or is it software?

    I see 4 interfaces.. That you would bridge them is just nuts..  Those make great network interfaces for your different network segments/vlans - they make a HORRIBLE switch!!!

    How many devices do you have on your network?  Wired and wireless?



  • I found the instructions to create the bridge here: https://forum.pfsense.org/index.php?topic=48947.0, entry of stephenw10.

    The devices are a mixture of internet capable things (television, phone, PS3, WiiU (wifi only), raspberry pi running raspbian, windows 10 computers, 8 port netgear switches (2), network printer, dreambox, …)

    The switches are in different physical locations, so are the devices.

    I want to be able to get to any device from any (capable) device. Example: I want to be able to use DLNA on the television over the network, but I don't want the television to be able to get to the internet. I obviously want to be able to print on the network printer, but I don't want the printer to be able to call home. I want to be able to manage my switches, but don't want them to get firmware updates from the internet.
    The general idea is simply to prevent some devices from connecting to the internet, but they need to be accessible from the LAN.

    Since the pfsense box has 4 ports (one obviously used as WAN), I want to connect the switches (2) directly to the pfsense box. I just connected the raspberry pi to the remaining port, as I needed the extra port on the switch.

    Currently I'm using a single class C private network 192.168.x.0/24, not using VLANs.


  • Banned

    @jpgsense251:

    Currently I'm using a single class C private network 192.168.x.0/32

    Huh? That's a single IP.


  • Rebel Alliance Global Moderator

    "but don't want them to get firmware updates from the internet."

    Never in some 35 years working with computers - before there were even "switches" have I seen a switch that would on its own upgrade its firmware..

    "I want to be able to get to any device from any (capable) device. "

    That has nothing to do with the devices having to be on the same layer 2.. All that means is you have to allow the ports/protocols you want device A to use to talk to device B on a different network/segment in the firewall (pfsense).

    "I want to be able to use DLNA on the television over the network"

    So every single device of yours needs to use DLNA off your TV.. For example your printer?  Or you want your TV to use dlna to find where you serve your movies/videos/music off of?  If so what is that - why can that device not just be on the same L2/L3 as your TV?  DLNA discovery would normally be on port 1900.. (SSDP) and is multicast so yes this could be a problem across segments.. The avahi package could prob help with that.

    Design of what network segments make sense, what devices best fit can be a challenge for those that don't really understand networking or the protocols in use to make everything work..  Putting everything on the same network is the simple way - but it sure as F is not a secure way to go about it..

    You clearly have a slow internet connection if you're still on docsis 2.. And if you want everything on the same network you have Zero use for more than 1 interface on pfsense for your "lan" network..  Trying to create a bridge to leverage a NIC in pfsense is going to be slower than a switch port, and more complicated.  For someone that doesn't even know what an IP address or network mask actually is (from your example of what network your using 192.168.x.0/32) This is not what I would suggest.

    So plug in your 2nd switch to your 1st switch and your first switch into pfsense LAN..  Or get another switch, preferred smart so you can do vlans at some future date - plug both your dumb switches into it and it into pfsense lan port.

    As to allowing or blocking devices to the internet - this is simple firewall rules.  First you're going to want to use dhcp reservations for your devices so they always have the same IP, or set up the IP on them static.. So for example if you do not want your TV to get to the internet a simple rule blocking your TVs IP would be all that is required.  If you have multiple devices you don't want to use the internet..  You could create an alias and use that in your firewall rules and put all the devices IP in that alias.

    Or simpler solution if your devices don't need internet access, and you're going to be on the same L2/L3 network - then just don't give them a gateway.. Ie pfsense IP and they could never go anywhere other than the local network for anything!!



  • @johnpoz:

    Never in some 35 years working with computers - before there were even "switches" have I seen a switch that would on its own upgrade its firmware..

    I agree and Netgear GS108Tv2 for sure doesn't.

    Or get another switch, preferred smart so you can do vlans at some future date - plug both your dumb switches into it and it into pfsense lan port.

    Netgear GS108Tv2 are smart and VLAN-capable.


  • Rebel Alliance Global Moderator

    Well that makes it good for future use - since he seems to want everything on the same layer 2 those smart switches are not doing much ;)