Netgate Discussion Forum

    Block rules don't work at all

    Firewalling
    11 Posts 3 Posters 1.4k Views
    • CaseyE

      Hello,

      I'm trying to get a speed limiter set up per this post, but I am having trouble getting it to work. As a first step, I tried configuring the firewall to block ALL traffic to 192.168.10.24, but I can't even get that working; the device at that IP still streams video flawlessly.

      I created a firewall rule under WAN to BLOCK ANY traffic with the destination IP 192.168.10.24 (screenshot attached). Why isn't this working?

      Thank you!
      pfsense-firewall.PNG

      • chpalmer

        You need to show your LAN firewall rules..

        Firewall rules work fine when configured correctly. Remember that rules are evaluated from the top down. So if a rule that allows everything is above a rule that blocks, the block rule will never work.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • CaseyE

          Here's my LAN rules.

          pfsense-LAN.PNG

          • chpalmer

            Your anti-lockout rule at the top trumps the block rule below it.


            • CaseyE

              I disabled that, and traffic is still going to 192.168.10.24 just fine. Attached new screenshot with anti-lockout disabled.

              pfsense-LAN-antilockou.PNG

              • chpalmer

                Did you kill your states after disabling that rule?


                • Derelict (LAYER 8 Netgate)

                  @CaseyE:
                  I'm trying to get a speed limiter set up per this post, but I am having trouble getting it to work. As a first step, I tried configuring the firewall to block ALL traffic to 192.168.10.24, but I can't even get that working; the device at that IP still streams video flawlessly.

                  What, exactly, is your LAN network IP address/netmask?

                  What, exactly, is the traffic you are trying to block?

                  Please be complete and specific.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • CaseyE

                    @chpalmer:
                    I did this under Diagnostics > States > Reset States, then checked the box that says "Reset the firewall state table" and hit Reset. The browser seems to hang after doing that, so I refresh the page to get back to the web GUI. Once I get back in, all of the 192.168.10.24 connections re-establish themselves, despite the above firewall rules being in place. Even if I filter for 192.168.10.24 and kill all the states that match this filter, they all come back after a few seconds. I've attached a screenshot of the states page.

                    @Derelict:

                    My pfSense router is located at 192.168.10.1. I believe the netmask is /24 (as defined in Interfaces > LAN > Static IPv4 Configuration).
                    I have a wireless AP at 192.168.10.2, which operates in AP mode.
                    I have a wireless client (a Roku Device), at 192.168.10.24. This is connected through the AP.

                    I want to implement speed limiters to limit the bandwidth that video streaming devices on my network can consume, per this post, but I was having trouble getting it to work. In order to test the firewall rules, I decided to BLOCK ALL traffic to a specific device (the Roku at 192.168.10.24), so I would at least know that the firewall rule was working correctly. Traffic is getting through just fine to 192.168.10.24, which means that something is wrong with my configuration.

                    states.PNG

                    • Derelict (LAYER 8 Netgate)

                      You cannot block traffic TO a device using the rules on the interface it is connected to.

                      You block connections FROM that device on that interface.

                      Place a rule on LAN at the top for traffic sourced from 192.168.10.24/32. Place the desired limiters on that rule. In/Out are Upload/Download, respectively.

                      https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                      https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting


                      • chpalmer
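A toy model of the two points made above, added here as an example (it is not code from the thread or from pfSense; the addresses and names are constructed). It shows why a LAN rule matching the Roku as *destination* never fires (LAN rules are evaluated on packets entering the firewall from LAN, where the Roku is the *source*), and why an already-established state keeps passing traffic until the state table is reset.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str = "any"   # source address, or "any"
    dst: str = "any"   # destination address, or "any"

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)

@dataclass
class Interface:
    """One interface's ruleset, evaluated top-down; first match wins.
    Packets are checked as they ENTER the firewall on this interface,
    so LAN only ever sees packets whose SOURCE is a LAN host."""
    rules: list
    states: set = field(default_factory=set)  # established (src, dst) flows

    def filter(self, src: str, dst: str) -> str:
        if (src, dst) in self.states:    # existing state bypasses the rules
            return "pass (state)"
        for rule in self.rules:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        return "block"                   # pfSense interfaces default-deny

    def reset_states(self) -> None:
        self.states.clear()

ROKU, INTERNET = "192.168.10.24", "203.0.113.10"  # constructed addresses

def demo_direction() -> tuple:
    """Roku streams: packets enter LAN with src=ROKU, dst=INTERNET.
    A block on *destination* ROKU never matches; on *source* it does."""
    casey = Interface([Rule("block", dst=ROKU), Rule("pass")])
    fixed = Interface([Rule("block", src=ROKU), Rule("pass")])
    return casey.filter(ROKU, INTERNET), fixed.filter(ROKU, INTERNET)

def demo_states() -> tuple:
    """A flow passed earlier keeps flowing until the state table is reset."""
    lan = Interface([Rule("pass")])
    lan.filter(ROKU, INTERNET)                           # creates a state
    lan.rules = [Rule("block", src=ROKU), Rule("pass")]  # fix the rule later
    before = lan.filter(ROKU, INTERNET)                  # still passes via state
    lan.reset_states()                                   # Diagnostics > States > Reset
    return before, lan.filter(ROKU, INTERNET)
```

Real pf also creates states for the reply direction, which this model leaves out; the ordering and direction behaviour is what it is meant to illustrate.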

                        @Derelict:

                        You cannot block traffic TO a device using the rules on the interface it is connected to.

                        You block connections FROM that device on that interface.

                        Yikes..  I missed that little error in his rules..


                        • CaseyE

                          Thank you, this worked!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.