Block All devices on LAN going through Pf-sense expect certain devices



  • Due to recent Ransom-Ware attacks I am wanting to setup a firewall between my QNAP and the rest of our LAN.

    I want to have set it up in a way where Only my backup servers can access the QNAP through the firewall. I currently have one pf sense setup to for external purposes but I am wanting to setup a basic internal firewall just to block all devices accessing our QNAP.

    Looking into it I know I can use pf sense to filter out the odd device if it is trying to talk to said QNAP IP but is there any way to do this for all devices but put exceptions in there for specific devices.

    If there are any better ways of this please let me know as I am not the best with Pfsense.



  • Add the devices which should be allowed to access the QNAP to an alias.  Firewall > Aliases > IP
    Then add a block rule to the LAN interface, set protocol to any. At source check "Invert match.", select "Single host or alias" and enter the alias name at the right side. At destination also select "Single host or alias" and enter the QNAP IP. Set a description and save it and put the rule to the top of the LAN rule set.



  • That is brilliant, I will take a look into this.

    Thanks



  • One other question could I schedule it to block all access at certain times of day?



  • Yes, of course, but not with that rule I suggested above.
    A block rule isn't suitable for scedules, cause it doesn't kill existing connections when it takes effect. Only new connections will be blocked.
    For scheduling use a pass rule.

    There are different way to accomplish this, the best depends on your other rule. However, this should work:
    Edit the block rule you've added first, uncheck "Invert match." at source and set it to "any", modifiy the description if you want and save it. Then add a pass rule to the top of the LAN rule set, set the protocol to fit your needs (TCP only will be fine, I fink), at soucre select "Single host or alias" and enter the alias name for the permitted hosts. Set your schedule in the advanced options and a description.


Log in to reply