How do I block traffic to a custom list of IP addresses, ranges, and domains?
-
I have a list of WAN IP addresses, IP ranges, and domains and I want to prevent computers inside the LAN from reaching them.
I tried creating an alias from Firewall > Aliases but I can't figure out how to feed that alias into Firewall > Rules.
I tried pfBlockerNG but it asks me to give it a URL for the list. Isn't there a way I can paste the list in the web UI?
-
For your IP addresses and ranges, you can create an alias and then use that alias as the destination in a block rule you put on LAN. For domains, you will need a URL filter like pfBlocker, squid/squidguard, snort or suricata.
-
I was able to block IP ranges with pfBlockerNG: Firewall > pfBlockerNG > IPv4 > (add), at the bottom of the page there is a "box" IPv4 Custom List where I pasted the IPs and IP ranges.
However, I want to see how I can do it using your way.
So I went to Firewall > Aliases and created my alias. Then I went to Firewall > Rules > LAN and used these options:
- Action: block
- Source: single host or alias "test_google"
(test_google is the alias I created)
Then I clicked Apply Changes and saw the message "The settings have been applied. The firewall rules are now reloading in the background."
But that didn't work. I was able to ping the IP in the alias test_google. When I used pfBlockerNG I couldn't ping it.
What did I do wrong?
-
I assumed you were trying to block LAN clients from getting out in general, when you were trying to block LAN clients from accessing particular IP space. You can't use aliases for domains that resolve to many IP addresses unless you know their ENTIRE netspace. To block those like Google, Facebook etc, you need a domain blocker like pfBlockerNG or the others I listed.
-
Can I use aliases to block IPs and IP ranges (no domains)? If yes, then how?
In my attempt I only tried to block a single IP.
-
You can block a range the same way you do a single IP (Firewall -> Aliases -> Add): an IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated. This is with the type staying as Host(s). Just keep hitting the Add Host button to enter a new IP / range until you are done. You can also change the type to Network(s); then an IP range such as 192.168.1.1-192.168.1.254 may also be entered and a list of CIDR networks will be derived to fill the range.
If you have a list of IPs to enter you can also hit the Import button, then paste the list into the "aliases to import" box. The list may contain IP addresses, with or without a CIDR prefix, and IP ranges.
Then in your firewall rule under destination instead of entering the IP, enter the alias name.
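Added example, not part of the post above and not pfSense's own code: a small Python sketch of the two expansions the alias editor is described as doing (a Host(s) alias becomes individual addresses, a Network(s) alias becomes the minimal set of CIDR blocks covering each range), followed by a first-match check of a LAN block rule that carries the alias as destination. The block list uses RFC 5737 documentation addresses, constructed here for illustration; the alias and rule names are hypothetical. It also shows why putting the alias in the rule's source, as in the earlier attempt, never matches a LAN client's outbound traffic.

```python
"""Illustrative reimplementation of alias expansion and a single LAN block
rule.  Not pfSense code; it only mirrors the behaviour the thread describes."""
import ipaddress

# Guard for the Host(s) type: it enumerates every address, so it is only
# meant for single IPs, short ranges and small subnets (assumed limit).
MAX_HOSTS = 4096


def parse_alias_entry(entry):
    """Return (first, last) for one alias entry: a single IP, a CIDR network
    or a 'start-end' range, the three forms the alias editor accepts."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {entry}")
        return start, end
    net = ipaddress.ip_network(entry, strict=False)  # bare IP -> /32 or /128
    return net[0], net[-1]


def expand_hosts(entries):
    """Host(s)-type alias: every entry is expanded to individual addresses."""
    hosts = []
    for entry in entries:
        first, last = parse_alias_entry(entry)
        count = int(last) - int(first) + 1
        if count > MAX_HOSTS:
            raise ValueError(f"{entry} expands to {count} hosts; use Network(s)")
        hosts.extend(str(first + i) for i in range(count))
    return hosts


def expand_networks(entries):
    """Network(s)-type alias: each entry becomes the CIDR blocks that exactly
    cover it (ipaddress.summarize_address_range does the derivation)."""
    nets = []
    for entry in entries:
        first, last = parse_alias_entry(entry)
        nets.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return nets


def _matches(addr, spec):
    """spec is 'any' or a list of CIDR strings (an expanded alias)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in spec)


def lan_rule_blocks(rule, src_ip, dst_ip):
    """Does this one rule on the LAN interface block a packet from src_ip
    (the LAN client) to dst_ip (where it is going)?"""
    return (rule["action"] == "block"
            and _matches(src_ip, rule["source"])
            and _matches(dst_ip, rule["destination"]))


# Constructed block list (RFC 5737 documentation space), pasted as the
# user would into the alias editor or the Import box.
BLOCK_LIST = ["203.0.113.10", "203.0.113.16/28", "198.51.100.1-198.51.100.10"]
BLOCKED_NETS = expand_networks(BLOCK_LIST)

# The rule the replies recommend: on LAN, source any, destination = alias.
CORRECT_RULE = {"action": "block", "source": "any", "destination": BLOCKED_NETS}
# The earlier attempt: alias in the source field.  A LAN client's address is
# never in the alias, so this rule matches nothing the client sends.
WRONG_RULE = {"action": "block", "source": BLOCKED_NETS, "destination": "any"}

if __name__ == "__main__":
    print("Host(s) alias  :", expand_hosts(BLOCK_LIST))
    print("Network(s) alias:", BLOCKED_NETS)
    for dst in ("203.0.113.20", "203.0.113.50"):
        print(f"192.168.1.50 -> {dst}: correct rule blocks={lan_rule_blocks(CORRECT_RULE, '192.168.1.50', dst)}"
              f", wrong rule blocks={lan_rule_blocks(WRONG_RULE, '192.168.1.50', dst)}")
```

Running it prints the 27 individual hosts the Host(s) type would generate, the 7 CIDR blocks the Network(s) type derives for the same list, and shows that only the rule with the alias as destination blocks a LAN client reaching 203.0.113.20, while neither rule touches traffic to an address outside the list.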
-
You made a rule that has SOURCE and DESTINATION as the same IP? Uhh… ?
-
Put the rule on LAN, not WAN. Source should be * or specific IPs on your LAN. Destination is your alias.
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
You made a rule that has SOURCE and DESTINATION as the same IP? Uhh… ?
Yeah, I thought I would be blocking inbound and outbound traffic to that IP. Then I saw this:
@KOM:
Put the rule on LAN, not WAN. Source should be * or specific IPs on your LAN. Destination is your alias.
And I realized that if I want to block inbound traffic I need to place a second rule in WAN.
Thanks to everybody who responded!
-