Basic IP blocking rule

  • Hi all,

    I thought I understood firewalls until now. I've been doing a lot of reading and I'm not quite sure what to do.

    I understand there is an implicit rule to block all, hence the "Default LAN -> any" rule that is created upon installation to allow all out of the LAN:

    Default LAN rule

    Action  Proto  Source   Port  Dest  Port  GW  Sched  Desc
    Allow   *      LAN net  *     *     *     *          Default LAN -> any

    I've tried to make a rule to block a specific IP from accessing the internet, but none work. I'm thinking that if I want to block a specific IP, I need to create a rule that allows all the IPs I want (alias) excluding the IP I want blocked and then delete the Default LAN -> any rule. Is this correct?

    Allowed IP rule

    Action  Proto  Source          Port  Dest  Port  GW  Sched  Desc
    Allow   *      Alias (on LAN)  *     *     *     *          Allowed IPs (LAN) -> any

    I'd like to use a schedule to specifically allow this IP like so, if I'm on the right track.

    Blocked IP LAN rule

    Action  Proto  Source  Port  Dest  Port  GW  Sched     Desc
    Allow   *      IP      *     *     *     *   IP sched  Blocked IP (LAN) -> any

    Seems like adding a rule to the default rule would/should work, but I just can't get that to work, even after rebooting and/or resetting states. I'd appreciate some help, thanks.


    pfSense version 1.2.1


    Internet <-> Cable Router <-> PFSense/DHCP/TrafficShaper <-> LAN (

  • You have the right thinking, just remember that rules are executed in the order that they appear, so the first rule that matches the condition will be executed. So if you want to block a specific IP from accessing the internet or whatever, just make sure that it is above the rule that allows all traffic on that interface out.

    Good Luck.

  • Thanks for the reply.
    I got it to work for a few days, then had some other unrelated problems that warranted a reinstall. Glad I understand the concept though. ;)


  • Hello,
    I'm also trying to restrict internet access to certain IPs. I don't think I'm creating the rule properly; I'm attaching a screenshot of my rule to block certain IPs.

    Any help will be appreciated.

    PS: this rule is listed before the default rule that allows all of LAN to the internet.

  • Got it… apparently it had to be TCP/UDP, not just TCP.
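To illustrate the two points this thread turns on, first-match rule ordering (from the reply above) and a block rule that lists only TCP letting UDP through (from the last post), here is an added Python model of how the LAN rule list is evaluated. It is example code, not pfSense's own; the LAN subnet, the blocked host address and the rule names are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values, not taken from the thread's screenshots.
LAN_NET = "192.168.1.0/24"
BLOCKED_HOST = "192.168.1.50"


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "*", "tcp", "udp" or "tcp/udp"
    source: str            # source IP or CIDR (the rule's Source column)
    desc: str              # the rule's Desc column
    sched_active: bool = True  # a rule whose schedule is inactive is skipped


def proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    """'*' matches anything; 'tcp/udp' matches either protocol."""
    return rule_proto == "*" or pkt_proto in rule_proto.split("/")


def evaluate(rules: list[Rule], src_ip: str, proto: str) -> tuple[str, str]:
    """Walk the rule list top to bottom; the first match wins.
    No match at all falls through to the implicit default deny."""
    for r in rules:
        if not r.sched_active:
            continue
        in_src = ip_address(src_ip) in ip_network(r.source, strict=False)
        if in_src and proto_matches(r.proto, proto):
            return r.action, r.desc
    return "block", "implicit default deny"


def lan_rules(block_proto: str = "tcp/udp", block_first: bool = True,
              sched_active: bool = True) -> list[Rule]:
    """Build the LAN rule list: the block rule and the Default LAN -> any rule."""
    block = Rule("block", block_proto, BLOCKED_HOST,
                 "Blocked IP (LAN) -> any", sched_active)
    allow = Rule("pass", "*", LAN_NET, "Default LAN -> any")
    return [block, allow] if block_first else [allow, block]


if __name__ == "__main__":
    # Block rule below the default allow: it never gets a chance to match.
    print(evaluate(lan_rules(block_first=False), BLOCKED_HOST, "tcp"))
    # Block rule above it, but TCP only: the host's DNS (UDP) still passes.
    print(evaluate(lan_rules(block_proto="tcp"), BLOCKED_HOST, "udp"))
    # TCP/UDP block above the default allow: both protocols are stopped.
    print(evaluate(lan_rules(), BLOCKED_HOST, "udp"))
```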

