• Please let me know if I got this right, or what could be done better. Here's what I'm trying to do:

    1. Block internet access for select devices on the LAN. I've created an alias for those devices (cls_NoInternet). Alternatively, I could create an alias of devices that need internet access and block all others (it doesn't matter to me which approach; whatever works best).

    2. Devices with internet access should only be able to access destinations in approved regions. Using pfBlockerNG, I've created an "Alias Permit" and the corresponding firewall rule below.

    3. Also using the DNSBL feature of pfBlockerNG with various block lists. So, I've created rules to block all port 53 requests except the pfSense DNS resolver.

    Here's what I've done (screenshot):
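The three-step ruleset above depends on first-match ordering on the LAN interface, which is where a misplaced rule silently undoes the intent. The following is an added example (not the poster's screenshot, configuration, or pfSense code) that models that evaluation: the alias name cls_NoInternet comes from the post, while cls_Permit (standing in for the pfBlockerNG "Alias Permit" of approved-region networks), the 192.168.1.0/24 LAN, and the documentation-range destination addresses are constructed for the illustration. It also includes a deliberately misordered copy of the rules to show that the block rule loses its effect when it sits below the permit rule.

```python
"""First-match evaluation of a LAN ruleset like the one in the post.

Added example, not the poster's configuration or pfSense's own code.
cls_NoInternet is the alias named in the post; cls_Permit and every
address below are constructed for this illustration.  Protocol (TCP/UDP)
is omitted to keep the model small; only source, destination and
destination port are matched.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (private LAN + RFC 5737 documentation ranges).
LAN_NET = [ip_network("192.168.1.0/24")]
FIREWALL_LAN_IP = [ip_network("192.168.1.1/32")]   # the pfSense DNS resolver
ANY = [ip_network("0.0.0.0/0")]
ALIASES = {
    # Devices that must not reach the internet (alias name from the post).
    "cls_NoInternet": [ip_network("192.168.1.50/32"), ip_network("192.168.1.51/32")],
    # Constructed stand-in for the pfBlockerNG permit alias of approved regions.
    "cls_Permit": [ip_network("203.0.113.0/24")],
}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: List[IPv4Network]
    dst: List[IPv4Network]
    dport: Optional[int] = None  # None matches any destination port
    dst_not: bool = False        # True inverts the destination match ("! LAN net")
    name: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        dst_hit = any(dst in n for n in self.dst)
        if self.dst_not:
            dst_hit = not dst_hit
        src_hit = any(src in n for n in self.src)
        return src_hit and dst_hit and (self.dport is None or self.dport == dport)


# Rules in evaluation order for the LAN interface.  pfSense evaluates
# top-down, first match wins, and traffic matching nothing is denied.
LAN_RULES = [
    # 1. NoInternet devices may not leave the LAN (destination "! LAN net"),
    #    so they can still reach the firewall's resolver but nothing beyond it.
    Rule("block", ALIASES["cls_NoInternet"], LAN_NET, None, True, "block cls_NoInternet"),
    # 3. Only the firewall's own resolver may be asked for DNS; all other
    #    port-53 traffic from the LAN is dropped before any permit rule.
    Rule("pass", LAN_NET, FIREWALL_LAN_IP, 53, False, "allow DNS to resolver"),
    Rule("block", LAN_NET, ANY, 53, False, "block other DNS"),
    # 2. Everything else from the LAN may only go to approved regions.
    Rule("pass", LAN_NET, ALIASES["cls_Permit"], None, False, "allow approved regions"),
]

# Same rules with the NoInternet block placed after the permit rule: a
# common mistake that makes the block rule unreachable for permitted dests.
MISORDERED_RULES = LAN_RULES[1:] + LAN_RULES[:1]


def evaluate(src: str, dst: str, dport: int,
             rules: List[Rule] = LAN_RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return "block", "implicit default deny"


if __name__ == "__main__":
    for src, dst, port, rules in [
        ("192.168.1.50", "203.0.113.10", 443, LAN_RULES),
        ("192.168.1.50", "192.168.1.1", 53, LAN_RULES),
        ("192.168.1.20", "203.0.113.10", 443, LAN_RULES),
        ("192.168.1.20", "198.51.100.5", 443, LAN_RULES),
        ("192.168.1.20", "198.51.100.53", 53, LAN_RULES),
        ("192.168.1.50", "203.0.113.10", 443, MISORDERED_RULES),
    ]:
        print(src, "->", dst, port, evaluate(src, dst, port, rules))
```

The last case is the one worth checking on a real box: with the block rule beneath the permit rule, a cls_NoInternet host reaching a permitted-region address is passed, because the permit rule matched first. The DNS pair shows why the port-53 block must also sit above the region permit rule; otherwise a client pointed at an outside resolver in an approved region would bypass DNSBL entirely.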

  • Nope

    On the LAN interface your source would be LAN Net.

  • Dest of LAN net from LAN is pointless.

    So you want your device on LAN to only go to places that are in N. America... Wow, that is going to limit your internet ;)

    The only reason to change your source to any on LAN would be if you have downstream networks using the LAN as a transit.

  • Thank you. Does this look better?

    This particular network isn't for general internet browsing, so NA is fine for starters. I may tweak the allowed destinations over time, and/or install Snort.