Best Way How To: Block Lan machine from accessing internet?

  • I have a machine on my LAN that should NEVER be allowed to access the internet.  What is the best way to accomplish this?

    The machine should NEVER be allowed to send any traffic out the WAN, and NEVER be allowed to receive traffic from the WAN.

    Would appreciate a quick rundown of what I need to do to accomplish this.  Thanks!

  • Rebel Alliance Developer Netgate

    It should be an easy matter of adding a block rule to the top of your LAN tab.

    Block <any proto="">from <that lan="" ip="">to *

    If it can't go out, it won't be able to get anything back in.</that></any>

  • As Jimp said: Block the IP address of this machine on the LAN Tab and add a block to this machine's IP on the WAN Tab.

    For even more security, put this machine on a separate LAN/VLAN and disallow traffic from this machine to other machines on your network that have access to the internet to prevent circumvention of your blocks. It is needless to say that your machine definitely should have a static IP address that cannot be changed by any users of this machine.

    In case you really need this machine to access other computers on your network, allow only the Ports that this machine needs to access. Be especially careful with Telnet or SSH protocol, as this can be used to circumvent your block by using another machine on your network. Same holds for p2p software like Skype or bittorrent. Don't install such software on this machine.

    However, the best security you get by unplugging the machine from your network :-)

  • How about just removing its default gateway in its own TCP/IP settings?

  • What about in A DHCP environment, like a hotel, airport, ect.

    It would be cool to have some kinda of MAC to IP Address tracking, so a mac address could be added to the firewall, and no matter what IP address it got, would still be blocked.

    You can do this manually, but is not very efficient.


  • Rebel Alliance Developer Netgate

    The problem with tracking my MAC is that is can also be spoofed, and if the person really wants to, they could stick a cheap broadband router in front of their PC and really change the MAC.

    I thought someone said MAC filtering might be coming in 2.0, but don't quote me on that one.

  • What about in A DHCP environment, like a hotel, airport, ect.

    As you probably would give them some Internet access.
    low level restriction = OpenDNS
    next level = Squidguard
    next level = add a untangle box
    next level = just give them a switch :D cnr

  • Rebel Alliance Developer Netgate

    Captive portal can also help in a Hotel/Airport/Hotspot environment as well

Log in to reply