(Solved) Want to block certain LAN clients from accessing WAN



  • Hello, I'm new to pfsense and in the process of replacing a dedicated Zyxel security appliance with a DIY pfsense appliance due to a limitation of utilizing the full extent of ISP provided bandwidth; paying for it, but not getting it. Temporarily I'm using an old DIY computer that has more CPU power, Memory and HDD space than the Zyxel.

    Today, I was playing with a pfsense v2.3.5 32bit install; 32bit hardware. And was trying to deny WAN access to several client machines on the LAN to no avail. I gave them static IP's and alias's for quick identification, but one of them notorious for contacting, (seemingly), every site in the world, even when it's turned off, kept accessing the net despite my firewall rules.

    I first tried specifying the client machine IP/Alias and WAN only, with all else "ANY"
    then tried only specifying the client machine IP/Alias and all else "ANY" and neither locked the machine down, instead allowing it to roam the WWW as it usually wants to do. The Zyxel has no problem gagging it's big mouth. I'm beginning to think pfsense is more complicated than it needs to be; just for the tinkerers???

    Any questions/suggestions/enlightenment will surely be appreciated?

    TIA!



  • @rainmistme On the lan interface, you need to deny specific ip or alias access to ANY.
    This is how it works. You always control a packet the moment it enters an interface.
    As for the answer packet, it is handled behind the scenes, no need to specify anything



  • Thanks much Netblues! Yeah that's what I thought and did, as I mentioned above. I figured it would be the same as my current Zyxel appliance. But it didn't work. The Zyxel instantly applied any changes I made, once I clicked on a button. Does the pfsense software require being stopped and restarted for it to register the changes? I didn't think it should, because it has both a "save" button and a "do it" button, though for the life of me I don't know why two buttons are required. The Zyxel has one "click me" button that does both things at the same time, saving to the config file & making it active.

    Is there anything that might be causing it to get past the firewall? I'm pretty much using the default configuration.

    TIA!



  • First you save and then you apply and thats it.
    (it is usefull for more complicated tasks that take many steps, which if not done together would lead to issues)
    It is also important to see where you have the rule.
    pf matches rules top to bottom.
    In a new pf install there is a default rule allowing everything at the top.
    If you place rules below that, the allow all will match first, making the rest irrelevant.



  • Thanks again netblues! But again I already know that much. The only rule above mine is the one anti-lockout rule which can't be moved. I moved the other two default rules below mine, one of them being the one you're talking about; Allow "LAN net" any.

    Could it be the fact that I have 4 NIC's on my system, two of which are the exact same models. There are two built into the MB. One is an nVidia the other a 3com, which are spares and not used. The other two are Netgear GA311's. One of which I'm using for the WAN and the other for the LAN. Since they use the same drivers, I was wondering if the pfsense software could keep them separate. Of course I realize that the fact that they have different MAC's should allow the pfsense firewall to sit between them. A long shot I know, but I really don't understand why it's allowing access to the Net since my rule seems to be setup properly and in the correct sequence.

    Remember this is a temporary setup. Once I get the Xeon 64bit 16 core CPU/supermicro server MB combo with Intel NIC's I'm hoping either pfsense v2.4.3/v2.4.4 will do a much better job. I plan on using Suricata which is why I want 16 threads, and some serious CPU power. I want a sustained 200Mbps with room to grow. Also running OpenVPN, though I'm thinking I'll keep it on the client machines for more flexibility.

    Tomorrow I'll play with it some more, switching NIC's and such. Actually I'm still in the testing phase. Though even with this temp setup I'm getting much better throughput. The single thread CPU has 5.5 times the speed of the Zyxel appliance even though the pfsense software consumes more processor power. Of course I won't run this temp pfsense appliance until I can isolate a few of my client machines from accessing the WAN.

    Again, thanks for your time, at my age I can really appreciate someone giving theirs! ;-)



  • No... pf wont mix interfaces like that in any case. The moment you are past interface assignement (done at initial setup) this is finished.
    There are counters beside the rules, counting states and bytes matced for each rule. So if a rule is not being utilised, then no states, no bytes.
    Having said that, after applying new rules, which seem not to work, go to diagnostics, states and do a full states reset.

    There is nothing else in denyig an ip access to somewhere. (unless of course you are filtering the wrong ip, the client has more than one, and this kind of stuff).

    As for openvpn, keeping it on the clients isn't a very good idea too, since they will be unmanaged.



  • Thanks for your knowledge on pfsense, though I would remind you of JTB, the Gettier problem and what it teaches us about supposition/certainty.

    Thanks, but yet again, I already knew about the states, thanks to the online documentation. Of course I cleared them and watched them reappear before I decided to ask for help here on the forum. Yep, I'd clear them, do a page refresh, see that they were gone, then do another page refresh and watch them reappear. I have no clue what's going on. But of course it doesn't lend to a very good first impression. Nope, correct IP. Nope, only one IP.
    Yep, I verified the SHA256 checksum before installing.

    As far as the openvpn thing goes, we'll have to agree to disagree. I prefer to control my life rather than having it controlled. I hate background anything, when it comes to computing. I liken it to complacency.

    Thanks for your time. I'll figure it out, '...with a little help from my friends...'

    I'll let you know if/when I figure it out, whether it's my folly or not. ;-)



  • If you want help with firewall rules, show your rules with a screenshot. Everything else is just wasting time.



  • @netblues Looks like I should have taken my own advice about JTB, specifically the Gettier Problem. I can't be certain, but I believe I may have mistaken an IP for the one I was looking for. So netblues you may have hit the nail on the head. I can't be certain, but it's the only thing that seems probable.

    Again, thanks for your time and energy!



  • @grimson Thanks for your time, but I usually don't trust people enough to send screen shots. I usually don't want anyone to know 'anything' about my firewall settings.

    But it's solved so unfortunately I'm afraid you've wasted your time. Sorry for that.

    I tend to not respond to anyone I really don't want to help, so as to alleviate such "wasted time," if in fact I decide to deem it such. Though I usually don't see helping someone as wasted time. We each decide for ourselves what is and is not wasted time, as such we each should act accordingly. I would hope that everyone understands this fact, because it'll usually yield more happiness during ones lifetime.

    Have a good one my friend! And thanks again for your time!