Block internet access on some machines belonging to LAN

  • Hello all,

    I have a LAN and i want to block the internet access on some machines. I would prefer to keep the same subnet and DHCP server.

    Initially i tried to mark the special machines by MAC address, but as i discovered there is no such thing in pfSense.

    Other idea was to group those special machines on vlan 20 and create a new interface, but unique subnet is a mandatory property of interface.

    Can anybody help me?

    I would appreciate any help.

  • Make a rule on the LAN that blocks traffic from this host's IP (or make an alias that contains those hosts) from going anywhere but the local network (you'll use the negate feature of the destination network option in the rule settings.)

  • LAYER 8 Global Moderator

    Just put the rule that blocks access for your IPs above the default lan rule of any any.

  • You need to setup static DHCP leases for these machines. You can find that in Services -> DHCP Server, all the way at the bottom. You need to know the MAC Addresses of these computers to put them in a static lease. Their static IP addresses need to be OUTSIDE your DHCP server range.

    After you give them static addresses, you should put them all into an Alias, that's located under the Firewall tab. By adding them all to an Alias, is makes it really easy to add this group to a single firewall rule.

    Next, make an Alias that contains private networks (the ones we all use INSIDE our firewalled networks). That alias should have these 3 networks in it:,, and You can name this alias whatever you want, but make sure to set the type to Network(s).

    So, then you need to make a single block rule on your LAN interface like this:

    Action: Block
    Interface: LAN
    Address Family: IPv4
    Protocol: Any
    Source: Single host or Alias (pick the alias you made for your computers)
    Destination: Invert Match, Single Host or Alias (pick the alias you made for private internets)

    Give it a good description name and save. Make sure this new firewall rule is above the "allow lan to any rule" in the rule list.

    If you've got a lot of rules on your LAN, you should probably restart the rules, reset the states on the "allow lan to any" rule, or even reboot the firewall. But, that might not be necessary. Give it a try and see what happens.

    So, what all of this does is this: you set your internal machines to have static IP addresses, you put them in an alias, you add all private internets to an alias, then you make a rule that says block all internal machines in this alias to all networks that are NOT private networks. This lets you still get access to internal machines/networks, like servers and such, and should work perfectly for blocking these machines from getting out to the internet. It did for me, after I set it all up and tested.


  • Thank you all, especially @akuma1x for detailed description.

Log in to reply