How to block Internet access for some PCs while they should have access to some wildcarded domains?



  • Hi,
I have a customer who has a local network. There are approx. 25 PCs on this network with static mappings in DHCP. Some of these PCs should have Internet access and others shouldn't. But all PCs should have access to *.webrootcloudav.com since they run antivirus which should have access to the Antivirus Web Console to update and report.

    I have solved the first part this way:

    • created a BLOCK alias in Firewall -> Alias -> IP and put all PC IPs with denied access to Internet on it.
    • created a block rule in Firewall -> Rules -> LAN and used BLOCK alias in Source field.
    • placed this rule at the top of the list.

    Everything works fine until here. Some PCs have full Internet access while others (those included in BLOCK alias) have no access at all.

    Now, how to allow PCs on a BLOCK alias list to have access to *.webrootcloudav.com?
    I found on the Internet that I should use pfBlockerNG for that, but was not able to make it work as I needed. Is this definitely the only and/or easiest way to allow access to wildcarded domains in my scenario?

    Any thoughts and/or experiences on the subject would be greatly appreciated.
    Thanks, Robert


  • Netgate Administrator

    If you're blocking by IP like that you will need to pass by IP also and that's difficult since you will need some way to resolve the IPs to something you can work with.
    You might be better off blocking access with DNS to those clients. That would not prevent connecting using hard coded IPs though.

    Steve
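
The following is an added illustration, not configuration from either poster or from pfSense itself: a pf ruleset sketch of the alias-plus-block approach Robert describes, with the extra pass rules that would have to sit above the block, and the gap Steve points out built in as a comment. The interface name, the sample LAN addresses, the BLOCK table members, the WEBROOT_AV table name and the port 443 are all assumptions. pfSense generates rules of this shape from the GUI; because every rule carries "quick", the first match wins, which is why the exceptions must come before the block.

```pf
# Added example (not from the thread or from pfSense): how the described
# alias/rule setup looks as raw pf, and where a wildcard-domain exception fits.
# Interface, addresses, table members and port are assumptions.

lan = "em1"

# Source alias from the question: PCs that must not reach the Internet
# (constructed sample addresses).
table <BLOCK> { 192.168.1.50, 192.168.1.51, 192.168.1.52 }

# Destination alias for the antivirus console. An IP firewall cannot match
# "*.webrootcloudav.com" by name: something (pfBlockerNG, or a scheduled
# resolver job) has to keep this table filled, and the firewall only ever
# sees the addresses that were resolved at fill time. A hostname that
# resolves to a new address later is blocked until the table is refreshed.
table <WEBROOT_AV> persist

# 1. Blocked PCs still need DNS from the firewall itself, otherwise the
#    domain can never be resolved in the first place. "to $lan" matches the
#    addresses of the LAN interface.
pass in quick on $lan proto { tcp udp } from <BLOCK> to $lan port 53

# 2. Exception for the resolved console addresses (port 443 assumed).
pass in quick on $lan proto tcp from <BLOCK> to <WEBROOT_AV> port 443

# 3. Everything else from the BLOCK group is dropped. This must stay below
#    the two exceptions and above the general LAN pass rule.
block in quick on $lan from <BLOCK> to any

# 4. Remaining LAN hosts keep their normal access.
pass in quick on $lan from $lan:network to any
```

Two things to keep in mind when checking a setup like this: the table can be inspected with `pfctl -t WEBROOT_AV -T show` to confirm the resolver job actually populated it, and, as Steve notes, resolving names into an IP table (or filtering at the DNS level instead) does nothing against a client that connects to a hard-coded address, so a DNS-only scheme is a convenience control rather than a hard boundary.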

