SG-1100 not blocking traffic when creating firewall rule on WAN or LAN



  • I recently set up static assignments on devices throughout our house with the intention of being able to block internet access on demand for my children. I am currently testing on our living room TV, but regardless of the interface I choose to create the rule on (WAN/LAN) and enable it, the device is still able to stream Netflix/YouTube and other applications without issue. This particular device is a living room TV which is connected directly via Cat6 cable to my wireless router, which is in bridged mode set to simply push wireless, and then to the SG-1100. I have attached screenshots below:

    [two screenshots attached]


  • LAYER 8 Netgate

    Your WAN rule is useless. Firewall rules generally operate on traffic originating from devices on the interface the rule is on.

    https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-troubleshooting.html

    A block rule will not kill any established states. You might want to flush all states after making rule changes when testing. Diagnostics > States, Reset States



  • I created the WAN rule as an afterthought, as the LAN rule seems to make no difference. I will test, but you're saying any time I create a new rule to block LAN traffic I am going to have to reset states?



  • Also, the device did not have an established state, or shouldn't have as I shut it off last night after the rule seemed to make no difference. I then powered the device on this morning (pulled the power cord from the tv and plugged it back in) and the rule appears to still make no difference. I have not run Diagnostics > States, Reset States though.


  • Netgate Administrator

    As long as the TV is actually getting that IP the LAN rule will block any new states being created from it.

    The rule would need to be above any pass rules on LAN though. That would include any floating pass rules that might be operating on LAN.

    Steve
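    The two points made in this thread (a block rule has to sit above any pass rule, including floating ones, and it never kills an already-established state) can be modelled in a few lines. The following is an added illustration written for this thread, not pfSense's own code: the IP addresses and rule names are constructed, floating rules are assumed to use the "quick" option so that they match before the interface tab's rules, and states are keyed only on source and destination address rather than the full 5-tuple.

```python
"""Simplified model of how a stateful firewall such as pfSense decides whether
a LAN client's new connection is allowed (illustration for this thread, not
pfSense code; addresses and rule names are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str              # "pass", "block" or "reject"
    src: str                 # source IP or "any"
    floating: bool = False   # floating (quick) rules are evaluated before interface rules
    enabled: bool = True


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (src, dst) pairs with an open state

    def ordered_rules(self):
        # Floating rules (assumed "quick") are checked first, then the interface
        # tab; within the combined list the first matching rule wins.
        floating = [r for r in self.rules if r.floating and r.enabled]
        interface = [r for r in self.rules if not r.floating and r.enabled]
        return floating + interface

    def new_connection(self, src, dst):
        key = (src, dst)
        # An existing state bypasses rule evaluation entirely: this is why a
        # freshly enabled block rule seems to "do nothing" for a streaming TV.
        if key in self.states:
            return "pass (existing state)"
        for r in self.ordered_rules():
            if r.src in ("any", src):
                if r.action == "pass":
                    self.states.add(key)     # pass creates a state entry
                return r.action
        return "block (default deny)"

    def reset_states(self):
        # Equivalent of Diagnostics > States > Reset States
        self.states.clear()


TV = "192.168.1.50"          # constructed LAN static mapping for the TV
STREAM = "203.0.113.10"      # constructed streaming server (TEST-NET-3 range)


def demo():
    """Walk through the three situations discussed in the thread."""
    results = {}

    # 1. Block rule placed BELOW the default "LAN to any" pass rule: never matches.
    fw = Firewall([Rule("default allow LAN", "pass", "any"),
                   Rule("block tv", "block", TV)])
    results["below_any"] = fw.new_connection(TV, STREAM)

    # 2. Block rule above the pass rule, but the TV already has an open state.
    fw = Firewall([Rule("block tv", "block", TV, enabled=False),
                   Rule("default allow LAN", "pass", "any")])
    fw.new_connection(TV, STREAM)        # stream starts while the rule is disabled
    fw.rules[0].enabled = True           # rule is toggled on afterwards
    results["stale_state"] = fw.new_connection(TV, STREAM)
    fw.reset_states()                    # flush states, then try again
    results["after_reset"] = fw.new_connection(TV, STREAM)

    # 3. Reject rule on the floating tab: evaluated before the interface pass rule,
    #    regardless of where the LAN tab's "allow any" sits.
    fw = Firewall([Rule("default allow LAN", "pass", "any"),
                   Rule("reject tv", "reject", TV, floating=True)])
    results["floating"] = fw.new_connection(TV, STREAM)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

    Running the script shows "below_any" passing, "stale_state" passing on the existing state, "after_reset" blocked and "floating" rejected. In a real pfSense deployment the state table is also keyed on protocol and ports, idle states time out on their own, and a floating rule without "quick" is last-match rather than first-match, so the model above deliberately covers only the ordering and state behaviour the thread is about.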



  • Derelict - it was in fact the states table, good to know. Thank you for the quick response on this, I greatly appreciate it!
    Thank you so much man.


  • LAYER 8 Netgate

    Something like a TV and streaming media should be pretty constantly making new connections. Enabling a block rule might not appear to take effect instantly but it should become more painful to use as time passes. I would not expect it would be very long before it was pretty useless even without killing states manually. You might also change that to a Reject rule so the device gets feedback that the connections it is attempting are being actively rejected.



  • @Derelict
    Sorry to bug you again on this.... I am no longer able to block network traffic with the LAN firewall rules I have created, regardless of whether the rule is set to "reject" or "block". I can verify that the devices are getting the static IP addresses I have assigned them. I have been gone for work and am returning to get some more time with this device, and am finding that when I toggle/enable one of these rules internet traffic continues for the device even after I reset the states table.

    The only additional change I have made to the firewall after we last spoke on this post was disabling IPv6: System > Advanced > Networking > uncheck Allow IPv6 Traffic, and I disabled DHCPv6 Relay: Services > DHCPv6 Relay.

    Do I need to remove these rules and recreate them as "floating rules" for this to work? My end game is to be able to disable internet traffic on these devices on the fly by toggling the rule to enabled. I am including screenshots below; I have edited the screenshots to remove some of my family members' names.



  • Setting these as Floating rules appears to have resolved my issue.


  • LAYER 8 Global Moderator

    As I stated in your other thread - without you actually posting your rules, what you said you did and what was happening doesn't mean anything. For all we know you put the rules below your any, so no shit they wouldn't ever trigger. But putting them in floating would, etc.

    If you need help with rules you need to post a screen shot of the actual rules on the interface. Users always say they did X, when it comes down to it they did Y.


