Set LAN rule to block outbound to one IP, can still ping it



  • WTHeck am I overlooking?? Simple rule, LAN, block, any source, single IP destination. But I can still ping the IP.

    screenshot of rule (ignore the Description, I change the actual Destination in testing)



  • Your LAN rule is set to block IPv4 TCP. Ping is not a TCP protocol.

    https://lists.debian.org/debian-user/1999/11/msg01434.html

    If you set the protocol to "any" that should take care of the problem. Also, since this is on your LAN network/interface, you should set the source to be LAN net, not * any.

    Jeff



  • Thanks Jeff. Good catch on the protocol, and I likely wouldn't have thought about restricting it to the LAN net. However, I just changed both of those and I can still ping the IP.



  • Reboot your pfsense box, then reboot your computer/device you're trying to hit the rule from.

    If you're still able to ping that IP address, something else is going on...

    Jeff



  • I can do that, but it's going to be this evening, in about 6 hours. But I'll give it a shot, it's been a while since it was rebooted. Thanks.


  • Netgate Administrator

    Or check the state table for states on LAN with that destination IP and kill them. They have probably timed out by now anyway though.

    Steve



  • Well this has been interesting, and frustrating. I rebooted this morning and sure enough I couldn't ping the IP after. The problem was, I couldn't ping anything. So I disabled the rule, rebooted and still no access.

    From Diagnostics I could ping outside on the WAN interface but not the LAN. And now my users are starting to arrive. So I loaded a two month old config but realized it had RDP ports and a lot of other settings that I'm sure contributed to a ransomware attack in December. So I reloaded the last config that I just saved. And it's working.

    I know I'm just a "casual user" of pfSense, it's not something I work with all day, but it sure is frustrating to not know how to 'deep dive' into the system to see where this problem was. I could connect to the GUI, so the LAN interface is working, and from pfSense I could ping outside, so the WAN port is working. But I haven't changed ANY other rule except the one in my OP.

    And just to rub salt in it. I had deleted the rule, even though I'd disabled it, and rebooted, just to be sure. I've now re-added it and the IP is not being blocked again. But you know what, whatever, I'm not rebooting it again until I get the backup box updated.

    Thanks for your help Jeff and Steve!


  • Netgate Administrator

    If you can ping from WAN but not LAN that's usually a sign that NAT is not working. Perhaps you have outbound NAT set to manual and a missing rule.
    Perhaps there is somehow a bad rule and ruleset cannot load. Check: Status > Filter Reload.
    Check you have a default route and it's the correct one in Diag > Routes.
    Set a default v4 gateay in Sys > Routing > Gateways if not.

    Steve



  • I'm not sure what's going on with this thing, creating or changing rules doesn't take effect unless it's rebooted. That's new behavior, it's always been immediate before this. I'm going to rebuild it tomorrow. Thanks everyone for the help.


Log in to reply