Netgate Discussion Forum
    Set LAN rule to block outbound to one IP, can still ping it

    General pfSense Questions
    9 Posts 3 Posters 813 Views
    • jmiker

      WTHeck am I overlooking?? Simple rule, LAN, block, any source, single IP destination. But I can still ping the IP.

      [screenshot of rule] (ignore the Description, I change the actual Destination in testing)

      • akuma1x

        Your LAN rule is set to block IPv4 TCP. Ping is not a TCP protocol.

        https://lists.debian.org/debian-user/1999/11/msg01434.html

        If you set the protocol to "any" that should take care of the problem. Also, since this is on your LAN network/interface, you should set the source to be LAN net, not * any.

        Jeff

        • jmiker

          Thanks Jeff. Good catch on the protocol, and I likely wouldn't have thought about restricting it to the LAN net. However, I just changed both of those and I can still ping the IP.

          • akuma1x

            Reboot your pfSense box, then reboot your computer/device you're trying to hit the rule from.

            If you're still able to ping that IP address, something else is going on...

            Jeff

            • jmiker

              I can do that, but it's going to be this evening, in about 6 hours. But I'll give it a shot, it's been a while since it was rebooted. Thanks.

              • stephenw10 (Netgate Administrator)

                Or check the state table for states on LAN with that destination IP and kill them. They have probably timed out by now anyway though.

                Steve

                • jmiker
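Jeff's point about the protocol and Steve's point about the state table, as one added example that is not code from this thread or from pfSense. It runs offline on a constructed snapshot of `pfctl -ss` state output and two constructed renderings of the rule as `pfctl -sr` would print it; the interface name em1, the LAN subnet 192.168.1.0/24, the rule labels and the RFC 5737 addresses are all assumptions. On the firewall you would pipe the real command output in instead.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense's own code). Works offline on a
# constructed state-table snapshot; on the firewall you would feed it real
# `pfctl -ss` / `pfctl -sr` output instead. Addresses are RFC 5737 documentation
# ranges; the interface name em1 and the rule labels are assumptions.

# Constructed sample of `pfctl -ss` output: three states to the "blocked" host
# that were opened before the block rule existed, plus one unrelated DNS state.
SAMPLE_STATES='all icmp 192.168.1.50:1234 -> 203.0.113.10:1234       0:0
all tcp 192.168.1.50:52113 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53012 -> 198.51.100.5:53       MULTIPLE:SINGLE
all tcp 192.168.1.77:40111 -> 203.0.113.10:80       FIN_WAIT_2:FIN_WAIT_2'

# Constructed renderings of the two rules as `pfctl -sr` prints them: the first
# is the original rule (protocol TCP), the second the corrected one (protocol any,
# source LAN net). pf omits the "proto" clause entirely when the GUI says "any".
TCP_RULE='block drop in quick on em1 inet proto tcp from any to 203.0.113.10 flags S/SA label "USER_RULE: block test host"'
ANY_RULE='block drop in quick on em1 inet from 192.168.1.0/24 to 203.0.113.10 label "USER_RULE: block test host"'

# Return 0 if a `pfctl -sr` rule line can match an ICMP echo request:
# no "proto" clause at all (GUI protocol "any") or explicitly "proto icmp".
rule_matches_icmp() {
    case " $1 " in
        *" proto icmp "*) return 0 ;;
        *" proto "*)      return 1 ;;   # tcp, udp, ...: ping sails past this rule
        *)                return 0 ;;
    esac
}

# Print the `pfctl -ss` lines whose destination host is $1 (stdin -> stdout).
# Only outbound ("->") states are examined; the destination is the token after
# the last "->" (NAT'd states print "src (orig) -> dst"), with ":port" stripped.
# IPv4 only.
states_to() {
    awk -v want="$1" '
        {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == "->") dst = $(i + 1)
            sub(/:[0-9]+$/, "", dst)
            if (dst == want) print
        }'
}

# Number of existing states to host $1; each one bypasses a newly added block
# rule until it is killed or times out, which is why the ping kept working.
count_states_to() { states_to "$1" | wc -l | tr -d ' '; }

BLOCKED=203.0.113.10
for r in "$TCP_RULE" "$ANY_RULE"; do
    if rule_matches_icmp "$r"; then
        echo "matches ICMP : $r"
    else
        echo "IGNORES ICMP : $r"
    fi
done
echo "$(printf '%s\n' "$SAMPLE_STATES" | count_states_to "$BLOCKED") existing state(s) to $BLOCKED:"
printf '%s\n' "$SAMPLE_STATES" | states_to "$BLOCKED"
# On the firewall, kill them instead of rebooting (GUI: Diagnostics > States,
# filter on the address, Kill; shell equivalent: all sources to that destination):
echo "pfctl -k 0.0.0.0/0 -k $BLOCKED"
```

The TCP rule never sees an echo request because pf matches `proto tcp` before it ever looks at the destination, and even the corrected rule is consulted only when a packet creates a new state; anything already in the table keeps flowing until it is killed or expires, so checking the state table is the first thing to do before suspecting the rule.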

                  Well this has been interesting, and frustrating. I rebooted this morning and sure enough I couldn't ping the IP after. The problem was, I couldn't ping anything. So I disabled the rule, rebooted and still no access.

                  From Diagnostics I could ping outside on the WAN interface but not the LAN. And now my users are starting to arrive. So I loaded a two-month-old config but realized it had RDP ports and a lot of other settings that I'm sure contributed to a ransomware attack in December. So I reloaded the last config that I just saved. And it's working.

                  I know I'm just a "casual user" of pfSense, it's not something I work with all day, but it sure is frustrating to not know how to 'deep dive' into the system to see where this problem was. I could connect to the GUI, so the LAN interface is working, and from pfSense I could ping outside, so the WAN port is working. But I haven't changed ANY other rule except the one in my OP.

                  And just to rub salt in it. I had deleted the rule, even though I'd disabled it, and rebooted, just to be sure. I've now re-added it and the IP is not being blocked again. But you know what, whatever, I'm not rebooting it again until I get the backup box updated.

                  Thanks for your help Jeff and Steve!

                  • stephenw10 (Netgate Administrator)

                    If you can ping from WAN but not LAN that's usually a sign that NAT is not working. Perhaps you have outbound NAT set to manual and a missing rule.
                    Perhaps there is somehow a bad rule and the ruleset cannot load. Check: Status > Filter Reload.
                    Check you have a default route and it's the correct one in Diag > Routes.
                    Set a default v4 gateway in Sys > Routing > Gateways if not.

                    Steve

                    • jmiker
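The checks in Steve's reply above (outbound NAT, ruleset load, default route), as an added example that is not code from this thread or from pfSense. It runs against constructed `netstat -rn` and `pfctl -sn` snapshots so it executes offline; the interface names em0/em1, the WAN address 198.51.100.2, the upstream gateway 198.51.100.1 and the LAN subnet 192.168.1.0/24 are assumptions. On the box you would pipe the real command output in.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense's own code): the three checks
# from the reply above, run against constructed `netstat -rn` and `pfctl -sn`
# snapshots so it executes offline. Interface names, the WAN address
# 198.51.100.2 and the LAN subnet 192.168.1.0/24 are assumptions.

# Constructed `netstat -rn -f inet` output from a healthy pfSense (FreeBSD).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em1
198.51.100.0/24    link#0             U           em0'

# Constructed `pfctl -sn` output with automatic outbound NAT for one LAN subnet.
SAMPLE_NAT='no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 198.51.100.2 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 198.51.100.2 port 1024:65535'

# Print the IPv4 default gateway found in `netstat -rn` output (stdin); prints
# nothing when there is no default route, which is what Diag > Routes would show.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# Count general outbound NAT rules ("from <subnet> to any -> <addr>") for $1 in
# `pfctl -sn` output (stdin). Port-specific rules such as the isakmp one do not
# count; zero here with manual outbound NAT is the "missing rule" case.
outbound_nat_rules_for() {
    awk -v want="$1" '
        $1 == "nat" && $5 == "from" && $6 == want && $7 == "to" && $8 == "any" && $9 == "->" { n++ }
        END { print n + 0 }'
}

LAN_NET=192.168.1.0/24
gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)
if [ -n "$gw" ]; then
    echo "default IPv4 gateway: $gw"
else
    echo "NO default route: set one under System > Routing > Gateways"
fi
n=$(printf '%s\n' "$SAMPLE_NAT" | outbound_nat_rules_for "$LAN_NET")
if [ "$n" -gt 0 ]; then
    echo "$n outbound NAT rule(s) cover $LAN_NET"
else
    echo "no outbound NAT for $LAN_NET: LAN hosts cannot reach past the WAN"
fi
# Whether the ruleset loaded at all is Status > Filter Reload in the GUI; from the
# shell, parse-check the generated ruleset without loading it:
echo "pfctl -nf /tmp/rules.debug"
```

The symptom in the thread (firewall itself reaches the internet, LAN clients do not) fits either a missing default route or a missing outbound NAT entry; these two functions separate the cases from captured output, and a failed filter reload would explain why rule changes seemed to need a reboot.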

                      I'm not sure what's going on with this thing, creating or changing rules doesn't take effect unless it's rebooted. That's new behavior, it's always been immediate before this. I'm going to rebuild it tomorrow. Thanks everyone for the help.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.