1. Home
  2. pfSense® Software
  3. Firewalling
  4. Block Internet access for a single host

Block Internet access for a single host

  • S

    This seems exceedingly simple, yet I'm not able to get it to work. The device in question had been given a static IP address, which I have verified is correct. The LAN rule I set is also simple:

    Action: Block
    Interface: LAN
    Address Family: IPv4
    Protocol: Any
    Source: Single host or alias / <IP>

    I enabled logging and can see the rule being actively denied, yet I can still browse to web addresses freely. I considered it might be going out as IPv6, so I did two things to test:

    1. Applied an IPv6 LANnet to Any BLOCK rule
    2. Created an Alias for my device that had its currently listed IPv6 and IPv4 addresses

    I then changed Protocol: IPv4 in the rule above to Protocol: IPv4 + IPv6. Still, the device is able to access the internet.

    Another user posted a similar issue here
    https://forum.netgate.com/topic/99008/blocking-internet-traffic-from-single-lan-client?_=1600269576737

    But it seems as if their solution was to block the IPv6 traffic from their device. Considering I fully blocked all IPv6 traffic on LAN, I suspect that's not the issue here.

    What could be wrong? Perhaps I was not waiting long enough after submitting the rule change. Is there a propagation delay? Can the current rule cache be flushed in some way (if this exists)? Does the Apply Changes action do this?

    0 S 1 Reply
  • S

    It seems to have propagated after some time. There appears to be a non-zero delay after Apply Changes before the rule takes affect (notably also after the log reports it has completed if you view the monitor).

    0 V 1 Reply
  • V

    @sherrellbc
    Consider that adding a block rule does not affect already existing connections. Only new connection will be blocked.

    If you want to take effect immediatly you'll have to kill existing states for that client.

    1 S 1 Reply
  • S

    @viragomann said in Block Internet access for a single host:

    If you want to take effect immediatly you'll have to kill existing states for that client.

    I tried disconnecting and reconnecting on the device, though the time between events was less than one second. How can you explicitly kill a client state like this?

    0 V 1 Reply
  • V

    @sherrellbc
    Diagnostics > States
    You can filter for a specific IP and then kill these states.

    1
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy