Netgate Discussion Forum
    Block Internet access for a single host

    Firewalling
    5 Posts 2 Posters 738 Views
    sherrellbc

      This seems exceedingly simple, yet I'm not able to get it to work. The device in question had been given a static IP address, which I have verified is correct. The LAN rule I set is also simple:

      Action: Block
      Interface: LAN
      Address Family: IPv4
      Protocol: Any
      Source: Single host or alias / <IP>

      I enabled logging and can see the rule being actively denied, yet I can still browse to web addresses freely. I considered it might be going out as IPv6, so I did two things to test:

      1. Applied an IPv6 LANnet to Any BLOCK rule
      2. Created an Alias for my device that had its currently listed IPv6 and IPv4 addresses

      I then changed Protocol: IPv4 in the rule above to Protocol: IPv4 + IPv6. Still, the device is able to access the internet.

      Another user posted a similar issue here
      https://forum.netgate.com/topic/99008/blocking-internet-traffic-from-single-lan-client?_=1600269576737

      But it seems as if their solution was to block the IPv6 traffic from their device. Considering I fully blocked all IPv6 traffic on LAN, I suspect that's not the issue here.

      What could be wrong? Perhaps I was not waiting long enough after submitting the rule change. Is there a propagation delay? Can the current rule cache be flushed in some way (if this exists)? Does the Apply Changes action do this?

      sherrellbc @sherrellbc

        It seems to have propagated after some time. There appears to be a non-zero delay after Apply Changes before the rule takes effect (notably also after the log reports it has completed if you view the monitor).

        viragomann @sherrellbc

          @sherrellbc
          Consider that adding a block rule does not affect already existing connections. Only new connections will be blocked.

          If you want it to take effect immediately, you'll have to kill the existing states for that client.

          sherrellbc @viragomann

            @viragomann said in Block Internet access for a single host:

            If you want it to take effect immediately, you'll have to kill the existing states for that client.

            I tried disconnecting and reconnecting on the device, though the time between events was less than one second. How can you explicitly kill a client state like this?

            viragomann @sherrellbc

              @sherrellbc
              Diagnostics > States
              You can filter for a specific IP and then kill these states.

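The two points made in the replies above (a new block rule is only evaluated for new connections, and the existing states for the client have to be killed, which the GUI does under Diagnostics > States) have a command-line equivalent on the pfSense shell. The following is an added example written for this page, not code from the thread or from pfSense itself. It assumes a constructed host address (192.168.1.50, with 2001:db8::50 for the IPv6 case) and a constructed sample of `pfctl -ss` output in the format pf prints on FreeBSD (`if proto src -> dst state`, with NAT originals in parentheses and IPv6 addresses in brackets); the `pfctl -k` semantics are those documented in pfctl(8), and actually running the kill needs root on the firewall.

```shell
#!/bin/sh
# Added example (not from the forum thread): list and kill pf states for one
# LAN host from the pfSense shell, the CLI equivalent of Diagnostics > States.
# Assumptions: the host addresses (192.168.1.50, 2001:db8::50) and the sample
# 'pfctl -ss' lines below are constructed for illustration; the real kill
# needs root on the firewall.

# Constructed sample of 'pfctl -ss' output. 192.168.1.150 is included because
# a naive substring grep for 192.168.1.50 would wrongly match it.
SAMPLE_STATES='all tcp 192.168.1.50:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53421 -> 192.168.1.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.77:40012 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.9:22222 -> 192.168.1.50:22       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.150:4000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp [2001:db8::50]:60000 -> [2001:db8::2]:443       ESTABLISHED:ESTABLISHED'

# states_for_host STATES HOST: print the state lines in which HOST is the
# source or destination, comparing the whole address after the :port, any
# NAT parentheses and any IPv6 brackets have been stripped.
states_for_host() {
    printf '%s\n' "$1" | awk -v h="$2" '
        function strip(f, l, r) {
            if (substr(f, 1, 1) == l) f = substr(f, 2)
            if (substr(f, length(f), 1) == r) f = substr(f, 1, length(f) - 1)
            return f
        }
        function addr(f) {
            f = strip(f, "(", ")")      # "(orig:port)" on NAT states
            sub(/:[0-9]+$/, "", f)      # trailing :port
            return strip(f, "[", "]")   # "[v6addr]"
        }
        { for (i = 3; i <= NF; i++) if (addr($i) == h) { print; next } }'
}

# kill_commands_for_host HOST: print the two pfctl(8) invocations that
# together remove every state HOST takes part in. "pfctl -k HOST" kills only
# states originating from HOST; "pfctl -k ANY -k HOST" kills states whose
# destination is HOST (port forwards, inbound connections), so both are needed.
kill_commands_for_host() {
    h=$1
    case $h in
        *:*) any='::/0' ;;
        *)   any='0.0.0.0/0' ;;
    esac
    printf 'pfctl -k %s\n' "$h"
    printf 'pfctl -k %s -k %s\n' "$any" "$h"
}

# kill_host_states HOST: run the commands (as root on pfSense), or only
# print them when DRY_RUN=1.
kill_host_states() {
    kill_commands_for_host "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# On the firewall, after Apply Changes, the real sequence would be:
#   states_for_host "$(pfctl -ss)" 192.168.1.50    # what is still open
#   kill_host_states 192.168.1.50                  # then clear it
DRY_RUN=1 kill_host_states 192.168.1.50
```

Because the block rule is consulted only when a state is created, anything already in the state table keeps flowing until one of the two `pfctl -k` forms removes it; killing only the "originating from" direction leaves inbound states, such as port forwards to the host, in place.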
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.