Block Internet access for a single host



  • This seems exceedingly simple, yet I'm not able to get it to work. The device in question had been given a static IP address, which I have verified is correct. The LAN rule I set is also simple:

    Action: Block
    Interface: LAN
    Address Family: IPv4
    Protocol: Any
    Source: Single host or alias / <IP>

    I enabled logging and can see the rule being actively denied, yet I can still browse to web addresses freely. I considered it might be going out as IPv6, so I did two things to test:

    1. Applied an IPv6 LANnet to Any BLOCK rule
    2. Created an Alias for my device that had its currently listed IPv6 and IPv4 addresses

    I then changed Protocol: IPv4 in the rule above to Protocol: IPv4 + IPv6. Still, the device is able to access the internet.

    Another user posted a similar issue here
    https://forum.netgate.com/topic/99008/blocking-internet-traffic-from-single-lan-client?_=1600269576737

    But it seems as if their solution was to block the IPv6 traffic from their device. Considering I fully blocked all IPv6 traffic on LAN, I suspect that's not the issue here.

    What could be wrong? Perhaps I was not waiting long enough after submitting the rule change. Is there a propagation delay? Can the current rule cache be flushed in some way (if this exists)? Does the Apply Changes action do this?



  • It seems to have propagated after some time. There appears to be a non-zero delay after Apply Changes before the rule takes effect (notably also after the log reports it has completed if you view the monitor).



  • @sherrellbc
    Consider that adding a block rule does not affect already existing connections. Only new connections will be blocked.

    If you want it to take effect immediately you'll have to kill existing states for that client.



  • @viragomann said in Block Internet access for a single host:

    If you want it to take effect immediately you'll have to kill existing states for that client.

    I tried disconnecting and reconnecting on the device, though the time between events was less than one second. How can you explicitly kill a client state like this?



  • @sherrellbc
    Diagnostics > States
    You can filter for a specific IP and then kill these states.
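As an added example (not part of the thread and not pfSense's own code), here is the command-line counterpart of the Diagnostics > States > filter > kill procedure described above, for use from the pfSense shell. It assumes a FreeBSD/pfSense box where `pfctl` is on the path and that the client has an IPv4 address; the `PFCTL` override and the `is_ipv4` helper are assumptions added here so the script can be dry-run and so that only a well-formed address ever reaches a privileged command.

```shell
#!/bin/sh
# Added example: kill pf states for one LAN client so that a freshly applied
# block rule takes effect at once instead of waiting for existing sessions to
# time out. Assumes pfSense/FreeBSD with pfctl available. Set PFCTL=echo to
# see the commands without touching the firewall.
PFCTL="${PFCTL:-pfctl}"

# Accept only a plain dotted-quad IPv4 address (assumed helper), so that
# nothing unexpected is ever passed to pfctl.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Kill every state in which the client is the source (its outbound sessions,
# the ones that keep "working" after the block rule is applied) and every
# state in which it is the destination (e.g. inbound port forwards).
kill_client_states() {
    _ip="$1"
    if ! is_ipv4 "$_ip"; then
        echo "refusing to kill states for invalid address: $_ip" >&2
        return 2
    fi
    "$PFCTL" -k "$_ip"                 # states whose source is the client
    "$PFCTL" -k 0.0.0.0/0 -k "$_ip"    # states whose destination is the client
}

# Usage: kill-states.sh <client-ipv4>
if [ -n "${1:-}" ]; then
    kill_client_states "$1"
fi
```

Run it as root on the firewall after Apply Changes; the block rule itself is unchanged, the script only removes the states that pre-date it. `pfctl -k` with one address matches states by source, and the `-k 0.0.0.0/0 -k <ip>` form matches by destination, which is why both are issued.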

