Block Internet access for a single host
-
This seems exceedingly simple, yet I'm not able to get it to work. The device in question had been given a static IP address, which I have verified is correct. The LAN rule I set is also simple:
Action: Block
Interface: LAN
Address Family: IPv4
Protocol: Any
Source: Single host or alias / <IP>
I enabled logging and can see the rule being actively denied, yet I can still browse to web addresses freely. I considered it might be going out as IPv6, so I did two things to test:
- Applied an IPv6 LANnet to Any BLOCK rule
- Created an Alias for my device that had its currently listed IPv6 and IPv4 addresses
I then changed "Protocol: IPv4" in the rule above to "Protocol: IPv4 + IPv6". Still, the device is able to access the internet.
Another user posted a similar issue here:
https://forum.netgate.com/topic/99008/blocking-internet-traffic-from-single-lan-client?_=1600269576737
But it seems as if their solution was to block the IPv6 traffic from their device. Considering I fully blocked all IPv6 traffic on LAN, I suspect that's not the issue here.
What could be wrong? Perhaps I was not waiting long enough after submitting the rule change. Is there a propagation delay? Can the current rule cache be flushed in some way (if this exists)? Does the "Apply Changes" action do this?
-
It seems to have propagated after some time. There appears to be a non-zero delay after "Apply Changes" before the rule takes effect (notably also after the log reports it has completed if you view the monitor).
-
@sherrellbc
Consider that adding a block rule does not affect already existing connections. Only new connections will be blocked. If you want it to take effect immediately you'll have to kill existing states for that client.
-
@viragomann said in Block Internet access for a single host:
If you want it to take effect immediately you'll have to kill existing states for that client.
I tried disconnecting and reconnecting on the device, though the time between events was less than one second. How can you explicitly kill a client state like this?
-
@sherrellbc
Diagnostics > States
You can filter for a specific IP and then kill these states.
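A command-line counterpart to the Diagnostics > States step, added here as an example (not code from the thread or from pfSense). It assumes the client address 192.168.1.50 and the `pfctl -ss` sample output are constructed placeholders; the `pfctl -k` options used are the documented FreeBSD/pfSense ones.

```shell
#!/bin/sh
# Added example: list and kill pf states for one LAN client from the pfSense shell,
# the CLI equivalent of Diagnostics > States -> filter by IP -> kill.
# CLIENT is a constructed address; replace it with the blocked host's static IP.
CLIENT="${CLIENT:-192.168.1.50}"

# Constructed sample of `pfctl -ss` output so the filter can be exercised offline.
# The second line is the NAT'd outbound state: WAN address with the LAN source in parentheses.
SAMPLE_STATES='em0 tcp 192.168.1.50:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.5:61234 (192.168.1.50:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.50:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
em0 tcp 192.168.1.77:40000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.1:53 <- 192.168.1.50:49152       MULTIPLE:SINGLE'

# Print only the states involving the client, on either side of the translation.
# The IP must be followed by ':port' and preceded by start, space or '(' so that
# 192.168.1.5 does not match 192.168.1.50.
states_for_host() {  # $1 = client IP, stdin = pfctl -ss output
    grep -E "(^|[ (])$(printf '%s' "$1" | sed 's/\./\\./g'):[0-9]+"
}

count_states_for_host() {  # $1 = client IP, stdin = pfctl -ss output
    states_for_host "$1" | wc -l | tr -d ' '
}

# Kill states in both directions: those originating from the client and those
# whose destination is the client. With two -k arguments the first is the source
# and the second the destination; 0.0.0.0/0 means any host.
kill_states_for_host() {
    pfctl -k "$1"              # states from the client
    pfctl -k 0.0.0.0/0 -k "$1" # states to the client
}

if [ "${1:-}" = "--kill" ]; then
    kill_states_for_host "$CLIENT"   # run on the firewall after the block rule is applied
else
    printf 'States for %s:\n' "$CLIENT"
    printf '%s\n' "$SAMPLE_STATES" | states_for_host "$CLIENT"
fi
```

On a live firewall, feed `pfctl -ss` to `states_for_host` instead of the sample to confirm the list is empty after the kill.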