stopping an IP address or MAC address from internet access
-
I'm sure this is a newbie question, but I'm trying to stop - on the fly - an IP or MAC address from continuing to have internet access. I've watched some videos and I can block after rebooting the device, but not while it is active. Is it really that hard to do this?
-
Try going to Diagnostics --> States --> Look for the connections that are being made by that IP --> Kill those connections. Let me know if this helps you.
-
seems to have made no difference - I'm still streaming the show to the device
-
I've killed them and then re-filter and they return - guess it might be that hard.
-
1: You will have to make a "Block/Deny" rule for the specific source IP address, on the interface where the device is connected: Deny ipv4 source <ip-address> dest <any>
Typically you would allow something before the above deny, as it will deny ANYTHING coming from that IP.
2: If the IP address has been "watching the show" because the Deny rule was not active when you "streamed" the last time, pfSense will remember the "state allow". That is why you (after making the deny rule) should do as Sebastian_IT said, and kill the active states (maybe just for that IP).
PS: If you are using DHCP, you might want to give that device's MAC address a static (fixed) IP address in the DHCP server, to make sure the device will always get the same IP address.
Are you trying to block/deny permanently, or make a timed permission?
Aka. kids... time to sleep?
/Bingo
-
I have already added the IP address as static
so now I have a firewall rule to
BLOCK
LAN
single host IP address
destination any
save then apply changes
I went to the STATES and filtered the IP address and killed all states on the LAN
when I went to the WAN there were also filtered entries though I had to kill those one at a time
the stream continues and the stats table refills on the LAN side
I've tried to remove them again with zero success.
I've went -
If I ever get this to work I would rather learn to filter the MAC address as anybody could just change the network settings and bypass my efforts. Kids are crafty that way. I guess my expectations of a firewall or perhaps this one are misguided. I'm imagining that if it can't be done in this firewall then it may not be possible. Clearly I'm new to this part of networking that will remain a learning curve.
-
It is noteworthy that if I reboot the device then the block rule seems to be effective, as the TV claims to not have an internet connection though it does have an IP address. If I disable the rule then the internet connection is established.
-
@virgomistrust said in stopping an IP address or MAC address from internet access:
that if I reboot the device then the block rule seems to be effective
Rebooting is a way to be sure that states are killed.
All of them. No exception.
Btw: kids, and other humans, are able to think.
They could manage to set up their devices so it's not you, using a DHCP server, that is assigning IPs to them, but themselves, by assigning a so-called static IP.
Next level, although probably hard when it concerns a TV set: they change the device's MAC address.
The old fashioned 'cut the wire' trick will still work.
(and then they go to another 'ISP', you losing any control)
-
stephenw10 (Netgate Administrator), Nov 25, 2020, 5:47 PM (last edited by stephenw10 Nov 25, 2020, 7:11 PM)
Yeah if it comes up after a reboot and the connections are blocked then you are not killing the states correctly.
The kill states button can only kill things that pfctl can, so that's IP addresses or subnets. Not partial IPs or ports or combinations, even though the page can filter like that.
To check it, just reset the state table completely instead of rebooting.
You can only filter by MAC in the captive portal, which uses ipfw instead of pf. That's probably not going to be suitable here.
You can set rule schedules that will remove any states opened at the end of the schedule. Often useful for limiting Netflix!
Steve
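As an added example (not code from the posts above, nor from pfSense itself), here is what Bingo's deny rule and Steve's point about state kills look like at the pf/pfctl level. The TV's address 192.168.1.50 and the LAN interface name em1 are assumed, hypothetical values; the `pfctl -ss` output embedded below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from pfSense.
# Assumed (hypothetical) values: the TV is 192.168.1.50 and LAN is interface em1.
# pfctl(8) -k accepts a host or network only, so these kills work on whole
# addresses, as Steve describes; a port filter in the GUI can display but not kill.

# The pf rule that a pfSense GUI rule "Block / LAN / source: single host / dest: any"
# boils down to. pfSense writes the generated ruleset to /tmp/rules.debug, where
# the line can be checked after "Apply Changes".
pf_block_rule() {
  ip="$1"
  ifname="$2"
  printf 'block in quick on %s inet from %s to any\n' "$ifname" "$ip"
}

# The two pfctl commands that clear every existing state for the host:
#  1. states originating from the host (LAN side, before NAT)
#  2. states from anywhere to the host ("-k 0.0.0.0/0 -k host", per pfctl(8))
# Until both are gone, an established stream keeps matching its old "pass" state
# and the new block rule is never consulted.
pf_kill_cmds() {
  ip="$1"
  printf 'pfctl -k %s\n' "$ip"
  printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$ip"
}

# Count states that still reference the host in "pfctl -ss" output read from
# stdin. 0 means the kill worked and the block rule now decides new connections.
# The regex anchors the address so 192.168.1.5 does not match 192.168.1.50.
count_states_for() {
  ip="$1"
  esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
  grep -c -E "(^|[^0-9.])${esc}(:|[^0-9.]|$)" || true
}

# Constructed sample of "pfctl -ss" output (not captured from a real system):
# a LAN-side state, its NAT'd WAN-side twin, and an unrelated host.
SAMPLE_STATES='em1 tcp 192.168.1.50:50122 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.7:60001 (192.168.1.50:50122) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.23:5353 -> 224.0.0.251:5353       SINGLE:NO_TRAFFIC'

# Dry run: show the rule and the kill commands, and count states in the sample.
pf_block_rule 192.168.1.50 em1
pf_kill_cmds 192.168.1.50
printf '%s\n' "$SAMPLE_STATES" | count_states_for 192.168.1.50
```

On the pfSense shell, once the block rule is applied, `pf_kill_cmds 192.168.1.50 | sh` runs both kills, and `pfctl -ss | count_states_for 192.168.1.50` should then print 0. If it prints 0 and the stream still plays, the rule is not matching the traffic; if it stays above 0, the states were not killed. That is the same distinction Steve's full state-table reset is meant to make, without clearing everyone else's connections.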
-
@stephenw10 said in stopping an IP address or MAC address from internet access:
Yeah if it comes up after a reboot and the connections are blocked then you are killing the states correctly.
The kill states button can only kill things that pfctl can, so that's IP addresses or subnets. Not partial IPs or ports or combinations, even though the page can filter like that.
To check it, just reset the state table completely instead of rebooting.
You can only filter by MAC in the captive portal, which uses ipfw instead of pf. That's probably not going to be suitable here.
You can set rule schedules that will remove any states opened at the end of the schedule. Often useful for limiting Netflix!
Steve
But a FW shouldn't be rebooted to make blocks work?? Imagine a very busy production environment.
I need to block an IP.... all of the company goes down until it reboots.
Not optimal to say the least....
-
@Cool_Corona
it seems that if I reset the states all connections will suffer, not just the target - is that correct? I'm coming to the conclusion that this may NOT be possible. It seems such a simple thing to do :(
-
Yes it will clear all states but everything else not blocked by the rule will just re-establish.
It's only a test to prove that clearing the correct states allows the rule to then block subsequent connection attempts.
Steve
-
Steve
this has NOT worked as intended. The goal is to enable the rule on the LAN side as it applies to that IP address and kill the live access to a stream on the TV. This has NOT worked. If I enable the rule and restart the device it will NOT get an internet connection; again, the goal is to kill the current stream as though I had air gapped the port on the switch. It would be nice if I could just do this with the MAC address instead. Is this such a hard task to accomplish?
-
Yes, I understand.
The goal of resetting the state table after enabling the rule is to understand whether the rule is not matching the traffic or you are not killing the required states when you kill them individually.
It's probably the latter, since it's very easy to use a filter expression against the state table that cannot be used to kill states.
Steve