Block internet access for specific IP addresses

pulsartiger

I want to block all internet access for specific IP addresses. I created an Alias and a LAN Firewall rule below.

/Create an Alias called 'NoInternet'
Fireall->Aliases->IP
Added IP address that I want to block from accessing the internet.

/Create a rule for the Alias
Firewall->Rules->LAN
Action = Block
Interface = LAN
Address Family = IPv4
Protocol = Any
Source = Single Host or Alias -> NoInternet

Is this correct? Is there anything else that I need to do to ensure those devices cannot send or receive anything from the internet?

KOM

@pulsartiger Just make sure you place that rule above the Allow All rule. Rules are processed top-down, first-match (except floating rules which are last-match unless you have the Quick option checked.) Also note that a new rule will not affect existing states so make sure you reset the states of those specific IPs via Diagnostics - States.

pulsartiger

@kom said in Block internet access for specific IP addresses:

@pulsartiger Just make sure you place that rule above the Allow All rule. Rules are processed top-down, first-match (except floating rules which are last-match unless you have the Quick option checked.) Also note that a new rule will not affect existing states so make sure you reset the states of those specific IPs via Diagnostics - States.

Thanks. It appears that pfsense automatically did that (added above 'Allow All' rule). Regarding the State, I do not see any states for the IP addresses that I listed in my alias.

mcury

This post is deleted!

KOM

@pulsartiger Test it and see if it performs as you would expect.

johnpoz

@mcury that is over the top unnecessarily complex..

Simple rules above the block allowing access to what you want those clients to access would be far simpler and easier to read in the rules.

mcury

@johnpoz kkkk, reading what I wrote again, I agree with you..

pulsartiger

@kom said in Block internet access for specific IP addresses:

@pulsartiger Test it and see if it performs as you would expect.

Appears to work. For instance, I have a NAS that I do not want to access the internet. I SSH into it and I was unable to ping any sites. I just wanted to verify that the rule I created does indeed block all inbound and outbound traffic.

Another question related, what would be the easiest way to view any outbound request coming from that IP address?

KOM

@pulsartiger Set your block rule to log (it's in the Extra Options section of your block rule) and then all blocks will be logged. The views are kind of limited so if you need more granularity or history then you might need a syslog server or something else more complicated.