Netgate Discussion Forum

    Block internet access for specific IP addresses

    pulsartiger

      I want to block all internet access for specific IP addresses. I created an Alias and a LAN Firewall rule below.

      /Create an Alias called 'NoInternet'
      Firewall->Aliases->IP
      Added IP address that I want to block from accessing the internet.

      /Create a rule for the Alias
      Firewall->Rules->LAN
      Action = Block
      Interface = LAN
      Address Family = IPv4
      Protocol = Any
      Source = Single Host or Alias -> NoInternet

      Is this correct? Is there anything else that I need to do to ensure those devices cannot send or receive anything from the internet?

        KOM @pulsartiger

        @pulsartiger Just make sure you place that rule above the Allow All rule. Rules are processed top-down, first-match (except floating rules which are last-match unless you have the Quick option checked.) Also note that a new rule will not affect existing states so make sure you reset the states of those specific IPs via Diagnostics - States.

          pulsartiger @KOM

          @kom said in Block internet access for specific IP addresses:

          @pulsartiger Just make sure you place that rule above the Allow All rule. Rules are processed top-down, first-match (except floating rules which are last-match unless you have the Quick option checked.) Also note that a new rule will not affect existing states so make sure you reset the states of those specific IPs via Diagnostics - States.

          Thanks. It appears that pfsense automatically did that (added above 'Allow All' rule). Regarding the State, I do not see any states for the IP addresses that I listed in my alias.

            mcury @pulsartiger

            This post is deleted!
              KOM @pulsartiger

              @pulsartiger Test it and see if it performs as you would expect.

                johnpoz LAYER 8 Global Moderator @KOM

                @mcury that is over the top unnecessarily complex..

                Simple rules above the block allowing access to what you want those clients to access would be far simpler and easier to read in the rules.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  mcury @johnpoz

                  @johnpoz kkkk, reading what I wrote again, I agree with you..

                    pulsartiger @KOM

                    @kom said in Block internet access for specific IP addresses:

                    @pulsartiger Test it and see if it performs as you would expect.

                    Appears to work. For instance, I have a NAS that I do not want to access the internet. I SSH into it and I was unable to ping any sites. I just wanted to verify that the rule I created does indeed block all inbound and outbound traffic.

                    Another related question: what would be the easiest way to view any outbound request coming from that IP address?

                      KOM @pulsartiger

                      @pulsartiger Set your block rule to log (it's in the Extra Options section of your block rule) and then all blocks will be logged. The views are kind of limited so if you need more granularity or history then you might need a syslog server or something else more complicated.

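As an added example (not code from the thread or from pfSense itself), a small Python model of the behaviour KOM describes in his two answers: interface rules are evaluated top-down, first match wins; a pass rule creates a state that later rule changes do not touch until the state is reset; and a block rule with logging enabled reports the block. The alias contents, the rules and the test packet are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample alias, standing in for Firewall > Aliases > IP "NoInternet".
ALIASES = {"NoInternet": ["192.168.1.50", "192.168.1.60"]}

def src_matches(rule_src, src):
    """Expand an alias (or single host/network) and test the packet's source."""
    if rule_src == "any":
        return True
    for entry in ALIASES.get(rule_src, [rule_src]):
        if ip_address(src) in ip_network(entry, strict=False):
            return True
    return False

def evaluate(rules, packet, states):
    """Return (action, logged) for one packet. The state table is checked
    first, so a flow that already has a state never reaches the rule list;
    that is why a new block rule does not affect existing connections."""
    flow = (packet["src"], packet["dst"], packet["proto"])
    if flow in states:
        return "pass", False
    for rule in rules:  # interface rules: top-down, first match wins
        if rule["proto"] in ("any", packet["proto"]) and src_matches(rule["src"], packet["src"]):
            if rule["action"] == "pass":
                states.add(flow)  # a pass rule creates a state
            return rule["action"], rule.get("log", False)
    return "block", False  # nothing matched: default deny

# Constructed rules and packet: the LAN block rule from the thread, with
# logging enabled, and the stock "Allow LAN to any" rule.
BLOCK_NOINTERNET = {"action": "block", "proto": "any", "src": "NoInternet", "log": True}
ALLOW_ALL = {"action": "pass", "proto": "any", "src": "any"}
NAS_PING = {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "icmp"}

def demo():
    """Walk through the three situations discussed in the thread."""
    out = {}
    # 1. Rule order: the block rule only works when it sits above the allow-all rule.
    out["block_below_allow"] = evaluate([ALLOW_ALL, BLOCK_NOINTERNET], NAS_PING, set())
    out["block_above_allow"] = evaluate([BLOCK_NOINTERNET, ALLOW_ALL], NAS_PING, set())
    # 2. Existing state: a flow allowed before the block rule existed keeps passing.
    states = set()
    evaluate([ALLOW_ALL], NAS_PING, states)
    out["stale_state"] = evaluate([BLOCK_NOINTERNET, ALLOW_ALL], NAS_PING, states)
    # 3. After resetting the host's states (Diagnostics > States) the block applies.
    states.clear()
    out["after_reset"] = evaluate([BLOCK_NOINTERNET, ALLOW_ALL], NAS_PING, states)
    return out
```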
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.