Netgate Discussion Forum
    Allow or block internet access

    General pfSense Questions
    9 Posts 4 Posters 911 Views
    hardware_bxl:

      With many other firewall systems you can simply create a rule like:
      ALLOW/BLOCK any LAN -> any WAN

      but with pfSense the WAN interface cannot be used like that.
      In many examples that I find on the net, I see the following guidelines to get around this:

      1. Create Alias RFC1918 and add the corresponding networks (NET_RFC1918).
      2. Create a rule like:
        ALLOW/BLOCK any LAN -> any !NET_RFC1918

      Although this is a nice workaround and it does the job of allowing or blocking WAN/internet access, I feel it is not the correct way.

      Say you want to block internet for device_A on IP_device_A:
      BLOCK IPv4* IP_device_A * !NET_RFC1918 * * none
      description: "Blocks internet for device A"

      This is not 100% correct, as it blocks EVERYTHING except for the RFC1918 networks, so that means if your device would multicast for discovery on the network, this would be blocked as well and you lose functionality if you do not allow this separately.

      So would you also need to include:
      224.0.0.0 - 239.255.255.255 (is that RFC1112 or RFC5771 ??)

      But is that all you need to include?
      And also, if you include this in your alias to 'describe internet/wan access', then you also need to make a rule to allow/block this for the local net.

      So what would be the complete and correct way to 'describe internet/wan access' if you want to exclude all local addresses?

      And second, is there a better way to do this?

      SteveITS @hardware_bxl:

        @hardware_bxl said in Allow or block internet access:

        if your device would multicast for discovery on the network

        If it's multicast on the LAN network the device is on, the firewall rules are not involved since traffic within a network doesn't go through the router/firewall.

        Another method would be to not have a gateway set on the device, so it can't get out of the network.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        hardware_bxl @SteveITS:

          @steveits said in Allow or block internet access:

          @hardware_bxl said in Allow or block internet access:

          if your device would multicast for discovery on the network

          If it's multicast on the LAN network the device is on, the firewall rules are not involved since traffic within a network doesn't go through the router/firewall.

          Yes, I was told this before. Is it different when the device is on WiFi? Because in my test setup with a wireless printer, the multicast (mDNS) packets are clearly blocked by the firewall and need rules to allow them. So how would it work in such a situation?

          As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? Or how would I set no gateway for an interface?

          Thanks for explaining.

          SteveITS @hardware_bxl:

            @hardware_bxl You'd not set a gateway on the device, so on each PC. It's not ideal security-wise because someone could set one someday and get out. But, if they can do that they could also set their own static IP.

            Any local traffic is local. Anything destined elsewhere is sent to the device's gateway (the pfSense) to route. It's probably just noise because pfSense is seeing the multicast, along with the other PCs. Usually I turn off logging for the default block rule to avoid a lot of log noise.

            If the wireless network is the same as LAN then they are the same network.


            hardware_bxl @SteveITS:

              @steveits

              Well it's not just noise in my test setup it seems.
              I have a wireless printer (that is my test device) and I am trying to block access to the WAN (internet) for this device.

              [image: printer.png]

              With no other rules regarding the printer, it can indeed not access the WAN/internet.
              BUT: it is also not discoverable on the net.
              When examining the packets blocked by the rule, I also see mdns traffic blocked.

              If and only if I allow UDP * 224.0.0.251 5353 on top of this rule, then the printer is discoverable again.
              So that is saying to me, it is not just noise, at least not in my test setup, which is not an uncommon situation imo.

              hardware_bxl @SteveITS:
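The rule behaviour hardware_bxl describes in the opening post (block device A to !NET_RFC1918 and lose mDNS as a side effect) and in the reply just above (an extra UDP pass to 224.0.0.251 port 5353 restores discovery) can be checked with a small model of first-match rule evaluation. This is an added example, not code from the thread or from pfSense; it assumes a constructed printer address 192.168.1.50 for IP_device_A, pfSense's usual first-match ("quick") semantics, and the stock "Default allow LAN to any" rule sitting below the block rule. The alias names NET_RFC1918 and NET_LOCAL follow the thread; MDNS_DST is a name chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Added example, not code from the thread or from pfSense: a model of how the LAN
# rules discussed in the thread are evaluated, so the effect on mDNS can be checked.

# Alias NET_RFC1918 (the private ranges from RFC 1918).
NET_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv4 multicast, 224.0.0.0-239.255.255.255 (allocations are catalogued in RFC 5771).
NET_MULTICAST = [ipaddress.ip_network("224.0.0.0/4")]
# mDNS destination, 224.0.0.251 UDP/5353, the traffic the printer needs for discovery.
MDNS_DST = [ipaddress.ip_network("224.0.0.251/32")]
# Constructed printer address; the thread only calls it IP_device_A.
IP_DEVICE_A = "192.168.1.50"

Alias = List[ipaddress.IPv4Network]


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    proto: str = "any"                 # "any", "tcp" or "udp"
    src: str = "any"                   # "any" or a single source address
    dst: Union[str, Alias] = "any"     # "any" or an alias (list of networks)
    dst_negate: bool = False           # the GUI's "not" checkbox on the destination
    dport: Optional[int] = None        # None means any destination port
    descr: str = ""


def in_alias(addr: str, alias: Alias) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any":
        # With "not" set, the rule matches destinations *outside* the alias.
        if in_alias(pkt.dst, rule.dst) == rule.dst_negate:
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins (pfSense GUI rules are 'quick'); no match is the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"


def lan_rules(allow_mdns: bool = False) -> List[Rule]:
    """The thread's rule set: block device A to !NET_RFC1918, optionally with an mDNS pass above it."""
    rules: List[Rule] = []
    if allow_mdns:
        rules.append(Rule("pass", "udp", IP_DEVICE_A, MDNS_DST, dport=5353, descr="Allow mDNS for device A"))
    rules.append(Rule("block", "any", IP_DEVICE_A, NET_RFC1918, dst_negate=True, descr="Blocks internet for device A"))
    rules.append(Rule("pass", descr="Default allow LAN to any"))   # the stock LAN rule
    return rules


def lan_rules_local_alias() -> List[Rule]:
    """Alternative raised in the opening post: an alias that also covers multicast, so !NET_LOCAL leaves it alone."""
    net_local = NET_RFC1918 + NET_MULTICAST
    return [
        Rule("block", "any", IP_DEVICE_A, net_local, dst_negate=True, descr="Blocks internet for device A"),
        Rule("pass", descr="Default allow LAN to any"),
    ]


if __name__ == "__main__":
    # Constructed sample packets from the printer: internet (TEST-NET-3), a LAN host, and mDNS.
    internet = Packet("tcp", IP_DEVICE_A, "203.0.113.10", 443)
    local = Packet("tcp", IP_DEVICE_A, "192.168.1.20", 9100)
    mdns = Packet("udp", IP_DEVICE_A, "224.0.0.251", 5353)
    for name, rules in (("block !RFC1918", lan_rules()), ("+ mDNS pass", lan_rules(True)), ("!NET_LOCAL", lan_rules_local_alias())):
        for pkt in (internet, local, mdns):
            print(f"{name:16} {pkt.dst:15} -> {evaluate(rules, pkt)}")
```

Running the script shows the three outcomes from the thread side by side: with only the !NET_RFC1918 block rule the mDNS packet is caught by it, an explicit UDP pass to 224.0.0.251:5353 placed above it lets discovery through, and widening the alias to 224.0.0.0/4 achieves the same without a separate rule while still blocking the internet-bound packet. The model covers only rules on the LAN interface, which is what the thread is discussing; it says nothing about whether multicast is actually forwarded, which johnpoz answers later in the thread.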

                @steveits

                I will test this with a different setup and a wired device. It seems weird to me also that the multicast should be routed.
                Will update later.

                johnpoz (Global Moderator) @hardware_bxl:

                  @hardware_bxl said in Allow or block internet access:

                  It seems weird to me also that the multicast should be routed.

                  It's not. Allowing that on the firewall would only come into play if you're trying to use discovery across VLANs with, say, Avahi.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  AndyRH @hardware_bxl:

                    @hardware_bxl said in Allow or block internet access:

                    As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? It how would I set no gateway for an interface?

                    You can assign an address to the printer in DHCP and set option 3 to 'null' and the device will not receive a gateway.

                    o||||o
                    7100-1u

                    hardware_bxl @AndyRH:

                      @andyrh said in Allow or block internet access:

                      @hardware_bxl said in Allow or block internet access:

                      As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? It how would I set no gateway for an interface?

                      You can assign an address to the printer in DHCP and set option 3 to 'null' and the device will not receive a gateway.

                      Yes, OK, I thought of that; SteveITS already explained that security-wise it's not ideal, but that is an option, yes.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.