Block Wireguard from connecting on LAN Address
-
How can I stop local LAN clients from connecting to Wireguard on the LAN address? I only want remote clients to be able to connect to Wireguard. LAN firewall rules seem to have no effect.
Thanks!
Dwayne -
@dapersico what are your LAN rules? If you're listening on port X, then blocking access to that port on the LAN interface with the "this firewall" destination would prevent them from accessing it.
Top down, first rule to trigger wins, no other rules evaluated.
Keep in mind once you put in a block rule, you need to make sure there are no existing states for that traffic you're trying to block already there, or it would still be allowed. So you either need to kill any existing states for that connection, or wait for them to time out.
-
@johnpoz said in Block Wireguard from connecting on LAN Address:
Keep in mind once you put in a block rule, you need to make sure there are no existing states for that traffic you're trying to block already there, or it would still be allowed. So you either need to kill any existing states for that connection, or wait for them to time out.
Well, it appears my rule was correct. It is the existing states that are my problem. I'll try this now.
Thanks!
-
@johnpoz still didn't work for me. Here is my rule:
States     Protocol  Source  Port  Destination  Port   Gateway  Queue  Schedule  Description
0 / 4 KiB  IPv4 UDP  *       *     LAN address  51820  *        none
I also tried "LAN net" as the source but no difference.
-
@dapersico post a screenshot of your rules please.
And do you have any rules in your floating tab?
That looks like it was evaluated with that 0 / 4 KiB.. But to be honest, why would the client even try to be connecting to your LAN address? That would never work from the internet. So it's prob going to your WAN address.
Which is why I suggested use "this firewall" alias - this would be all your pfsense IPs..
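The two points made in this thread (an existing state bypasses a newly added block rule until it is killed, and a rule whose destination is "LAN address" does not match traffic aimed at the WAN address, whereas the "This Firewall" alias covers every firewall IP) can be shown with a small model of pf-style first-match, stateful rule evaluation. This is an added illustration, not code from the thread or from pfSense; the addresses, rule objects and `kill_states` helper are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed firewall addresses (not from the thread).
FIREWALL_IPS = {"lan": "192.168.1.1", "wan": "203.0.113.10"}
# Destination aliases as the GUI exposes them: "LAN address" is the LAN
# interface IP only; "This Firewall" expands to every interface address.
ALIASES = {
    "LAN address": {FIREWALL_IPS["lan"]},
    "This Firewall": set(FIREWALL_IPS.values()),
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str           # "pass" or "block"
    iface: str            # "lan", "wan" or "*"
    proto: str            # "udp", "tcp" or "*"
    src_net: str          # "*" or a CIDR such as "192.168.1.0/24"
    dst: str              # "*", an IP, or an alias name from ALIASES
    dport: Optional[int]  # None = any port


def _dst_matches(rule_dst: str, dst: str) -> bool:
    if rule_dst == "*":
        return True
    return dst in ALIASES.get(rule_dst, {rule_dst})


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface not in ("*", pkt.iface):
        return False
    if rule.proto not in ("*", pkt.proto):
        return False
    if rule.src_net != "*" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if not _dst_matches(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(pkt: Packet, rules: list, states: set) -> tuple:
    """Return (verdict, reason). A matching state short-circuits the ruleset;
    otherwise rules are walked top down and the first match wins."""
    if pkt in states:
        return ("pass", "existing state")
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            if rule.action == "pass":
                states.add(pkt)          # a pass creates a state entry
            return (rule.action, f"rule {i}")
    return ("block", "default deny")


def kill_states(states: set, dst: str, dport: int) -> int:
    """Drop states to dst:dport, the effect of killing states on the box."""
    doomed = {s for s in states if s.dst == dst and s.dport == dport}
    states.difference_update(doomed)
    return len(doomed)


def scenario() -> dict:
    allow_all = Rule("pass", "lan", "*", "*", "*", None)          # default LAN allow
    block_lan_addr = Rule("block", "lan", "udp", "*", "LAN address", 51820)
    block_this_fw = Rule("block", "lan", "udp", "*", "This Firewall", 51820)
    states: set = set()
    to_lan = Packet("lan", "udp", "192.168.1.50", FIREWALL_IPS["lan"], 51820)
    to_wan = Packet("lan", "udp", "192.168.1.50", FIREWALL_IPS["wan"], 51820)
    out = {}
    # 1. Client connects before any block rule exists: passes, state created.
    out["before_block"] = evaluate(to_lan, [allow_all], states)
    # 2. Block rule added on top, but the old state still lets the flow through.
    out["after_block_state_kept"] = evaluate(to_lan, [block_lan_addr, allow_all], states)
    # 3. Kill the state; now the block rule is the first match.
    out["killed"] = kill_states(states, FIREWALL_IPS["lan"], 51820)
    out["after_block_state_killed"] = evaluate(to_lan, [block_lan_addr, allow_all], states)
    # 4. Same client aims at the WAN address: "LAN address" rule does not match.
    out["wan_addr_lan_address_rule"] = evaluate(to_wan, [block_lan_addr, allow_all], states)
    states.clear()
    # 5. "This Firewall" covers the WAN address too, so the block applies.
    out["wan_addr_this_firewall_rule"] = evaluate(to_wan, [block_this_fw, allow_all], states)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Running `scenario()` walks the thread's situation in order: the pass before the block rule, the pass that survives via the existing state, the block once that state is killed, and the difference between a destination of "LAN address" and "This Firewall" when the client targets the WAN IP.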