Block internet for an ip in a certain interface
-
Hi, I hope you can help me. I have a pfsense firewall with 3 Interfaces configured:
WAN 192.168.12.1
LAN 192.168.3.1
OPT 192.168.1.254
On the OPT network, no DHCP Server is configured, consequently all devices have static IPs.
Everything works correctly, but what I can't do, even if it's trivial, is to block an IP of the OPT network from browsing the internet. It seems trivial, but I'm in trouble. What rules, and above all where, should they be set? Thank you all.
-
@vettalex if you have a device on your 192.168.1 network and you don't want it to get to the internet you would block its IP on your opt interface..
Keep in mind rules are top down, first rule to trigger wins - so the block rule would need to be before your allow rule to the internet. Keep in mind also if you test say accessing www.google.com from some host on your opt network, and then try and block it - the state would still be there allowing it. So you either need to kill any active states for that client or wait for them to timeout for the block to take effect.
-
@vettalex Simple, it requires two or perhaps 3 rules on the OPT interface somewhere above your current “allow” Internet rule.
1: This rule allows access to your LAN subnet.
Type: Allow
Protocol: Any or IPv4 or IPv4/IPv6 (whatever you are using)
Source: xxx.xxx.xxx.xxx (the IP you want to block)
Destination: Host or Alias: “LAN Subnet”
2: This rule blocks internet access
Type: Block
Protocol: Any or IPv4 or IPv4/IPv6 (whatever you are using)
Source: xxx.xxx.xxx.xxx (the IP you want to block)
Destination: Any
You might need to put in allow rules to the pfSense DNS server, or NTP server before rule number 1 - in case your client uses that.
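To see why the ordering in the two answers above matters, here is an added Python simulation of pfSense's first-match ("quick") rule evaluation on the OPT interface; it is not code from pfSense or from anyone in this thread. It assumes a blocked host of 192.168.1.50 (standing in for xxx.xxx.xxx.xxx) and the OPT-side pfSense address 192.168.1.254 as the DNS server; it does not model the state table, so the "kill the states" caveat still applies on a real box.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any destination port


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Constructed values: the host to block and the networks from the thread
BLOCKED_HOST = "192.168.1.50"        # hypothetical, stands in for xxx.xxx.xxx.xxx
PFSENSE_OPT = "192.168.1.254"        # pfSense's OPT address, used as DNS server
LAN_SUBNET = "192.168.3.0/24"
OPT_SUBNET = "192.168.1.0/24"
ANY = "0.0.0.0/0"

# OPT interface rules, top to bottom, in the order the second answer suggests
OPT_RULES = [
    Rule("pass", net(BLOCKED_HOST), net(PFSENSE_OPT), "udp", 53),  # DNS to pfSense
    Rule("pass", net(BLOCKED_HOST), net(LAN_SUBNET)),              # rule 1: LAN reachable
    Rule("block", net(BLOCKED_HOST), net(ANY)),                    # rule 2: everything else
    Rule("pass", net(OPT_SUBNET), net(ANY)),                       # pre-existing allow to internet
]

# The same rules with the block placed below the existing allow rule
MISORDERED_RULES = [OPT_RULES[0], OPT_RULES[1], OPT_RULES[3], OPT_RULES[2]]


def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins, as pfSense GUI rules are 'quick'; no match = default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in (None, proto) and r.dport in (None, dport):
            return r.action
    return "block"
```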
-
@vettalex said in Block internet for an ip in a certain interface:
block an IP of the OPT network for browsing the internet
Knowing that the IP is defined by you, as it is static.
@vettalex said in Block internet for an ip in a certain interface:
browsing the internet
I presume you do this with a web browser. This implies ports 80 and 443. Both TCP.
Now, all you need is a firewall, and set up a rule that states the source IP, and destination port 80 and 443, using protocol TCP.
You can use pfSense for this