Block Server IP Address, but Allow LAN Access
-
Could somebody please explain how to set up a pfsense firewall rule so that I block internet access to my computer with an IP of 192.168.4.2 while still allowing this computer access to my local network?
I tried adding a Block rule under Firewall-Rules-WAN, but I can still access the internet.
I'm still trying to learn my way around pfsense so I'm sure I've missed something, and this topic has most likely been posted before, but I've been unable to find any.
Thanks for helping me with this!
-
@jg2003 Rules are parsed in order from top to bottom.
Firewall rules affect the ingress for a particular interface. LAN traffic would be controlled on the LAN firewall rule.
On your LAN interface place a block rule from 192.168.4.2 with "Block". This rule will be above any other rule allowing traffic for that network.
That should be all you need to access the rest of your network. You will not be able to reach the firewall at all.
Anything to the rest of the network would be via the switch and never reach the firewall.
-
@jg2003 Keep in mind that while your client doesn't need to talk to pfsense to talk to anything on its own local network, if you want to resolve, say, some resource that is resolved via dns running on pfsense, like host.home.arpa or something, you would need to allow this client to talk to dns (udp/tcp port 53) if running on pfsense.
You might also want to allow the client to talk to ntp, etc. on pfsense? udp 123
-
@chpalmer said in Block Server IP Address, but Allow LAN Access:
@jg2003 Rules are parsed in order from top to bottom.
On your LAN interface place a block rule from 192.168.4.2 with "Block". This rule will be above any other rule allowing traffic for that network.
I tried your suggestion multiple times without success. I've populated the fields as such:
Action - Block
Interface - LAN
Address Family - IPv4
Protocol - TCP
Source - Address or Alias - 192.168.4.2
Destination - Any
Description - block_ip_a
I also switched the source/destination around but it still wouldn't block the internet.
The rule is second down on the list after a rule that was created when setting up pfsense from a tutorial I followed (inteltechniques) which has a gear icon in the 'Actions' column, so I can't move it down on the list. Perhaps this is why it isn't working?
I'm also unsure if an alias needs to be created for this rule or not?
Any suggestions?
-
@johnpoz said in Block Server IP Address, but Allow LAN Access:
@jg2003 Keep in mind that while your client doesn't need to talk to pfsense to talk to anything on its own local network, if you want to resolve, say, some resource that is resolved via dns running on pfsense, like host.home.arpa or something, you would need to allow this client to talk to dns (udp/tcp port 53) if running on pfsense.
You might also want to allow the client to talk to ntp, etc. on pfsense? udp 123
I'm using an access point in front of the pfsense so local traffic should still be able to communicate without the pfsense.
I will need some time to figure out the dns settings as you've mentioned, as I'm still in the learning curve of pfsense. I will spend some time to try and figure it out though.
-
@jg2003 said in Block Server IP Address, but Allow LAN Access:
The rule is second down on the list after a rule that was created when setting up pfsense from a tutorial i followed (inteltechniques) which has a gear icon in the 'Actions' column, so I can't move it down on the list. Perhaps this is why it isn't working ?
Show us, and we'll tell you.
Example :
My LAN uses 192.168.1.1/24, as in the official Netgate pfSense tutorial.
On my LAN I have a PC with the IPv4 192.168.1.7
I created this :
I put this rule on the top, so no 'maybe' or 'perhaps'.
This rule only blocks TCP traffic and doesn't block UDP, ICMP, so DHCP, NTP, and partial DNS is still possible.
But web requests, as is most traffic = TCP - will hit the wall.
Also, this rule only blocks IPv4, which means that all IPv6 traffic will still pass. This only matters if you actually use IPv6 on your LANs and WAN.
edit : as soon as I created the "192.168.1.7" block rule, the hit counter started to rise : this means it's doing its job : traffic gets stopped.
-
I did find a way to block the gateway (without using pfsense) on my ubuntu computer by using this command in the terminal:
sudo ip route replace default via <fake_gateway>
It does work instantly, as using the ping command to 8.8.8.8 shows the host as unreachable and using the update command in the terminal is also unsuccessful.
Returning it to the original gateway ip makes the internet connection active again.
However, blocking the internet while keeping the local network active is something that I may do once a week, once a day, or possibly several times a day. So not sure if constantly changing the gateway will cause a problem over time?
-
I see that I can disable the Anti-Lockout Rule by clicking on the gear under 'Actions' and scrolling down to this checkbox:
Disable webConfigurator anti-lockout rule:
When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure a firewall rule is in place that allows access, to avoid being locked out!)
I am concerned about being locked out though. When creating another firewall rule to allow access (and avoid being locked out), would I add another rule for another computer ip address in my lan that has 'Action' set to pass?
-
@jg2003 said in Block Server IP Address, but Allow LAN Access:
... cause a problem over time?
Noop.
For thousands of years devices weren't connected at all. I recall no issues whatsoever (our shoes wore out faster though). We did use floppies and USB thumb drives a lot.
You should be more worried about the person using this device. "No Internet" can do strange things with them.
@jg2003 said in Block Server IP Address, but Allow LAN Access:
I am concerned about being locked out though.
Then keep it.
In the beginning, we all understood how it (pfSense) worked. Then we (me to start with) m*ssed up, and this "anti shoot in the foot" rule protected us (me). Even better : it protected me, me not knowing about it.
-
With the setup I have that's shown in the above image, it does block updates through the terminal command. And I do see the hit counter going up.
I am, however, still able to successfully ping 8.8.8.8
-
@jg2003 said in Block Server IP Address, but Allow LAN Access:
I am, however, still able to successfully ping 8.8.8.8
Well, your block rule there is only tcp; ping is icmp. So yeah, your default any-any rule that is on the lan would allow you to ping 8.8.8.8.
Make your block rule just IPv4, i.e. any port or protocol. But then again you might want to be able to talk dns and ntp, so put a rule above your block that allows dns and ntp to the pfsense lan address.
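As an added illustration (not code from the thread or from pfSense itself), here is a small Python model of the top-to-bottom, first-match LAN rule evaluation described above, comparing the TCP-only block with the fixed rule set; the firewall's LAN address 192.168.4.1 and a second LAN host 192.168.4.50 are assumed.

```python
# Added example, not from the thread: a small model of pfSense LAN-rule
# evaluation (top to bottom, first match wins) showing why a TCP-only block
# still lets 192.168.4.2 ping 8.8.8.8 and why the DNS/NTP allows go above
# the block. The firewall's LAN address 192.168.4.1 is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None # destination port; None matches any port

LAN_NET, PFSENSE_LAN, CLIENT = "192.168.4.0/24", "192.168.4.1", "192.168.4.2/32"

def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def decide(rules: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Fate of a packet entering pfSense on LAN: 'pass', 'block' or 'switched'."""
    # LAN-to-LAN traffic not aimed at pfSense itself is forwarded by the
    # switch/access point and never reaches the firewall (chpalmer's point).
    if ip_address(dst) in ip_network(LAN_NET) and dst != PFSENSE_LAN:
        return "switched"
    for r in rules:                      # first matching user rule wins
        if (r.proto in ("any", proto) and _addr_ok(r.src, src)
                and _addr_ok(r.dst, dst) and r.dport in (None, dport)):
            return r.action
    return "block"                       # no match: implicit default deny

DEFAULT_ALLOW = Rule("pass", "any", LAN_NET, "any")   # the stock "Default allow LAN to any"
FW = PFSENSE_LAN + "/32"

# The original attempt: TCP-only block above the default allow.
TCP_ONLY = [Rule("block", "tcp", CLIENT, "any"), DEFAULT_ALLOW]

# johnpoz's fix: let DNS (udp/tcp 53) and NTP (udp 123) reach pfSense, then
# block the client for every protocol, before the default allow.
FIXED = [Rule("pass", "udp", CLIENT, FW, 53), Rule("pass", "tcp", CLIENT, FW, 53),
         Rule("pass", "udp", CLIENT, FW, 123),
         Rule("block", "any", CLIENT, "any"), DEFAULT_ALLOW]

if __name__ == "__main__":
    print(decide(TCP_ONLY, "icmp", "192.168.4.2", "8.8.8.8"))        # pass: ping still works
    print(decide(FIXED, "icmp", "192.168.4.2", "8.8.8.8"))           # block
    print(decide(FIXED, "tcp", "192.168.4.2", "192.168.4.50", 445))  # switched: local share
```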
-
Make your block rule just IPv4, i.e. any port or protocol. But then again you might want to be able to talk dns and ntp, so put a rule above your block that allows dns and ntp to the pfsense lan address.
Following your suggestion blocks internet access but allows network traffic. I'm not able to update my system or ping ip addresses outside of my network when the pfsense lan firewall rules are enabled.
Thanks so much for all the helpful suggestions!