Netgate Discussion Forum

Block access from lan to an internet ip
Firewalling, 20 Posts, 6 Posters, 9.0k Views

bilbus
I am trying to block access to an IP address (178.32.68.70), really the whole subnet.

So I created an alias and added 178.32.68.0/24 to it.

      I added this LAN block rule

      Proto  Source  Port  Destination  Port  Gateway  Schedule  Description

          • Blocked_sites *     *                                         test

      I also added a WAN block rule

      Proto  Source  Port  Destination  Port  Gateway  Schedule  Description

      • Blocked_sites *               *   *                 test1

      Both rules are at the top of the list.

Even after waiting for a reload, I still can access the website. Any ideas?

clarknova

        Reset your states. If you have an existing state, the block rule will not end that.

        db

bilbus

I reset the states; it still is not blocking.

tommyboy180

Reboot.

            -Tom Schaefer
            SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

            Please support pfBlocker | File Browser | Strikeback

bilbus

Rebooted, still no go.

clarknova

                Can you post a screen shot of your rules?


tommyboy180

                  The rules are above in text.

Let's go back to basics. Can you ping the IP address in your Blocked_sites alias? Please reply with the output.


bilbus

Yup, I can ping it.

                    Thanks

[attachment: pic.jpg]

tommyboy180

                      Your rules are correct.

Add just one IP address that you want to block at the top of the LAN; use IP 178.32.68.70.
Make sure you get a successful ping from 178.32.68.70 before applying the rule.

                      Reboot

                      Now try to ping 178.32.68.70

                      Results?


clarknova

                        Stranger still is the fact that when I ping that site I get no reply.


Rezin

                          Do you have the Squid package installed?

                          @clarknova:

                          Stranger still is the fact that when I ping that site I get no reply.

                          I can't ping 178.32.68.70 either, so they must have disabled replies.

tommyboy180

                            Hmm. That IP address is not responding for me either. So that's not a good example.

You see what I was getting at, though. Narrow the issue down a little more. Try to block a single address. Don't forget to reboot.

                            Then go from there.


clarknova

                              @tommyboy180:

                              Hmm. That IP address is not responding for me either. So that's not a good example.

                              Well, isn't it a little odd that bilbus says he can ping it?


tommyboy180

That was a day ago, though; the host may be down.


bilbus

Ya, I can't ping it anymore now either, from home or work. It was a virus-infected webserver trying to infect users with adware. Guess they were kicked offline.

I added a few reliable test hosts to my blocked file list, and I can still ping them.

I have these addresses on my block list:

178.32.68.66/32, 178.32.68.0/24, 188.124.5.162/24, 198.6.1.2/32

The 198.6.1.2 is a UUNET DNS server, so it's pingable and always online.

No matter what I do I cannot get these rules to stick. I am able to do DMZ to LAN rules just fine.

The only proxy I have installed is HAVP.

tommyboy180

Hmm. I will test when I get home today and make a step by step.


bilbus

Anyone have any ideas?

Cry Havok

                                        You are trying the ping from a LAN host, not the pfSense host?

Also, an answer to @Rezin:

                                        Do you have the Squid package installed?

                                        would be useful.

bilbus

No Squid.

Ya, I am pinging from my desktop on the LAN.

shadowadepts

In my dealings blocking an entire subnet, you have to make sure that your rules are in the correct place in the rules list (top, before allow rules). Secondly, if you restart your pfSense, by no means assume that clients will get updated automatically unless directly connected: ipconfig /release, /flushdns, /renew, or your OS's equivalent.

Also, blocking the route to the subnet seems to prevent connects better (IMHO), so that would look like:

                                            *  Blocked_sites  *  LAN net  *  *
                                            *  Blocked_sites  *  WAN net  *  *

Try blocking the remote DNS address if possible.

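The three behaviours the thread turns on, as an added Python model that is not part of the original posts or of pfSense itself: clarknova's point that a connection with an existing state keeps passing until the states are reset, shadowadepts' point that the block rule must sit above the allow rule because the first matching rule wins, and the way a host address with a /24 mask (the 188.124.5.162/24 entry bilbus listed) is treated as its whole /24. The alias contents are the ones bilbus posted; the LAN subnet 192.168.1.0/24, the client 192.168.1.10 and the port numbers are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Alias entries taken from the thread; 192.168.1.0/24 is an assumed LAN subnet.
BLOCKED_SITES = ["178.32.68.66/32", "178.32.68.0/24", "188.124.5.162/24", "198.6.1.2/32"]
LAN_NET = "192.168.1.0/24"


def normalise_alias(entries):
    """Expand alias entries into the networks they actually cover.

    strict=False masks off the host bits, so "188.124.5.162/24" is treated as
    188.124.5.0/24 (the whole /24 the mask names); a bare address gets a /32."""
    return [ip_network(entry.strip(), strict=False) for entry in entries]


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    src: Optional[list] = None       # list of networks; None means "any"
    dst: Optional[list] = None
    description: str = ""


def _matches(nets, addr):
    return nets is None or any(addr in net for net in nets)


def first_match(rules, src, dst):
    """Interface rules are evaluated top to bottom and the first matching rule
    wins, so a block placed below a matching pass rule never fires."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule
    return Rule("block", description="default deny")


def decide(rules, states, proto, src, sport, dst, dport):
    """A packet matching an existing state entry is passed without consulting
    the rules; that is why a freshly added block rule does not end an already
    established connection until the state is cleared."""
    key = (proto, src, sport, dst, dport)
    if key in states:
        return "pass", "existing state"
    rule = first_match(rules, src, dst)
    if rule.action == "pass":
        states.add(key)
    return rule.action, rule.description


def build_rules(block_first=True):
    blocked = normalise_alias(BLOCKED_SITES)
    lan = [ip_network(LAN_NET)]
    block = Rule("block", src=lan, dst=blocked, description="LAN -> Blocked_sites")
    allow = Rule("pass", src=lan, dst=None, description="default allow LAN to any")
    return [block, allow] if block_first else [allow, block]


def walk_through():
    """Replay the situations discussed in the thread and return each outcome."""
    results = {}
    client, target = "192.168.1.10", "178.32.68.70"
    # 1. Block rule above the LAN allow rule: the block matches first.
    results["block_on_top"] = first_match(build_rules(True), client, target).action
    # 2. Block rule below the allow rule: it is never reached.
    results["block_below_allow"] = first_match(build_rules(False), client, target).action
    # 3. Connection opened before the block existed, block added, no state reset.
    states = set()
    decide([Rule("pass", description="allow all")], states, "tcp", client, 51234, target, 80)
    results["after_adding_block_no_reset"] = decide(build_rules(True), states, "tcp", client, 51234, target, 80)[0]
    states.clear()   # what the thread calls resetting the states
    results["after_state_reset"] = decide(build_rules(True), states, "tcp", client, 51234, target, 80)[0]
    # 4. The host-with-/24 alias entry covers its whole network.
    results["normalised_188"] = str(normalise_alias(["188.124.5.162/24"])[0])
    return results


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name}: {outcome}")
```

Running it shows the two outcomes a practitioner should check for after adding a block rule: whether a matching pass rule sits above it, and whether a state for the connection already exists. The model deliberately ignores the pfSense host's own traffic, which Cry Havok's question points at, since LAN interface rules only see packets arriving on that interface.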