Block access from lan to an internet ip



  • I am trying to block access to an IP address (178.32.68.70), really the whole subnet.

    So I created an alias, and added 178.32.68.0/24 to it.

    I added this LAN block rule

    Proto  Source         Port  Destination  Port  Gateway  Schedule  Description
    *      Blocked_sites  *     *                                     test

    I also added a WAN block rule

    Proto  Source         Port  Destination  Port  Gateway  Schedule  Description
    *      Blocked_sites  *     *            *                        test1

    Both rules are at the top of the list.

    Even after waiting for a reload, I can still access the website. Any ideas?



  • Reset your states. If you have an existing state, the block rule will not end that.



  • I reset the states, it is still not blocking.



  • reboot



  • rebooted, still no go.



  • Can you post a screenshot of your rules?



  • The rules are above in text.

    Let's go back to basics. Can you ping the IP address in your Blocked_sites alias? Please reply with the output.



  • Yup, I can ping it.

    Thanks




  • Your rules are correct.

    Add just one IP address that you want to block at the top of the LAN, use IP 178.32.68.70.
    Make sure you get a successful ping from 178.32.68.70 before applying the rule.

    Reboot

    Now try to ping 178.32.68.70

    Results?



  • Stranger still is the fact that when I ping that site I get no reply.



  • Do you have the Squid package installed?

    @clarknova:

    Stranger still is the fact that when I ping that site I get no reply.

    I can't ping 178.32.68.70 either, so they must have disabled replies.



  • Hmm. That IP address is not responding for me either. So that's not a good example.

    You see where I was getting at though. Narrow the issue down a little more. Try to block a single address. Don't forget to reboot.

    Then go from there.



  • @tommyboy180:

    Hmm. That IP address is not responding for me either. So that's not a good example.

    Well, isn't it a little odd that bilbus says he can ping it?



  • That was a day ago though, the host may be down.



  • Ya, I can't ping it anymore now either, from home or work. It was a virus-infected webserver trying to infect users with adware. Guess they were kicked offline.

    I added a few reliable test hosts to my blocked file list, and I can still ping them.

    I have these addresses on my block list

    178.32.68.66/32, 178.32.68.0/24, 188.124.5.162/24, 198.6.1.2/32

    The 198.6.1.2 is a UUNET DNS server, so it's pingable and always online.

    No matter what I do I cannot get these rules to stick. I am able to do DMZ to LAN rules just fine.

    The only proxy I have installed is HAVP.



  • hmm. I will test when I get home today and make a step by step.



  • anyone have any ideas?



  • You are trying the ping from a LAN host, not the pfSense host?

    Also, an answer to @Rezin:

    Do you have the Squid package installed?

    would be useful.



  • No squid.

    Ya, I am pinging from my desktop on the LAN.



  • In my dealings blocking an entire subnet, you have to make sure that your rules are in the correct place in the rules list (top, before allow rules). Secondly, if you restart your pfSense, by no means assume that clients will get updated automatically unless directly connected: ipconfig /release, /flushdns, /renew or your OS' equivalent.

    Also, blocking the route to the subnet seems to prevent connects better (IMHO),
    so that would look like:

    *  Blocked_sites  *  LAN net  *  *
    *  Blocked_sites  *  WAN net  *  *

    Try blocking the remote DNS address if possible.
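To make the two points raised in this thread concrete (an existing state keeps passing traffic until states are reset, and a block rule only works if it sits above the allow rule that would otherwise match first), here is an added Python model of first-match rule evaluation with a state table. It is illustration code, not pfSense's or pf's own; the alias contents, the LAN subnet 192.168.1.0/24 and the client address are assumed values.

```python
import ipaddress

# Constructed model of the thread's setup, not pfSense's own code; the
# Blocked_sites alias contents and the LAN subnet are assumed values.
BLOCKED_SITES = [ipaddress.ip_network(n) for n in
                 ("178.32.68.0/24", "188.124.5.0/24", "198.6.1.2/32")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

def in_alias(ip, alias=BLOCKED_SITES):
    return any(ipaddress.ip_address(ip) in net for net in alias)
def lan_net(ip):
    return ipaddress.ip_address(ip) in LAN_NET
def any_host(ip):
    return True

class Firewall:
    """First-match rule evaluation with a flow-state table, as pf does it."""
    def __init__(self, rules):
        self.rules = rules    # list of (action, src_matcher, dst_matcher)
        self.states = set()   # flows already passed by an earlier rule

    def decide(self, src, dst):
        # An existing state short-circuits the rule set until it is cleared.
        if (src, dst) in self.states:
            return "pass (existing state)"
        for action, src_m, dst_m in self.rules:
            if src_m(src) and dst_m(dst):
                if action == "pass":
                    self.states.add((src, dst))
                return action
        return "block"        # default deny when nothing matches

    def reset_states(self):
        self.states.clear()

ALLOW_LAN = ("pass", lan_net, any_host)   # stock LAN-to-any rule
BLOCK_LAN = ("block", lan_net, in_alias)  # LAN host -> Blocked_sites

def walkthrough(client="192.168.1.10", target="178.32.68.70"):
    """Replays the thread: flow opened, block added, states reset, wrong order."""
    fw = Firewall([ALLOW_LAN])
    out = [fw.decide(client, target)]      # "pass": state created
    fw.rules = [BLOCK_LAN, ALLOW_LAN]      # block rule added at the top
    out.append(fw.decide(client, target))  # still passes via the old state
    fw.reset_states()
    out.append(fw.decide(client, target))  # "block": rule now evaluated
    fw.rules = [ALLOW_LAN, BLOCK_LAN]      # block rule below the allow rule
    fw.reset_states()
    out.append(fw.decide(client, target))  # "pass": first match wins
    return out
```

Running walkthrough() returns the four decisions in order, which is the sequence the thread walks through: open flow, stale state, effective block after a state reset, and an ineffective block placed below the allow rule.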

