Block multiple IP ranges on WAN



  • Hello All,

    I know this has to be an easy answer, but I've been searching for about 6 hours now.

    Here's the bottom line - I live in China and our local PSB office has a department set up specifically for pinging all the clients that are connected to our internet service.  I've been paying attention to all the IPs that are trying to access our LAN machines over the last 18 months and I have the majority of the IP ranges I'd like to block recorded.

    However, in my true ignorance I've struggled with finding a way to block an IP range on the WAN.

    For example, I need to block all in and out communications for the IPs (example IPs) 201.111.137.64 - 201.111.137.95.

    I'd rather not go in and write 31 rules - there has to be a better way?  Furthermore, there are about 3 different sets of IP ranges just like this I need to block, so I'd have to write well over 100 rules just to get the desired result.

    Again, I apologize for how stupid this question could potentially be!

    Cheers!



  • I would set up an alias of the networks (IP ranges) and just create one blocking rule with the alias as the source.
    When you need to amend the IP addresses you just change the alias. Your rules list will remain clean with just the one block rule.



  • Whew - thanks for the advice.  However, am I still going to have to put in over 100 IP addresses in the alias page?  There seems to be no way to actually just set a range… they want every single damn IP listed out one by one.



  • Never mind, spoke too soon!

    Networks type allows you to enter entire IP ranges to be blocked.

    Been looking for this forever.  Thanks so much for your reply!

    Brian

    //

    I take this back - I set up the ranges I wanted to block as an alias which turned out to look like xxx.xxx.xxx.xxx/27 - once I went in to the firewall rules and set up the attached rules for the WAN interface…  it's still letting traffic through since I can ping all the IPs in the listed range.

    Thoughts?

    ![Screen shot 2011-02-12 at 1.32.01 PM.png](/public/imported_attachments/1/Screen shot 2011-02-12 at 1.32.01 PM.png)



  • If you want to block both in and out you need one rule on the WAN specifying the source as the alias and also a block rule on the LAN tab with the destination set to the alias.

    There are plenty of online CIDR calculators to work out the correct notation for your network range.
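
The range-to-CIDR step mentioned in the last reply, as an added example that is not part of the original thread: it converts "first - last" ranges into the shortest list of CIDR networks to paste into a Networks-type alias. It goes beyond the single /27 case by also handling ranges that do not fall on a CIDR boundary and by merging adjacent ranges; apart from the example range from the question, the sample ranges and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the example range from the question plus
# made-up ranges (documentation address space) that show the edge cases.
SAMPLE_RANGES = """
201.111.137.64 - 201.111.137.95
192.0.2.10 - 192.0.2.20
198.51.100.0 - 198.51.100.127
198.51.100.128 - 198.51.100.255
"""

RANGE_RE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)\s*$")


def ranges_to_cidrs(text):
    """Return the smallest list of CIDR networks covering every range in text."""
    networks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = RANGE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'first - last', got {line!r}")
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        if first > last:
            raise ValueError(f"line {lineno}: range start is above range end")
        # A range that is not aligned to a power-of-two boundary needs
        # several networks; summarize_address_range yields exactly those.
        networks.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping networks so the alias stays short.
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    for cidr in ranges_to_cidrs(SAMPLE_RANGES):
        print(cidr)
```

A range that does not start and end on a CIDR boundary expands to several entries, so check the output against the intended first and last address before saving the alias.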

