Netgate Discussion Forum

    I'm so noob. How do I block an internal IP from WAN access?

    General pfSense Questions
    13 Posts 4 Posters 6.5k Views
    • trentdk

      Let's say I have a LAN computer with IP 192.168.1.45

      How do I make it so that the computer can communicate fine on the LAN, but cannot access the internet/wan?

      pfSense 2.0 BETA at home, pfSense 1.2.3 at work

      • ptt (Rebel Alliance)

        Use FW rules to block traffic from that IP to WAN (check Docs / wiki).

        • trentdk

          I did that, I think. Under the LAN tab, here is the entry:

          Block * 192.168.1.45 * * * *

          .. and that machine can still access the internet.

          • jimp (Rebel Alliance Developer, Netgate)

            Is that block rule at the top of the list? (first match wins)

            Are you using squid or something else that would be bypassing that rule?

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • wallabybob

              Did you reset states? See Diagnostics -> States, click on Reset States.

              • trentdk

                Yes, it's at the top of the list.

                And yes, I'm using the transparent proxy option on Squid (didn't even think about that!).

                Blocking that IP on squid now.

                (I tried "reset states" too, but it definitely seems like it was Squid still allowing access)

                • wallabybob

                  If you want to access the pfSense web GUI from 192.168.1.45 you'll need a PASS rule for that.

                  • jimp (Rebel Alliance Developer, Netgate)

                    Yeah, squid would do that for sure. Squid puts in a rule, above where the user rules go, to pass traffic into the proxy. If you block it in squid it should be enough.

                    • trentdk

                      In squid, which do I use to block it?

                      General tab -> Bypass proxy for these source IPs
                      Access Control tab -> Banned host addresses

                      • jimp (Rebel Alliance Developer, Netgate)

                        Either of those may get the job done.

                        • trentdk

                          Update: Some progress, but not working, and we're back to the firewall.

                          I successfully bypassed Squid, proven by no longer seeing that IP address in the Squid logs once I edited those fields mentioned above.

                          That machine still has internet access. The firewall rule is set as I described in my first post, and it resides at the top of the table that the pfSense GUI displays. I also did "reset states". Any other ideas? A friend said he was trying something similar and he had to reset the router; does that sound right? (It doesn't to me.) (He is running 2.0, I'm running 1.2.3.)

                          • jimp (Rebel Alliance Developer, Netgate)

                            You may have to actually put it through squid and block it there.

                            After thinking longer, the bypass proxy box only changes the NAT rule directing traffic into the proxy, not the rule allowing the traffic to hit the proxy.

                            • trentdk

                              OK, fixed. Thanks Jimp!!

                              I left the firewall rule to handle things other than port 80.

                              For Squid:
                              As Jimp implied, leave "General tab -> Bypass proxy for these source IPs" blank.
                              Place the IP in "Access Control tab -> Banned host addresses" and that should take care of port 80.

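The ordering problem jimp describes, replayed as an added Python model (not code from the thread or from pfSense): the squid package's NAT redirect and its pass rule sit above the user's LAN block rule, the "Bypass proxy" box only removes the redirect, and the "Banned host addresses" entry denies inside squid. The proxy port, the exact rule shapes and the sample addresses are assumptions.

```python
from dataclasses import dataclass, replace

PROXY = ("127.0.0.1", 3128)     # squid's transparent listener (port assumed)
BLOCKED_HOST = "192.168.1.45"   # the LAN host from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def nat_redirect(pkt, transparent, bypass_srcs=()):
    """NAT step (runs before filtering): send port-80 traffic to the proxy
    unless the source is listed under 'Bypass proxy for these source IPs'."""
    if transparent and pkt.dport == 80 and pkt.src not in bypass_srcs:
        return replace(pkt, dst=PROXY[0], dport=PROXY[1])
    return pkt


def build_filter(transparent, user_rules):
    """Filter rules in evaluation order: package rules above user rules,
    then pfSense's default LAN 'allow all'. Rule shapes are assumed."""
    rules = []
    if transparent:
        # Package pass rule admitting web traffic so it can reach the proxy.
        # The bypass box edits only the NAT rule, so this rule stays in place.
        rules.append(("pass", lambda p: p.dport in (80, PROXY[1])))
    rules.extend(user_rules)
    rules.append(("pass", lambda p: True))
    return rules


def evaluate(pkt, rules):
    for action, match in rules:     # first match wins
        if match(pkt):
            return action
    return "block"


def squid_access(pkt, banned_hosts=()):
    """'Access Control -> Banned host addresses' becomes a deny inside squid."""
    return "deny" if pkt.src in banned_hosts else "allow"


def outcome(pkt, transparent, bypass_srcs=(), banned_hosts=()):
    """Verdict: 'block', 'pass' (direct), 'proxy-allow' or 'proxy-deny'."""
    user_rules = [("block", lambda p: p.src == BLOCKED_HOST)]  # the LAN-tab rule
    pkt = nat_redirect(pkt, transparent, bypass_srcs)
    verdict = evaluate(pkt, build_filter(transparent, user_rules))
    if verdict == "pass" and (pkt.dst, pkt.dport) == PROXY:
        return "proxy-" + squid_access(pkt, banned_hosts)
    return verdict
```

Run `outcome()` on a port-80 packet from 192.168.1.45 with the proxy on, with the host bypassed, and with the host banned to see the three states the thread went through; a port-443 packet from the same host is caught by the block rule in every case, which is why the firewall rule was left in place for non-web traffic.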
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.