I'm so noob. How do I block an internal IP from WAN access?
Let's say I have a LAN computer with IP 192.168.1.45
How do I make it so that the computer can communicate fine on the LAN, but cannot access the internet/wan?
Use FW Rules to block traffic from that IP to WAN (check Docs / wiki)
I did that, I think. Under the LAN tab, here is the entry:
Block * 192.168.1.45 * * * *
... and that machine can still access the internet.
Is that block rule at the top of the list? (first match wins)
Are you using squid or something else that would be bypassing that rule?
Did you reset states? See Diagnostics -> States, click on Reset States.
Yes, it's at the top of the list.
And yes, I'm using the transparent proxy option on Squid (didn't even think about that!).
Blocking that IP on squid now.
(I tried "reset states" too, but it definitely seems like it was Squid still allowing access)
If you want to access the pfSense web GUI from 192.168.1.45 you'll need a PASS rule for that.
Yeah, squid would do that for sure. Squid puts in a rule, above where the user rules go, to pass traffic into the proxy. If you block it in squid it should be enough.
In squid, which do I use to block it?
General tab -> Bypass proxy for these source IPs
Access Control tab -> Banned host addresses
Either of those may get the job done.
Update: Some progress, but not working, and we're back to the firewall.
I successfully bypassed Squid, proven by no longer seeing that IP address in the Squid logs once I edited those fields mentioned above.
That machine still has internet access. The firewall rule is set as I described in my first post, and it resides at the top of the table that the pfSense GUI displays. I also did "reset states". Any other ideas? A friend said he was trying something similar, and he had to reset the router. Does that sound right? (It doesn't to me.) (He is running 2.0, I'm running 1.2.3.)
You may have to actually put it through squid and block it there.
After thinking longer, the bypass proxy box only changes the NAT rule directing traffic into the proxy, not the rule allowing the traffic to hit the proxy.
OK, fixed. Thanks Jimp!!
I left the firewall rule to handle things other than port 80.
As Jimp implied, leave "General tab -> Bypass proxy for these source IPs" blank.
Place the IP in "Access Control tab -> Banned host addresses" and that should take care of port 80.
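The rule ordering this thread arrives at (Squid's auto-generated pass-into-proxy rule sits above the user LAN rules, first match wins, so port 80 has to be stopped inside Squid), as an added example that is not part of the thread or of pfSense's own code. The proxy listener 127.0.0.1:3128 and a port-80-only redirect are assumptions, not facts from the thread.

```python
# Added example, not from the thread or from pfSense/Squid: a first-match model
# of how a transparent Squid proxy's auto-generated rule sits above the user's
# LAN rules, so "Block * 192.168.1.45 * * * *" never sees port-80 traffic.
# Assumed (not stated in the thread): Squid listens on 127.0.0.1:3128 and the
# redirect covers LAN traffic to TCP port 80 only.
from dataclasses import dataclass, replace

PROXY_IP, PROXY_PORT = "127.0.0.1", 3128  # assumed Squid listener

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def nat_redirect(pkt, transparent):
    """Squid's rdr rule: LAN port-80 traffic is rewritten to the proxy."""
    if transparent and pkt.dport == 80:
        return replace(pkt, dst=PROXY_IP, dport=PROXY_PORT)
    return pkt

def firewall_verdict(pkt, transparent, user_rules):
    """First match wins. The Squid package's pass-into-proxy rule is placed
    above the user rules; the LAN default-allow is the implicit last rule."""
    rules = []
    if transparent:
        rules.append(("pass", lambda p: p.dst == PROXY_IP and p.dport == PROXY_PORT))
    rules.extend(user_rules)
    for action, match in rules:
        if match(pkt):
            return action
    return "pass"

def can_reach_wan(pkt, transparent=True, user_rules=(), banned_hosts=()):
    """True if the flow gets out: NAT first, then filter rules, then (for
    traffic that landed on the proxy) Squid's 'Banned host addresses' ACL."""
    routed = nat_redirect(pkt, transparent)
    if firewall_verdict(routed, transparent, user_rules) == "block":
        return False
    if routed.dst == PROXY_IP:
        return pkt.src not in banned_hosts
    return True

# The OP's LAN rule: Block * 192.168.1.45 * * * *
BLOCK_45 = [("block", lambda p: p.src == "192.168.1.45")]
# Constructed sample flows from the blocked host to a WAN address (TEST-NET-3).
WEB = Packet("192.168.1.45", "203.0.113.10", 80)
HTTPS = Packet("192.168.1.45", "203.0.113.10", 443)
```

With the transparent proxy on, `can_reach_wan(WEB, user_rules=BLOCK_45)` is still True while HTTPS is blocked; adding the host to `banned_hosts` (or turning the transparent redirect off) is what makes port 80 fail too.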