I'm so noob. How do I block an internal IP from WAN access?

trentdk

Lets say I have a LAN computer with IP 192.168.1.45

How do I make it so that the computer can communicate fine on the LAN, but cannot access the internet/wan?

ptt

Use FW Rules to block trafic form that IP to WAN ( check Docs / wiki )

trentdk

I did that, I think. Under the LAN tab, here is the entry:

Block * 192.168.1.45 * * * *

.. and that machine can still access the internet.

jimp

Is that block rule at the top of the list? (first match wins)

Are you using squid or something else that would be bypassing that rule?

wallabybob

Did you reset states? See Diagnostics -> States, click on Reset States.

trentdk

Yes, its at the top of the list.

And yes, I'm using the transparent proxy option on Squid (didn't even think about that!).

Blocking that IP on squid now.

(I tried "reset states" too, but it definitely seems like it was Squid still allowing access)

wallabybob

If you want to access the pfSense web GUI from 192.168.1.45 you'll need a PASS rule for that.

jimp

Yeah, squid would do that for sure. Squid puts in a rule, above where the user rules go, to pass traffic into the proxy. If you block it in squid it should be enough.

trentdk

In squid, which do I use to block it?

General tab -> Bypass proxy for these source IPs
Access Control tab -> Banned host addresses

jimp

Either of those may get the job done.

trentdk

Update: Some progress, but not working, and we're back to the firewall.

I successfully bypassed Squid, proven by no longer seeing that IP address in the Squid logs once I edited those fields mentioned above.

That machine still has internet access. The firewall rule is set as I described in my first post, and it resides at the top of the table that the pfsense GUI displays. I also did "reset states". Any other ideas? A friend said he was trying something similar, and he had to reset the router, does that sound right? (It doesn't to me) (he is running 2.0, I'm running 1.2.3)

jimp

You may have to actually put it through squid and block it there.

After thinking longer, the bypass proxy box only changes the NAT rule directing traffic into the proxy, not the rule allowing the traffic to hit the proxy.

trentdk

OK, fixed. Thanks Jimp!!

I left the firewall rule to handle things other than port 80.

For Squid:
As Jimp implied, leave "General tab -> Bypass proxy for these source IPs" blank.
Place the IP in "Access Control tab -> Banned host addresses" and that should take care of port 80.