Block access to internet



  • Hello,

    my pfsense is set like this:

    192.168.0.1 -255 is lan DHCP enabled
    .1.1 - 255 is wan1
    .2.1 - 255 is wan2

    I use load balancing and failover.
    Question: How do I block certain computers from lan to acces internet?
    what is the best way to do it so the users can just visit Gmail or some other allowed web sites?



  • it's so easy but the correct question

    if i block a computer on lan frpm accessing the internet he scan the network with any program and know the live hosts IP and their mac and he change his mac and his ip to another one similar to a live host
    how can i block computer from accessing internet not by mac or ip but another fingerprint such as host name or processor vendor or any fingerprint ?



  • hsoldo.

    this is one solution using just pfsense.

    you can create a lan firewall rule to block specific lan IPs to the internet.
    then create another rule to allow those IPs to gmail's IP or what have you.

    assuming that the end user does not have administrative rights on his own pc to change his IP or MAC as mohandshamada pointed out.



  • So how do I block someone with MAC adres for example 11:11:11:11 who has ip adress 192.168.0.25 to go to internet?


  • Netgate Administrator

    Add a firewall rule at the top of the list on the LAN interface:
    Block    Source: 192.168.0.25  other fields set to 'any'.

    If the user changes their IP this will be circumvented.

    Steve



  • best way I find that works  to control internet access ,  set your  lan to something like 172.16.0.1/23  or 172.16.0.1 /22 put dhcp on 172.16.0.0 /24 and  create  very restrictive  fire wall rules for within this ip range  then on range of 172.16.1.0  or higher leave it uncontrolled,  or create  a rule that leave out port 80  across the entire lan .  then create an alias  that enables port 80 for certain ips  with in those ranges  (you can just do it on a single ip range too  give the upper half dhcp and the lower half  static ( you can use captive portal for more restriction control  but it will also have to block  port 8000 as this is the port all port 80 get redirected through

    this way any one who logs on to your system with dhcp will automatically be assigned into a highly  controlled  internet. and to access fully they have to connect by static  ip and / or static arp  . those you wish not to be controlled so much  give them a static ip in the  172.16.1.0 range or higher .and create an alias for them that  open all the ports  or what form of access you want

    it  hard for them to  cheat the system easily  . since the only  way for them to actually access the internet  fully, is to use a static ip of one that already assigned to another computer. any other ip  will will have very restrictive  internet

    if you just want them to access gmail the best is  install mozilla thunder bird ( or any imap client)  on  go into gmail configuration  and enable imap. then simply  only allow ports 1-79 and 81 - 1000. do this on the  for the ip range of 172.16.0.1  .  this way they will be able to send receive emails. but will not be able to surf. ( for set up you need full access ( PORT 80)  TO SET UP IMAP SETTING AUTOMATICALLY  after that port 80 can be disabled again or enter setting in manually  .. but otherwise  you can do the same sort of thing  create alias that allows certian ips to have access to certain websites while at the same time enabling port 80 or the entire port range for those  particular ips

    if you do not want to use a subnetmask  you can  install a second network lan  and plug it into your switch  with a different ip that you use a completely different ip range on.  and that one you can use  static ip, do not enable dhcp on this card..  it the same difference  as above  just less can go wrong and it  a bit harder for someone to determine  the ip range in use and more so if you using different switches to separate the  allowed users and restricted users.

    otherwise like mentioned before with out doing it this way. the user could simple  give themselves a different ip    but because it is static Ip based  it makes surfing  or stealing  some else ip a real pain because most of the time nothing will work for accessing the internet. and if your hardware  switches /equipment  have some good  network  management  on them    they will lock out  any  duplicate ips right away as soon as the appear


Log in to reply