Block access to internet
my pfsense is set like this:
192.168.0.1-255 is LAN, DHCP enabled
.1.1-255 is wan1
.2.1-255 is wan2
I use load balancing and failover.
Question: How do I block certain computers on the LAN from accessing the internet?
What is the best way to do it so the users can just visit Gmail or some other allowed web sites?
It's so easy, but the correct question is:
If I block a computer on the LAN from accessing the internet, he scans the network with any program, learns the live hosts' IPs and their MACs, and changes his MAC and his IP to one similar to a live host.
How can I block a computer from accessing the internet not by MAC or IP but by another fingerprint, such as host name or processor vendor, or any fingerprint?
This is one solution using just pfSense.
You can create a LAN firewall rule to block specific LAN IPs to the internet.
Then create another rule to allow those IPs to Gmail's IP or what have you.
Assuming that the end user does not have administrative rights on his own PC to change his IP or MAC, as mohandshamada pointed out.
So how do I block someone with MAC address 11:11:11:11, for example, who has IP address 192.168.0.25, from going to the internet?
Add a firewall rule at the top of the list on the LAN interface:
Action: Block, Source: 192.168.0.25, other fields set to 'any'.
If the user changes their IP this will be circumvented.
The best way I find that works to control internet access: set your LAN to something like 172.16.0.1/23 or 172.16.0.1/22, put DHCP on 172.16.0.0/24 and create very restrictive firewall rules within this IP range; then leave the range of 172.16.1.0 or higher uncontrolled, or create a rule that leaves out port 80 across the entire LAN. Then create an alias that enables port 80 for certain IPs within those ranges. (You can do it on a single IP range too: give the upper half DHCP and the lower half static.) (You can use captive portal for more restriction control, but it will also have to block port 8000, as this is the port all port 80 traffic gets redirected through.)

This way anyone who logs on to your system with DHCP will automatically be assigned into a highly controlled internet, and to get full access they have to connect by static IP and/or static ARP. Those you wish not to control so much, give them a static IP in the 172.16.1.0 range or higher, and create an alias for them that opens all the ports, or whatever form of access you want.

It is hard for them to cheat the system easily, since the only way for them to actually access the internet fully is to use a static IP that is already assigned to another computer. Any other IP will have very restrictive internet.

If you just want them to access Gmail, the best is to install Mozilla Thunderbird (or any IMAP client), go into the Gmail configuration and enable IMAP. Then simply only allow ports 1-79 and 81-1000; do this for the IP range of 172.16.0.1. This way they will be able to send and receive emails but will not be able to surf. (For setup you need full access (port 80) to set up the IMAP settings automatically; after that port 80 can be disabled again, or enter the settings manually.) Otherwise you can do the same sort of thing: create an alias that allows certain IPs to have access to certain websites while at the same time enabling port 80 or the entire port range for those particular IPs.

If you do not want to use a subnet mask, you can install a second LAN network card and plug it into your switch with a different IP, using a completely different IP range on it. On that one you can use static IPs; do not enable DHCP on this card. It is the same difference as above, just less can go wrong, and it is a bit harder for someone to determine the IP range in use, more so if you are using different switches to separate the allowed users and restricted users.

Otherwise, like mentioned before, without doing it this way the user could simply give themselves a different IP. But because it is static-IP based, it makes surfing or stealing someone else's IP a real pain, because most of the time nothing will work for accessing the internet. And if your hardware switches/equipment have some good network management on them, they will lock out any duplicate IPs right away as soon as they appear.
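The answers above all hinge on one thing: pfSense walks the rules on an interface from top to bottom and the first rule that matches wins, which is why "block at the top" and "allow Gmail, then block" give different results depending on the order. The script below is an added illustration, not pfSense code or anything posted in this thread: a small first-match evaluator run over three constructed rule sets, the single-host block from the short answer, the same block with a narrow Gmail allow placed above it, and the /23 split with the 1-79 / 81-1000 port window from the last answer. The alias names, the 203.0.113.0/24 stand-in for "Gmail's IPs" and the host addresses are all made up for the demonstration.

```python
"""Toy first-match evaluator for pfSense-style interface rules.

Constructed example, not pfSense code.  pfSense evaluates the rules on an
interface top to bottom and the first match wins; anything nothing matches
is blocked by the implicit default.  Aliases and addresses are invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alias table; 203.0.113.0/24 stands in for "Gmail's IPs".
ALIASES = {
    "GMAIL": [ip_network("203.0.113.0/24")],
    "LAN_NET": [ip_network("192.168.0.0/24")],
    "DHCP_HALF": [ip_network("172.16.0.0/24")],   # restricted half of the /23
    "STATIC_HALF": [ip_network("172.16.1.0/24")], # uncontrolled half of the /23
}


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str           # alias name, CIDR, single IP or "any"
    dst: str           # alias name, CIDR, single IP or "any"
    ports: tuple = ()  # inclusive (lo, hi) destination port ranges; empty = any


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [ip_network(spec, strict=False)]
    return any(addr in n for n in nets)


def _port_matches(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def evaluate(rules, src, dst, dport):
    """Action of the first matching rule, or "block" when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _addr_matches(r.src, s) and _addr_matches(r.dst, d) and _port_matches(r.ports, dport):
            return r.action
    return "block"


# "Block at the top of the list": the Gmail allow underneath it is never
# reached, so 192.168.0.25 loses Gmail as well as everything else.
BLOCK_FIRST = [
    Rule("block", "192.168.0.25", "any"),
    Rule("pass", "192.168.0.25", "GMAIL", ((80, 80), (443, 443))),
    Rule("pass", "LAN_NET", "any"),
]

# "Block the IP, then allow it to Gmail" done in the order that works:
# the narrow allow sits above the broad block.
ALLOW_GMAIL_FIRST = [
    Rule("pass", "192.168.0.25", "GMAIL", ((80, 80), (443, 443))),
    Rule("block", "192.168.0.25", "any"),
    Rule("pass", "LAN_NET", "any"),
]

# The /23 split: DHCP half gets ports 1-79 and 81-1000 only (IMAP over TLS
# on 993 fits, plain web on 80 does not); the static half is uncontrolled.
SPLIT_LAN = [
    Rule("pass", "DHCP_HALF", "any", ((1, 79), (81, 1000))),
    Rule("block", "DHCP_HALF", "any"),
    Rule("pass", "STATIC_HALF", "any"),
]


if __name__ == "__main__":
    gmail, other = "203.0.113.10", "198.51.100.5"   # constructed destinations
    print("block-first, .25 -> gmail:443 ", evaluate(BLOCK_FIRST, "192.168.0.25", gmail, 443))
    print("allow-first, .25 -> gmail:443 ", evaluate(ALLOW_GMAIL_FIRST, "192.168.0.25", gmail, 443))
    print("allow-first, .25 -> other:443 ", evaluate(ALLOW_GMAIL_FIRST, "192.168.0.25", other, 443))
    print("split, dhcp host -> 993       ", evaluate(SPLIT_LAN, "172.16.0.50", other, 993))
    print("split, dhcp host -> 80        ", evaluate(SPLIT_LAN, "172.16.0.50", other, 80))
    print("split, static host -> 80      ", evaluate(SPLIT_LAN, "172.16.1.10", other, 80))
```

Swapping the first two rules of `BLOCK_FIRST` is the whole difference between "no internet at all" and "Gmail only" for that host, which is the detail to check after adding the rule pair the earlier answer describes. The same evaluator also makes the weakness both answers acknowledge visible: every rule keys on the source address, so the decision for a packet depends entirely on which address the host presents.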