Netgate Discussion Forum
    WAN access blocking

    Firewalling
    5 Posts 3 Posters 2.0k Views
      A Former User

      I'm trying to block a set of IPs on LAN from accessing WAN. I have never had any problems with that, but now, for some reason, it does not work.
      On the same computer (192.168.0.3) I'm running SABnzbd, and even if I block it, it still downloads.

      When I ping the outside world (from 192.168.0.3) with the rule disabled, it resolves the hostname. When I enable the rule, the hostname is removed. See a copy of the ping session below.

      
      64 bytes from www.vg.no (195.88.55.16): icmp_req=285 ttl=246 time=200 ms <- rule disabled
      64 bytes from www.vg.no (195.88.55.16): icmp_req=286 ttl=247 time=196 ms <- rule disabled
      64 bytes from 195.88.55.16: icmp_req=287 ttl=246 time=69.1 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=288 ttl=246 time=32.2 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=289 ttl=246 time=15.2 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=290 ttl=247 time=87.1 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=291 ttl=246 time=15.4 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=292 ttl=247 time=14.0 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=293 ttl=246 time=12.7 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=294 ttl=247 time=12.9 ms <- rule enabled
      64 bytes from 195.88.55.16: icmp_req=295 ttl=246 time=12.2 ms <- rule enabled
      64 bytes from www.vg.no (195.88.55.16): icmp_req=296 ttl=247 time=14.1 ms <- rule disabled
      64 bytes from www.vg.no (195.88.55.16): icmp_req=297 ttl=246 time=14.3 ms <- rule disabled
      64 bytes from www.vg.no (195.88.55.16): icmp_req=298 ttl=247 time=118 ms <- rule disabled

      I'm running pfSense on ESXi 4.1 with dedicated NICs, but that should not interfere. I'm about to reinstall pfSense as I'm pretty sure I enabled/disabled something that I should not have, but that's a lot of work.

      Any help would be much appreciated. :)
      [Attachment: rules.jpg]

        podilarius

        In the advanced options of the block rule, change the state type to None. The problem you are most likely having is that the state is still open while you are testing. If there is an open state, the data will continue to flow.

          cmb

          Putting state type to none won't do anything for that. You have to kill the state; firewall rule changes on every firewall only impact new connections, not already-passed ones.

            A Former User

            Thanks for the reply.
            So there is no way to automatically kill an already-passed connection when the block rule kicks in?

              cmb

              @mjorud:

              So there is no way to automatically kill an already-passed connection when the block rule kicks in?

              No. That's true of pretty much every commercial and open source firewall (I'm not aware of any that do that and I've worked with pretty much all of them, there may be some though).

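The mechanism cmb describes is visible in the original ping output: the ICMP echo state was created before the rule was enabled, so replies keep arriving, while each reverse-DNS lookup ping does for the hostname is a new UDP flow that the fresh block rule does stop, which is why the name disappears. The SABnzbd downloads survive for the same reason, their TCP states already exist. The script below is an added example, not code from the thread or from pfSense itself: it reads a pf state table in the shape of `pfctl -ss` output, lists the entries that will keep passing traffic for a given LAN host, and, when asked, kills them with `pfctl -k` in both directions. The state table embedded in the script is constructed to look like a pfSense box with outbound NAT (interface names `em0`/`em1`, the NAT address `203.0.113.5` and the peer addresses are made up); the script assumes IPv4 addresses and a FreeBSD/pfSense shell where `pfctl` exists.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): show which pf states let a
# LAN host keep talking after a block rule is enabled, and kill them with pfctl.
# Assumes IPv4 and a pfSense/FreeBSD host for the kill step; the table below is
# a constructed sample shaped like `pfctl -ss` output.

# Constructed sample.  With outbound NAT, pf keeps a LAN-side entry keyed on the
# private source and a WAN-side entry that shows the NAT address with the
# original source in parentheses.  Both belong to the same connection.
SAMPLE_STATES='em0 tcp 192.168.0.3:51234 -> 195.88.55.16:443       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.5:51234 (192.168.0.3:51234) -> 195.88.55.16:443       ESTABLISHED:ESTABLISHED
em0 udp 192.168.0.3:53412 -> 8.8.8.8:53       MULTIPLE:MULTIPLE
em0 icmp 192.168.0.3:8 -> 195.88.55.16:8       0:0
em0 tcp 192.168.0.10:51236 -> 1.1.1.1:443       ESTABLISHED:ESTABLISHED'

# states_for_host HOST: read a state table on stdin and print every entry in
# which HOST is the original source, the NAT-side source or the destination.
# Ports and NAT parentheses are stripped before comparing, so 192.168.0.3 does
# not match 192.168.0.30 (the "field:port" split is IPv4-only).
states_for_host() {
    awk -v h="$1" '
        {
            for (i = 3; i <= NF; i++) {
                if ($i == "->") continue
                a = $i
                gsub(/[()]/, "", a)     # "(192.168.0.3:51234)" -> "192.168.0.3:51234"
                sub(/:[^:]*$/, "", a)   # drop the ":port" suffix
                if (a == h) { print; break }
            }
        }'
}

# count_states_for_host HOST: number of live states that still pass traffic for
# HOST regardless of what the ruleset now says.
count_states_for_host() {
    states_for_host "$1" | wc -l | tr -d ' '
}

# kill_states_for_host HOST: remove the states in both directions on the live
# firewall.  `pfctl -k HOST` kills states whose source is HOST; the two-argument
# form `pfctl -k 0.0.0.0/0 -k HOST` kills states from anywhere to HOST, which
# covers inbound port forwards and replies keyed on the WAN side.  Rule changes
# alone never do this; new packets simply match the existing state first.
kill_states_for_host() {
    host="$1"
    pfctl -k "$host"
    pfctl -k 0.0.0.0/0 -k "$host"
}

# Stand-alone run:  sh kill_states.sh [HOST] [--kill]
# Without --kill it only reports, using the constructed table, so it is safe to
# run anywhere; with --kill it calls pfctl on the box it runs on.
HOST="${1:-192.168.0.3}"
printf '%s\n' "$SAMPLE_STATES" | states_for_host "$HOST"
echo "$(printf '%s\n' "$SAMPLE_STATES" | count_states_for_host "$HOST") live state(s) still pass traffic for $HOST"
if [ "$2" = "--kill" ]; then
    kill_states_for_host "$HOST"
fi
```

On a real firewall feed the live table in with `pfctl -ss | states_for_host 192.168.0.3` before and after the kill step to confirm the entries are gone; only then will the block rule be the thing deciding whether 192.168.0.3 can reach the WAN.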
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.