Is there a way to block individual LAN IP's from accessing the WAN?



  • Hi guys, there are certain times that i need to be able to cut certain IP's off from accessing the net via the WAN (i would like to be able to also cut them off from accessing the LAN as well if possible, but not crucial).

    On standalone routers, i used to just block all ports and all protocols with that IP as a destination…but the same treatment doesnt seem to work in Pfsense, and im not sure why.

    I have a catch-all rule in place...but im placing these specific rules above the catch-all, so it should follow the specific rules before it gets to the general 'catch-all' shouldnt it? (the top of the list is the first rule it follows isnt it? or have i got it back to front)?

    Any help would be appreciated, thanks guys.



  • on which interface did you create the rule?
    rules are applied on the interface on which the traffic comes in.
    so if you want to block an IP on the LAN you need to create the rule on the LAN tab.

    could you post a screenshot fo your rules?



  • this has a very simple solution. first create an ALIAS. for example, BLACKLISTED. now, as possibly the first rule in your LAN list, create a rule with source of ALIAS/BLACKLISTED, protocol ANY, destination ANY, action BLOCK/DROP/REJECT/whatever. as needed, add/remove ips from the BLACKLISTED alias, which can be a list of (almost) any length.



  • hmmm i think that Alias thing has worked…thanks.

    Oddly enough, even though i created it in the LAN tab, i can still access LAN resources (other comps, LAN camera servers etc) but not the WAN. Which is the main thing.



  • glad it's working, though after re-reading your original question i believe i misunderstood the first time. to block WAN hosts from reaching LAN hosts, you need to block via WAN rules. LAN rules block LAN hosts from reaching WAN.

    and now to clarify; these rules mostly apply only to the START of conversations; if you allow a WAN host to contact a LAN host, that LAN host will likely be able to talk to the WAN host regardless of rules placed in in the LAN tab - that's due to 'state' being set. basically, the firewall remembers that you allowed the start of the conversation, and assumes the rest of the conversation is ok too. not all stand-alone routers have stateful firewalls and behave this intelligently - so you have to plan your rules accordingly.



  • Blocking LAN computers from accessing other LAN computer can't really be done effectively at the router. Communications between PCs on the LAN are done directly, not through the router.

    You could do it from a managed switch by blocking the individual port.
    Or just unplug the PC from the switch.
    Or have a short dhcp lease time and prevent the PC from obtaining an IP. I wouldn't go shorter then a few hours though, especially if you have a lot of boxes.

    Using the alias to block outside communications is a good idea. The rule on the LAN tab will catch most traffic, to be sure  you could also create a rule on the WAN tab to block communications with the destination of the blacklist group.



  • @tedced:

    Blocking LAN computers from accessing other LAN computer can't really be done effectively at the router. Communications between PCs on the LAN are done directly, not through the router.

    You could do it from a managed switch by blocking the individual port.
    Or just unplug the PC from the switch.
    Or have a short dhcp lease time and prevent the PC from obtaining an IP. I wouldn't go shorter then a few hours though, especially if you have a lot of boxes.

    Using the alias to block outside communications is a good idea. The rule on the LAN tab will catch most traffic, to be sure  you could also create a rule on the WAN tab to block communications with the destination of the blacklist group.

    So what you and BugeyeD are saying is in addition to the rule BugeyeD setout above for the LAN tab…create the reciprocal rule in the WAN tab to block both sides of the "conversation"?

    Ill do that now.

    Also, point taken about the blocking LAN traffic thing. Its not a major concern, as most of the time i just want the WAN access removed, but want LAN to remain so the internal network can carry on as per normal. And i suppose another way to do the LAN thing, is to give every comp a static DHCP listing, then select "disallow unknown" or whatever the option is called, from obtaining a LAN IP, and just flush the states so the target computers are off the LAN as well. Though that will be a far more rare occurrence than the Blacklist Alias.

    Thanks guys.


Log in to reply