Blocked hosts not blocked?



  • Hi,
    We're using pfSense in a quite big environment (>1000 clients) in which the clients are mostly smartphones/laptops from teenagers..
    Who of course use torrent to download and all things like that. Which for us isn't a problem.

    The only problem is: We've got a 150/10 cable connection, so if someone starts seeding a torrent for example we're out of bandwidth easily.

    So we've got some guys who monitor the network and block hosts when needed. In order to do that we've got a few things set up.

    1. Our LAN IP Range is 172.16.0.254/20
    2. Our standard DHCP range is 172.16.2.0-172.16.14.254, for which 172.16.0.0/172.16.1.254 are reserved for IT equipment (switches, access points, etc.) and 172.16.15.0/24 belongs to the 'blocked hosts'
    3. When someone is using too much bandwidth we add a static DHCP lease for that MAC address, this puts him in the .15.x range. pfSense is set up to block all traffic from that range except for 2 servers: 172.16.0.50 and 172.16.0.11.
    4. For the blocked hosts group the DNS is automatically set to 172.16.0.50 which resolves all hosts to 172.16.0.11. We've tested it and it works to our needs.

    But now for the problems. Currently we have a host using 10Mbit of our upload speed.. which is practically all of it. We've ended his lease, put him into the .15.x range. and reset the states.
    Only the traffic graphs show that 172.16.15.5 (which is the host I'm talking about) is still uploading at 10Mbit…

    And that's what I can't figure out. The firewall rules are as follows.

    WAN - 1st Rule:
    *Source: 172.16.15.0/24
    *Dest: !blocked_allowed (this alias holds the 2 internal IP's mentioned above)
    *Action: Reject (tried block as well)

    LAN - 1st Rule:
    *Source 172.16.15.0/24
    *Dest: !blocked_allowed
    *Action: block

    LAN - 2nd Rule:
    *Source: !blocked_allowed
    *Destination: 172.16.15.0/24
    *Action: Block

    With those rules in effect, it's still not working.

    Any suggestions are appreciated :)


  • Banned

    Intra-LAN traffic never hits the firewall. So yeah, they will NOT ever get blocked like this.



  • @doktornotor:

    Intra-LAN traffic never hits the firewall. So yeah, they will NOT ever get blocked like this.

    It's not about intra LAN traffic. It's about the host not getting to the internet.


  • Banned

    @aTastyAim:

    It's not about intra LAN traffic. It's about the host not getting to the internet.

    Great. Excellently fits the "Blocked hosts not blocked" subject. Next time you decide to waste other people's time, I'll be out of the game. Improve your description skills, since the problem is absolutely NOT clear even after re-reading the entire post a couple of times. You fail, try again. Leave the fancy teenager story out and post some facts and useful info.



  • Well, let's not start a flame here..
    I'm just doing an attempt… yes my description skills are not as good as you'd probably expect from me. Maybe you could clarify what isn't quite clear.

    So: To be more clear for you..
    I've got a subnet. 172.16.15.0/24
    The hosts in that subnet should be denied internet access.

    So, after a while of messing with those rules. I put up the following:
    If: WAN
    Source: 172.16.15.0/24
    Dest: Any
    Action: Block

    If: WAN
    Source: Any
    Dest: 172.16.15.0/24
    Action: Block

    Those rules are put on top of the list… but after a state reset/reboot those don't seem to work. UPnP is disabled...
    The host we are using to test the internet block is still capable of uploading/downloading.

    Better?



  • WAN - 1st Rule:
    *Source: 172.16.15.0/24
    *Dest: !blocked_allowed (this alias holds the 2 internal IP's mentioned above)
    *Action: Reject (tried block as well)

    LAN - 1st Rule:
    *Source 172.16.15.0/24
    *Dest: !blocked_allowed
    *Action: block

    LAN - 2nd Rule:
    *Source: !blocked_allowed
    *Destination: 172.16.15.0/24
    *Action: Block

    WAN 1st rule - that will not have any practical effect because 172.16.15.0/24 addresses should never be appearing as source on incoming WAN packets
    LAN 1st rule - yes, that should do the trick
    LAN 2nd rule - there should be no packets arriving on LAN that have a destination 172.16.15.0/24 (because LAN devices would deliver them directly to the client), so this rule also should not match anything in practice.

    But yes, LAN 1st rule should do the trick, and after clearing states the block should be in effect.
    I do this for my ordinary DHCP range - anyone who brings a new device and connects it, gets DHCP in a range like this that has internet blocked. This makes them come to IT, then we know they exist, determine their needs (or otherwise) and allocate them a static-mapped DHCP entry in a range that has appropriate rules/shaper/limiter for them. It works.

    Are there any other rules above LAN 1st rule? (I guess not)
    Post screenshots of LAN rules and maybe we can spot a typo or?


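To make the last reply's rule-by-rule analysis concrete, here is an added Python model (not from the thread and not pfSense code) of pf's first-match evaluation with a state table. It uses the subnets and the blocked_allowed alias from the thread; the client 172.16.3.20 and the internet addresses 8.8.8.8 and 198.51.100.7 are constructed samples. It shows which rule decides each packet, that traffic between two LAN addresses never reaches the firewall, that the WAN rule never matches an inbound packet, and that a flow with an existing state keeps passing until states are reset.

```python
import ipaddress

# Addresses from the thread; 172.16.3.20, 8.8.8.8 and 198.51.100.7 are constructed samples.
LAN_NET = ipaddress.ip_network("172.16.0.0/20")
BLOCKED_NET = ipaddress.ip_network("172.16.15.0/24")
BLOCKED_ALLOWED = {ipaddress.ip_address(a) for a in ("172.16.0.50", "172.16.0.11")}
ANY = (ipaddress.ip_network("0.0.0.0/0"), False)

def hit(spec, addr):
    """spec = (network or alias set, negated); a '!alias' destination is (alias, True)."""
    value, negated = spec
    return (addr in value) != negated

# Rules as (name, interface the packet arrives on, action, source spec, destination spec).
RULES = [
    ("WAN 1st", "WAN", "block", (BLOCKED_NET, False), (BLOCKED_ALLOWED, True)),
    ("LAN 1st", "LAN", "block", (BLOCKED_NET, False), (BLOCKED_ALLOWED, True)),
    ("LAN 2nd", "LAN", "block", (BLOCKED_ALLOWED, True), (BLOCKED_NET, False)),
    ("LAN default allow", "LAN", "pass", ANY, ANY),
]

class Firewall:   # first-match rule set plus a state table, the way pf evaluates traffic
    def __init__(self, rules):
        self.rules, self.states = rules, set()
    def reset_states(self):
        self.states.clear()
    def evaluate(self, iface, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in LAN_NET and dst in LAN_NET:
            return ("pass", "not seen: switched intra-LAN")   # never reaches pfSense
        key = (iface, src, dst)
        if key in self.states:
            return ("pass", "existing state")                 # rules are not consulted
        for name, riface, action, sspec, dspec in self.rules:
            if riface == iface and hit(sspec, src) and hit(dspec, dst):
                if action == "pass":
                    self.states.add(key)
                return (action, name)
        return ("block", "default deny")

def verdicts(fw):
    """Which rule decides each packet from the thread, before and after a state reset."""
    fw.states.add(("LAN", ipaddress.ip_address("172.16.15.5"), ipaddress.ip_address("8.8.8.8")))
    stale = fw.evaluate("LAN", "172.16.15.5", "8.8.8.8")       # torrent flow opened earlier
    fw.reset_states()
    return {"stale_state": stale,
            "blocked_to_internet": fw.evaluate("LAN", "172.16.15.5", "8.8.8.8"),
            "blocked_to_allowed": fw.evaluate("LAN", "172.16.15.5", "172.16.0.50"),
            "normal_client": fw.evaluate("LAN", "172.16.3.20", "8.8.8.8"),
            "wan_inbound": fw.evaluate("WAN", "198.51.100.7", "172.16.15.5")}
```

Run `verdicts(Firewall(RULES))` to see the deciding rule per packet; the WAN rule never appears, and the blocked host only gets through while its old state survives.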