    Allow/Block Internet Access to selected IPs

      noriel

      We have 5 computer laboratories with 30-40 PCs each.

      I created an alias with the IPs of the PCs in each lab:

      Alias1 has the IPs of computers in Lab1

      Alias2 has the IPs of computers in Lab2

      Alias3 has the IPs of computers in Lab3

      Alias4 has the IPs of computers in Lab4

      Alias5 has the IPs of computers in Lab5

      Now I want to block or allow Internet access for selected labs… How can I do that?

      For example:

      I just want Lab1 to have access to the Internet for now... other labs shouldn't have access to the Internet...

      and I can change anytime which lab should have Internet access.

      HOW? Thanks

        P3R

        Go to Firewall, Rules in the web admin interface and select the internal interface to which the labs are connected. Maybe it's the LAN interface?

        Then add allow rules (Action: Pass) where each of the aliases is used as the source address. On the labs that currently shouldn't have internet access, you tick the Disable this rule box.

        At the bottom of the same page you add a reject rule for all traffic on the network.

        Later, when you want to change which labs should or should not have internet access, you only need to edit the rule in question and toggle the Disable this rule box.

          noriel

          @P3R:

          At the bottom of the same page you add a reject rule for all traffic on the network.

          I don't get this one.

          You mean I'll create another rule to block all traffic?

          Thanks

            P3R

            @noriel:

            I don't get this one.

            You mean I'll create another rule to block all traffic?

            Exactly, and it should be placed below all of the allow rules (disabled or not).

              KOM

              From what I recall, isn't there a hidden Default Deny rule that sits at the bottom of the interface's ruleset?

                P3R

                @KOM:

                From what I recall, isn't there a hidden Default Deny rule that sits at the bottom of the interface's ruleset?

                I think so too, but there are advantages to adding a reject rule anyway (at least on internal interfaces):
                1. A reject rule makes workstations aware that the traffic was blocked instead of the session only timing out.
                2. It is more intuitive.
                3. When you want to log the blocked traffic for troubleshooting, you already have the rule present and only need to toggle the log option.
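The rule layout discussed in this thread, modelled as an added example (not pfSense code and not written by any of the posters): rules on the interface are checked top-down, the first enabled match wins, and a final reject rule catches everything else. The alias subnets are constructed sample values, and `Rule`, `evaluate` and `lan_rules` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alias contents; the thread does not give the labs' real addresses.
ALIASES = {
    "Alias1": [ip_network("192.168.1.0/26")],
    "Alias2": [ip_network("192.168.2.0/26")],
    "Alias3": [ip_network("192.168.3.0/26")],
}

@dataclass
class Rule:
    action: str             # "pass" or "reject"
    source: str             # alias name, or "any"
    disabled: bool = False  # models the "Disable this rule" box

def matches(rule: Rule, src: str) -> bool:
    if rule.source == "any":
        return True
    return any(ip_address(src) in net for net in ALIASES[rule.source])

def evaluate(rules: list[Rule], src: str) -> str:
    """Top-down evaluation: the first enabled rule that matches decides."""
    for rule in rules:
        if not rule.disabled and matches(rule, src):
            return rule.action
    # Nothing matched: the hidden default deny applies and the packet is
    # dropped, so the client only sees its session time out.
    return "drop"

def lan_rules(enabled_labs: set[str]) -> list[Rule]:
    """One pass rule per alias (disabled unless selected), then reject-all last."""
    rules = [Rule("pass", name, disabled=name not in enabled_labs)
             for name in ALIASES]
    rules.append(Rule("reject", "any"))
    return rules

if __name__ == "__main__":
    rules = lan_rules({"Alias1"})
    for host in ("192.168.1.10", "192.168.2.10"):
        print(host, evaluate(rules, host))
```

Changing which lab is online is then only a matter of flipping `disabled` on that lab's pass rule; the reject rule at the bottom never moves.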