Allow/Block Internet Access to selected IPs



  • We have 5 computer laboratories with 30-40 PCs each.

    I created an alias with the IPs of the PCs in each lab:

    Alias1 has the IPs of the computers in Lab1

    Alias2 has the IPs of the computers in Lab2

    Alias3 has the IPs of the computers in Lab3

    Alias4 has the IPs of the computers in Lab4

    Alias5 has the IPs of the computers in Lab5

    Now I want to block or allow Internet access on selected labs… How can I do that?

    For example:

    I just want Lab1 to have access to the Internet for now... the other labs shouldn't have access to the Internet...

    And I can change at any time which lab should have Internet access.

    HOW? Thanks



  • Go to Firewall, Rules in the web admin interface and select the internal interface to which the labs are connected. Maybe it's the LAN interface?

    Then add allow rules (Action: Pass) where each of the aliases is used as the source address. On the rules for the labs that currently shouldn't have internet access, you tick the Disable this rule box.

    At the bottom of the same page, you add a reject rule for all traffic on the network.

    Later, when you want to change which labs should or should not have internet access, you only need to edit the rule in question and toggle the Disable this rule box.



  • @P3R:

    At the bottom of the same page you add a reject rule for all traffic on the network.

    I don't get this one.

    You mean I'll create another rule to block all traffic?

    Thanks



  • @noriel:

    I don't get this one.

    You mean I'll create another rule to block all traffic?

    Exactly, and it should be placed below all of the allow rules (disabled or not).



  • From what I recall, isn't there a hidden Default Deny rule that sits at the bottom of the interface's ruleset?



  • @KOM:

    From what I recall, isn't there a hidden Default Deny rule that sits at the bottom of the interface's ruleset?

    I think so too, but there are advantages to adding a reject rule anyway (at least on internal interfaces):
    1. A reject rule makes workstations aware that the traffic was blocked instead of the session just timing out.
    2. It is more intuitive.
    3. When, for troubleshooting reasons, you want to log the traffic that is blocked, you already have the rule present and only need to toggle the log option.
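As an added example (not code from this thread or from any firewall project), here is a small Python model of the ruleset P3R describes above: one pass rule per lab alias, an explicit reject-all at the bottom, and the "edit the rule and toggle Disable this rule" step, together with the reject-versus-hidden-default-deny point in the last post. The pfSense-style top-down first-match evaluation, the 10.0.x.0/24 lab networks, the sample addresses and every function name are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab aliases (assumption: one /24 per lab). A real alias may hold
# a list of hosts instead; the membership test below works with either.
ALIASES = {
    "Lab1": [ip_network("10.0.1.0/24")],
    "Lab2": [ip_network("10.0.2.0/24")],
    "Lab3": [ip_network("10.0.3.0/24")],
    "Lab4": [ip_network("10.0.4.0/24")],
    "Lab5": [ip_network("10.0.5.0/24")],
}


@dataclass
class Rule:
    action: str            # "pass", "block" (silent drop) or "reject" (drop + RST/ICMP unreachable)
    source: str            # alias name, or "any"
    disabled: bool = False # the "Disable this rule" checkbox
    log: bool = False      # the per-rule log option
    description: str = ""


def in_alias(src_ip: str, alias: str) -> bool:
    """True if src_ip is covered by the alias ("any" matches everything)."""
    if alias == "any":
        return True
    addr = ip_address(src_ip)
    return any(addr in net for net in ALIASES[alias])


def evaluate(rules, src_ip: str, log_sink=None) -> str:
    """Walk the interface ruleset top to bottom; the first enabled rule whose
    source matches decides (first-match semantics, assumed here). Disabled
    rules are skipped as if they were not there. If nothing matches, the
    hidden default deny applies: a silent drop, reported as "block"."""
    for rule in rules:
        if rule.disabled:
            continue
        if in_alias(src_ip, rule.source):
            if rule.log and log_sink is not None:
                log_sink.append(f"{rule.action} from {src_ip} ({rule.description})")
            return rule.action
    return "block"


def build_lan_rules(labs_with_internet):
    """One pass rule per lab alias (disabled unless the lab is allowed out),
    followed by the explicit reject-all at the bottom of the page."""
    rules = [
        Rule("pass", lab, disabled=lab not in labs_with_internet,
             description=f"{lab} to Internet")
        for lab in ALIASES
    ]
    rules.append(Rule("reject", "any", description="reject everything else"))
    return rules


def toggle_lab(rules, lab: str):
    """Flip the Disable this rule box on the pass rule for one lab."""
    for rule in rules:
        if rule.action == "pass" and rule.source == lab:
            rule.disabled = not rule.disabled
    return rules


def reject_on_top(rules):
    """The same rules with the reject-all moved above the pass rules: the
    misordering to avoid, since first-match then rejects every lab."""
    return [rules[-1]] + rules[:-1]


if __name__ == "__main__":
    rules = build_lan_rules({"Lab1"})
    for ip in ("10.0.1.25", "10.0.2.25"):
        print(ip, "->", evaluate(rules, ip))                       # pass, reject
    toggle_lab(rules, "Lab2")
    print("10.0.2.25 ->", evaluate(rules, "10.0.2.25"))            # pass after the toggle
    print("10.0.1.25 ->", evaluate(reject_on_top(rules), "10.0.1.25"))  # reject: wrong order
    print("10.0.3.1 ->", evaluate(rules[:-1], "10.0.3.1"))         # block: hidden default deny
```

Running the script shows the two things the thread turns on: with the reject-all below the pass rules, only the enabled lab gets "pass" and every other lab gets an explicit "reject", and without the reject rule the same traffic still does not get out, but falls through to the silent default deny instead.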