Simply deny access to internet for a client



  • Hi everybody!
    I'm using pfsense for about 6 months and I love it. I have a Dual Wan setup with static IPs on the WAN and OPT1 interface.
    I have a problem. I don't know how can I deny the access to the internet for an IP or for a MAC address. It is very important to me, periodicallyi to deny access to the internet to some IPs.
    How can I do this, in the simplest way? I tried captive portal but it not works with load balance setup …
    I think that sqid not works with dual wan (load balance) setup , too.
    I hava about 60 clients behind the pfsense box an really want to deny access to the internet in some cases for a spacific IP or IP range ...
    Please help me to solve this problem.  :'(
    Thank you very much in advance!



  • 1: Create an alias with all the IP's you want blocked.

    2: Create on LAN (or on whichever interface your clients are) a block rule ABOVE your pass rule with as source your alias.



  • Hi!
    It is fantastic!
    Thank you very much!  :-*    ;D
    pfSense is the best !!!  -  YEAH



  • i am newbie of pfsense too. version using now is pfsense 1.2release.
    i had block internet through LAN and it quite ok at the beginning. but in this few days i found ppl using internet whn the internet block was active.
    funny thing is i cant ping or tracert but it can go online to any website.
    wat can i do to solve this?



  • Make sure the client still has the same IP that it had when you added the block.

    Another option to block Clients at LAN is enabling the captive portal btw. You can whitelist clients that don't need authentication either by IP or macadress this way. All other clients will be caught by the captive portal page, so you could even temporarily log them in by entering a username and password if you need it for installing an upgrade for example.



  • i very sure the IP was correct…i cant ping any web, but i stil can access those web i ping, since i hv to find out whr thy go therefore i tracert the web like google, it cant get any signal but stil can go on search at google in web browser.



  • Maybe you only have blocked protocol ICMP in your rule?



  • in the rules i block all protocol, and only allow thm go to 2 lan IP, 1 is the lecturer pc and 1 is the file server



  • Could you show a screenshot of your rules?



  • here is the LAN rules




  • Can you please retest with the schedules for this rule disabled? Does it work then? Though I have to admit that I don't fully understand that rule atm  ;)

    Also is that destination a single IP or a complete subnet? It has no subnetmask and the IP itself is a network IP, not a host IP.



  • ok…i had try the 1st rules which is no scheduler involve ...but same result



  • i was using same setting for 1.2 beta version without problem..after update to 1.2 release version n
    restore config and it cant work til now.



  • the last thing i test was disable the transparant proxy.n thn whn i connect to web it time out, actaually it quite close to wat i want….but it cant work wit the schedules


Locked