Netgate Discussion Forum

    Simply deny access to internet for a client

      boppzoli

      Hi everybody!
      I've been using pfSense for about 6 months and I love it. I have a Dual WAN setup with static IPs on the WAN and OPT1 interfaces.
      I have a problem. I don't know how I can deny access to the internet for an IP or for a MAC address. It is very important to me to periodically deny access to the internet to some IPs.
      How can I do this in the simplest way? I tried captive portal but it does not work with a load balance setup …
      I think that squid does not work with a dual WAN (load balance) setup, either.
      I have about 60 clients behind the pfSense box and really want to deny access to the internet in some cases for a specific IP or IP range ...
      Please help me to solve this problem.  :'(
      Thank you very much in advance!

        GruensFroeschli

        1: Create an alias with all the IPs you want blocked.

        2: Create on LAN (or on whichever interface your clients are on) a block rule ABOVE your pass rule, with your alias as the source.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          boppzoli

          Hi!
          It is fantastic!
          Thank you very much!  :-*    ;D
          pfSense is the best !!!  -  YEAH

            angelcat

            I am a newbie to pfSense too. The version I'm using now is pfSense 1.2 release.
            I had blocked internet through LAN and it was quite OK at the beginning, but in the last few days I found people using the internet when the internet block was active.
            The funny thing is I can't ping or tracert, but it can go online to any website.
            What can I do to solve this?

              hoba

              Make sure the client still has the same IP that it had when you added the block.

              Another option to block clients at LAN is enabling the captive portal, btw. You can whitelist clients that don't need authentication either by IP or MAC address this way. All other clients will be caught by the captive portal page, so you could even temporarily log them in by entering a username and password if you need it for installing an upgrade, for example.

                angelcat

                I am very sure the IP was correct… I can't ping any website, but I can still access the websites I ping. Since I have to find out where they go, I ran tracert to websites like Google; it can't get any signal, but it can still search on Google in a web browser.

                  hoba

                  Maybe you only have blocked protocol ICMP in your rule?

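The checks suggested so far in this thread (block rule above the pass rule, client still on the aliased IP, block rule not limited to ICMP) can be reproduced with a small model of top-down, first-match rule evaluation. This is an added example, not code from any poster or from pfSense; the addresses, the alias contents and the `evaluate`/`audit` helpers are constructed for illustration, and the model ignores NAT, schedules and proxy redirects.

```python
from ipaddress import ip_address, ip_network

# Constructed alias of clients that should have no internet access.
BLOCKED = [ip_network("192.168.1.50/32"), ip_network("192.168.1.64/28")]
ANY = [ip_network("0.0.0.0/0")]

def rule(action, proto, sources):
    """One interface rule: action, protocol ('any' or a name), source networks."""
    return {"action": action, "proto": proto, "sources": sources}

def evaluate(rules, src, proto):
    """Walk the rules top-down; the first match decides. No match means block."""
    ip = ip_address(src)
    for r in rules:
        proto_ok = r["proto"] in ("any", proto)
        if proto_ok and any(ip in net for net in r["sources"]):
            return r["action"]
    return "block"

# Rule sets as they would appear on the LAN tab, top to bottom (constructed).
CORRECT = [rule("block", "any", BLOCKED), rule("pass", "any", ANY)]
WRONG_ORDER = [rule("pass", "any", ANY), rule("block", "any", BLOCKED)]
ICMP_ONLY = [rule("block", "icmp", BLOCKED), rule("pass", "any", ANY)]

def audit(rules, clients, protos=("icmp", "tcp", "udp")):
    """Return every (client, proto) pair that the rule set still lets out."""
    return [(c, p) for c in clients for p in protos
            if evaluate(rules, c, p) == "pass"]

if __name__ == "__main__":
    clients = ["192.168.1.50", "192.168.1.70"]
    for name, rs in [("correct", CORRECT), ("wrong order", WRONG_ORDER),
                     ("icmp only", ICMP_ONLY)]:
        print(f"{name:12} leaks: {audit(rs, clients)}")
    # A blocked client that picked up a new address is no longer in the alias.
    print("new IP .51 :", evaluate(CORRECT, "192.168.1.51", "tcp"))
```

The ICMP-only rule set gives "ping blocked, web still works", and the last line shows why a client that changed its IP slips past an IP-based alias.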
                    angelcat

                    In the rules I block all protocols, and only allow them to go to 2 LAN IPs; 1 is the lecturer PC and 1 is the file server.

                      GruensFroeschli

                      Could you show a screenshot of your rules?

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        angelcat

                        Here are the LAN rules:

                        a.JPG

                          hoba

                          Can you please retest with the schedules for this rule disabled? Does it work then? Though I have to admit that I don't fully understand that rule atm  ;)

                          Also is that destination a single IP or a complete subnet? It has no subnetmask and the IP itself is a network IP, not a host IP.

                            angelcat

                            OK… I tried the 1st rule, which has no scheduler involved ... but same result.

                              angelcat

                              I was using the same settings with the 1.2 beta version without problems. After updating to the 1.2 release version and restoring the config, it hasn't worked until now.

                                angelcat

                                The last thing I tested was disabling the transparent proxy, and then when I connect to the web it times out. Actually it is quite close to what I want… but it can't work with the schedules.
