Permit only two specified IPs and block/deny the rest on LAN.
I need to permit only two IP addresses on LAN and deny / block the rest.
Is this possible, and if yes, how?
A simple rule on your LAN to allow the 2 IPs you want outbound access to where you want them to go, then a block rule to block where you don't want anyone else to go.
Do you need a picture? Please post your current LAN rules. What IPs do you want to allow, and to what? Any, or just HTTP/HTTPS?
I need to allow only two IPs; 192.168.0.210 & 192.168.0.211 access to internet. I need to completely block / deny the rest access to the internet.
How do I implement this rule?
Well, you could put those 2 IPs in an alias and then use the alias as your source. Or you could put them in 2 different rules.
So, for example, this would accomplish what you want. I put the rules on a dummy interface so as not to blow up my own network. You would remove the default any any rule or edit it for one of these IPs and then add your block. See the attachment as an example.
Keep in mind there is an anti-lockout rule on your LAN that should allow you access to the pfSense webGUI, etc.
If you post your current rules, and then your rules to allow and block the rest, we can validate that everything looks OK. If you're going to want other IPs to query pfSense for DNS, we would have to allow for that as well.
Rules are evaluated from the top down, inbound into the interface; the first rule that triggers wins. So in this example, if .210 was going to, say, 184.108.40.206, that first rule would match and traffic would be allowed. If, say, .212 was going to 220.127.116.11, the first 2 rules would not fire and it would be blocked.
Now keep in mind there is a default block rule, and that last block rule I put in is not really needed. But it helps with understanding the process. It is there by default, just not shown: all traffic is blocked if not allowed, on all interfaces. But this way it's easy to see exactly what will happen when looking at the rules.
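The evaluation order described above, as an added example that is not part of the original post or of pfSense itself: a small first-match rule evaluator holding the rule set the reply recommends (anti-lockout, optional DNS to pfSense, the two-host alias to any, explicit block) next to the misconfiguration it warns about (the stock "LAN to any" rule left in place). The two permitted hosts and the example destinations come from the thread; the LAN address 192.168.0.1, the anti-lockout ports and the sample traffic are assumptions constructed for the example.

```python
"""First-match evaluation of pfSense LAN rules, as described in the thread.

Added illustration, not code from the original post or from pfSense.  It
models the behaviour johnpoz explains: rules on an interface are evaluated
top-down against traffic entering that interface, the first rule that
matches wins, and traffic no rule passes is dropped by the implicit default
block.  The two permitted hosts come from the thread; the LAN address
192.168.0.1 and the anti-lockout ports are assumptions, and the traffic
samples are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Alias of the two hosts allowed to reach the internet (from the thread).
ALLOWED_OUT = frozenset({"192.168.0.210", "192.168.0.211"})

LAN_ADDRESS = "192.168.0.1"                 # assumed pfSense LAN IP
ANTI_LOCKOUT_PORTS = frozenset({80, 443})   # webGUI; 22 as well if SSH is enabled


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    description: str
    src: Optional[frozenset] = None          # source alias; None means any
    dst: Optional[str] = None                # single destination; None means any
    proto: Optional[str] = None              # None means any
    dports: Optional[frozenset] = None       # None means any

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst == self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dports is None or p.dport in self.dports))


# Rule order is the whole point: top to bottom, first match wins.
LAN_RULES = [
    # pfSense adds this one itself so you cannot lock yourself out of the GUI.
    Rule("pass", "Anti-Lockout Rule", dst=LAN_ADDRESS, proto="tcp",
         dports=ANTI_LOCKOUT_PORTS),
    # The caveat from the thread: if other hosts use pfSense for DNS, that
    # has to be passed explicitly or they lose name resolution.
    Rule("pass", "Allow LAN to query pfSense DNS", dst=LAN_ADDRESS,
         proto="udp", dports=frozenset({53})),
    # The alias as source, any destination.
    Rule("pass", "Allow .210/.211 to any", src=ALLOWED_OUT),
    # Redundant with the hidden default block; kept so the hit is visible.
    Rule("block", "Block everything else"),
]

# The mistake the thread warns about: the stock "LAN to any" rule not removed.
MISCONFIGURED_RULES = [
    Rule("pass", "Default allow LAN to any rule"),
] + LAN_RULES


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule description) of the first matching rule, or the
    implicit default deny pfSense applies when nothing matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "implicit default deny"


if __name__ == "__main__":
    samples = [  # constructed traffic; destinations taken from the thread
        Packet("192.168.0.210", "184.108.40.206", "tcp", 443),
        Packet("192.168.0.212", "220.127.116.11", "tcp", 443),
        Packet("192.168.0.212", LAN_ADDRESS, "udp", 53),
        Packet("192.168.0.212", LAN_ADDRESS, "tcp", 443),
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {evaluate(LAN_RULES, p)}")
```

Dropping the final block rule changes nothing for .212 except which rule is reported as the match, which is exactly why the reply calls it optional; the misconfigured set shows that a leftover pass-any rule above the alias rule lets every host out regardless of what follows it.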
Thanks a lot johnpoz, this is very helpful. Now I'm going to apply this method and post results.
Thank you again.