Netgate Discussion Forum

    Permit only two specified IPs and block/deny the rest on LAN.

    Category: Firewalling
    5 Posts 2 Posters 739 Views
    • cmutwiwa

      Hi guys,
      I need to permit only two IP addresses on LAN and deny / block the rest.
      Is this possible and if yes how?

      • johnpoz (LAYER 8 Global Moderator)

        Simple rule on your lan to allow the 2 IPs you want outbound access to where you want them to go, then a block rule to block where you don't want anyone else to go.

        Do you need a picture?  Please post up your current LAN rules. What IPs do you want to allow and to what?  Any or just http/https?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • cmutwiwa

          Thanks johnpoz,
          I need to allow only two IPs, 192.168.0.210 & 192.168.0.211, access to the internet. I need to completely block / deny the rest access to the internet.
          How do I implement this rule?
          Kindly guide.

          Regards

          • johnpoz (LAYER 8 Global Moderator)

            Well you could put those 2 IPs in an alias and then use the alias as your source.  Or you could put them in 2 different rules.

            So for example this would accomplish what you want.  I put the rules on a dummy interface so as not to blow up my own network.  You would remove the default any any rule or edit it for one of these IPs and then add your block.  See the attachment as an example.

            Keep in mind there is an anti-lockout rule on your LAN that should allow you access to the pfSense webGUI, etc.

            If you post your current rules, and then your rules to allow and block the rest, we can validate everything looks ok.  If you're going to want other IPs to query pfSense for DNS we would have to allow for that as well.

            Rules are evaluated from top down, inbound into the interface - the first rule that triggers wins.  So in this example if .210 was going to say 8.8.8.8 that first rule would match and traffic would be allowed.  If say .212 was going to 8.8.8.8 the first 2 rules would not fire and it would be blocked.

            Now keep in mind there is a default block rule and that last block rule I put in is not really needed.  But it helps with understanding the process.  It is there by default, just not shown - all traffic is blocked if not allowed on all interfaces.  But this way it's easy to see exactly what will happen by looking at the rules.

            [attachment: allow2blockevery.png]


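The evaluation order johnpoz describes (top down, first match wins, implicit default block) can be checked without touching a live firewall. The simulation below is an added example, not pfSense code or anyone's rules from this thread; the alias name "AllowedHosts", the 192.168.0.0/24 LAN and the rule descriptions are constructed to mirror the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed alias holding the two permitted LAN hosts from the thread.
ALIASES = {"AllowedHosts": ["192.168.0.210", "192.168.0.211"]}


@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: str           # alias name, single IP, CIDR, or "any"
    dst: str           # single IP, CIDR, or "any"
    descr: str = ""


# Ordered LAN ruleset (constructed): alias as source, then an explicit block
# for everyone else. The block mirrors pfSense's hidden default deny.
LAN_RULES: List[Rule] = [
    Rule("pass", "AllowedHosts", "any", "allow the two hosts out"),
    Rule("block", "192.168.0.0/24", "any", "block everyone else"),
]

# The stock "Default allow LAN to any" rule; left on top it lets everyone out.
DEFAULT_LAN_ALLOW = Rule("pass", "192.168.0.0/24", "any", "Default allow LAN to any")


def _matches(spec: str, addr: str) -> bool:
    """True when addr is covered by spec: 'any', an alias, an IP or a CIDR."""
    if spec == "any":
        return True
    members = ALIASES.get(spec, [spec])
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Top-down, first-match evaluation of inbound traffic on one interface.

    Returns (action, description of the matching rule). When no rule matches,
    the implicit default block applies, as pfSense does on every interface.
    """
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, rule.descr
    return "block", None


if __name__ == "__main__":
    for host in ("192.168.0.210", "192.168.0.212"):
        print(host, "-> 8.8.8.8:", evaluate(LAN_RULES, host, "8.8.8.8"))
    # Forgetting to remove the default allow rule defeats the block entirely.
    print("with default allow on top:", evaluate([DEFAULT_LAN_ALLOW] + LAN_RULES, "192.168.0.212", "8.8.8.8"))
```

Dropping the explicit block rule (`LAN_RULES[:1]`) still yields "block" for .212, which is the default-deny point made in the post.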
            • cmutwiwa

              Thanks a lot johnpoz, this is very helpful, now I'm going to apply this method and post results.

              Thank you again.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.