Blocking Internet Access for a Device



  • Hello

    I have a machine in my network; it has a static IP and a static MAC, so either can work.
    I need to block ALL types of internet access for this device: the device shouldn't access the internet, and nothing from the internet should be able to access this device.

    But all other devices in my network should see this machine, and this machine should see everyone else in my own network.

    I tried to do this using firewall rules like TCP/IP and ALL ports from this IP to WAN denied, from WAN to this device denied, etc.
    But none worked.

    What should I do? Is it even possible? If yes, how? Please advise.
    Thanks



  • Of course it is possible if you have a static IP for that device.

    I assume you have only one LAN; if not, you need to change the rule to allow access to the other LANs (use an alias …) or add in front of this rule one pass rule for that device to the other LANs.

    Just add a rule to that LAN that will cut all traffic from that IP when it exits the LAN (traffic inside that LAN will not go to the firewall):

    Action - block
    Interface - LAN name
    TCP/IP Version - IPv4/6
    Protocol - any
    Source - single host or alias - enter device IP
    Destination - any

    Save and clear firewall states, done.

    To cut traffic from the internet you can make another rule on WAN with destination set to that IP... in case you have open ports.



  • Thank you! But I tried that already; it just doesn't work.

    I have WAN, LAN, OPT1, OPT2. I have pfSense SG-2440.

    The device I'm talking about is in the OPT1 range. I want the device in OPT1 to be able to see everything in LAN and OPT2, and LAN and OPT2 to see the device inside OPT1. But the device in OPT1, 192.168.4.22, shouldn't see the internet.

    I can't get this done!


  • LAYER 8 Netgate

    So we can get a better idea what you're doing, what are the rules on OPT1?

    There are a couple different ways to do this. Which way is better depends.



  • Assuming you don't have some special rules in your LANs, add these rules at the top of the OPT1 rules.

    1 - will allow traffic from 192.168.4.22 to LAN
    Action - allow
    Interface - OPT1
    TCP/IP Version - IPv4/6
    Protocol - any
    Source - single host or alias - enter device IP 192.168.4.22
    Destination - LAN

    2 - will allow traffic from 192.168.4.22 to OPT2
    Action - allow
    Interface - OPT1
    TCP/IP Version - IPv4/6
    Protocol - any
    Source - single host or alias - enter device IP 192.168.4.22
    Destination - OPT2

    3 - will block traffic from 192.168.4.22 to any destination
    Action - block
    Interface - OPT1
    TCP/IP Version - IPv4/6
    Protocol - any
    Source - single host or alias - enter device IP 192.168.4.22
    Destination - any

    Save and clear firewall states, done.

    p.s.
    You can merge rules 1 and 2 into a single rule if you use an alias with the LAN and OPT2 networks as the destination.
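As an added illustration (not code from any poster in this thread), here is a small Python model of pfSense's top-down, first-match rule evaluation on the OPT1 interface, applied to the three rules above and to the single-alias variant from the p.s. The LAN and OPT2 subnets, the test destinations and the trailing "allow OPT1 to any" rule that the device was presumably already using are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets: the thread names the interfaces but only gives the
# device address, so the LAN and OPT2 prefixes here are assumptions.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT2": ipaddress.ip_network("192.168.3.0/24"),
}
DEVICE = ipaddress.ip_address("192.168.4.22")
INTERNET = ipaddress.ip_address("203.0.113.10")  # constructed public address


@dataclass
class Rule:
    action: str          # "pass" or "block"
    source: object       # a single host address, or None for "any"
    dest: list           # destination networks; empty list means "any"

    def matches(self, src, dst):
        if self.source is not None and src != self.source:
            return False
        return not self.dest or any(dst in net for net in self.dest)


def evaluate(rules, src, dst):
    """Interface rules are read top-down and the first match wins;
    traffic matching no rule hits pfSense's implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"


# Rules 1-3 from the answer, placed above the pre-existing allow rule (assumed).
OPT1_RULES = [
    Rule("pass", DEVICE, [NETS["LAN"]]),
    Rule("pass", DEVICE, [NETS["OPT2"]]),
    Rule("block", DEVICE, []),
    Rule("pass", None, []),
]

# The p.s. variant: one pass rule whose destination alias holds both networks.
OPT1_RULES_ALIAS = [
    Rule("pass", DEVICE, [NETS["LAN"], NETS["OPT2"]]),
    Rule("block", DEVICE, []),
    Rule("pass", None, []),
]


def check(rules):
    ip = ipaddress.ip_address
    return {
        "device_to_lan": evaluate(rules, DEVICE, ip("192.168.1.10")),
        "device_to_opt2": evaluate(rules, DEVICE, ip("192.168.3.10")),
        "device_to_internet": evaluate(rules, DEVICE, INTERNET),
        "other_host_to_internet": evaluate(rules, ip("192.168.4.50"), INTERNET),
    }
```

Putting rule 3 above rules 1 and 2 would cut the device off from LAN and OPT2 as well, which is why the order given in the answer matters.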



  • Thank you very much!
    It did the job!

