    Block a LAN IP to WAN

    Firewalling
    • H
      henriqueweis last edited by

      Hello there,

      I am trying to block some LAN IPs (reserved via MAC address on the DHCP server) from the internet (WAN1 and WAN2), but there is still some traffic.
      Even though IPv6 is inactive on the pfSense DHCP server, devices are still getting IPv6. For the test's sake I disabled IPv6 on the Windows client machine, but it is still pinging WAN.

      This is what I did in pfSense:
      created a LAN rule at the top of the list:
      Block
      LAN
      IPv4
      TCP/UDP
      single host or alias = 192.168.0.30
      destination any
      port range any any

      How can I completely disable IPv6 on LAN and completely block LAN IPs from accessing the internet?

      • M
        mer last edited by

        It sounds like you are saying that there is IPv6 traffic from LAN hitting WAN, is that correct?

        If so, did you try adding a "Block any IPv6 from any to any"?

        • KOM
          KOM last edited by

          Post a screenshot of your LAN firewall rules so we can see what you actually did.

          • H
            henriqueweis last edited by

            @mer:

            It sounds like you are saying that there is IPv6 traffic from LAN hitting WAN, is that correct?

            If so, did you try adding a "Block any IPv6 from any to any"?

            I don't know if the traffic was getting out via IPv6; I only know that it was serving IPv6 even though it was disabled, and there was traffic even with IPv4 blocked.
            But it should not be that, because I disabled IPv6 on the Windows client machine that I was testing with.

            I tried what you said anyway; see the screenshots…

            ![1 rule.png](/public/imported_attachments/1/1 rule.png)
            ![2 rule.png](/public/imported_attachments/1/2 rule.png)

            • M
              mer last edited by

              Your rules are only blocking TCP and UDP traffic. Both IPv4 and IPv6 have other types of traffic (ICMP is a big one). On the Protocol dropdown there should be an "any" option.

              You can also grab a packet capture and see what the traffic is; that will help you write targeted rules.

              • H
                henriqueweis last edited by

                @KOM:

                Post a screenshot of your LAN firewall rules so we can see what you actually did.

                I posted the LAN rules in another reply. Now here are my 2 LAN failover rules:

                ![rules wan.png](/public/imported_attachments/1/rules wan.png)
                ![fail 1.png](/public/imported_attachments/1/fail 1.png)
                ![fail 2.png](/public/imported_attachments/1/fail 2.png)

                • H
                  henriqueweis last edited by

                  @mer:

                  Your rules are only blocking TCP and UDP traffic. Both IPv4 and IPv6 have other types of traffic (ICMP is a big one). On the Protocol dropdown there should be an "any" option.

                  You can also grab a packet capture and see what the traffic is; that will help you write targeted rules.

                  Hmmm… I thought IPv4 solved it all. OK, thank you very much.
                  But wouldn't blocking ANY protocol on the LAN rule end up blocking LAN to LAN?
                  I only want to block going out to the internet.

                  • M
                    mer last edited by

                    If you want to allow IPv4 LAN to LAN, then there will need to be some tweaking there. Basically you want a rule along the lines of:

                    block from <allowed ip> to ! LAN_alias

                    That semantic implies "pass everything from that IP to only other LAN networks".

                    If you don't want IPv6 going anywhere, that's what a "block any IPv6 traffic from any to any" should do.

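To make the two points from mer's replies concrete (protocol "any" rather than TCP/UDP, and a "! LAN net" destination so the host can still reach things on its own subnet), here is an added example that is not from the thread and not pfSense code: a small Python model of pf's first-match rule evaluation, run over the rules as posted and over the corrected rules. The subnet 192.168.0.0/24, the gateway 192.168.0.1 and the outside addresses are assumed for the example; only 192.168.0.30 comes from the original post.

```python
"""First-match evaluation of LAN-tab rules, modelled on how pfSense/pf
processes them. Added example for this thread, not pfSense code. The subnet,
gateway and outside addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

LAN_NET = ipaddress.ip_network("192.168.0.0/24")     # assumed LAN subnet
BLOCKED_HOST = ipaddress.ip_address("192.168.0.30")  # host from the thread
ANY = frozenset({"any"})


@dataclass
class Rule:
    action: str                       # "block" or "pass"
    af: str                           # "inet", "inet6" or "any"
    protos: FrozenSet[str]            # e.g. {"tcp", "udp"}, or ANY
    src: Optional[object] = None      # single source address, None = any
    dst_net: Optional[object] = None  # destination network, None = any
    dst_negate: bool = False          # True models "! LAN net" in the GUI


@dataclass
class Packet:
    af: str
    proto: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Do this rule's criteria match the packet?"""
    if rule.af != "any" and rule.af != pkt.af:
        return False
    if rule.protos != ANY and pkt.proto not in rule.protos:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) != rule.src:
        return False
    if rule.dst_net is not None:
        in_net = ipaddress.ip_address(pkt.dst) in rule.dst_net
        if in_net == rule.dst_negate:  # "!" inverts the destination test
            return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins (pfSense GUI rules are 'quick' rules);
    a packet matching nothing falls through to pf's default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Rules as posted in the thread, top to bottom: an IPv4 TCP/UDP-only block,
# then the stock "Default allow LAN to any" rules for IPv4 and IPv6.
# Rough pf equivalent of the first rule (illustrative):
#   block in quick on $LAN inet proto { tcp udp } from 192.168.0.30 to any
AS_POSTED = [
    Rule("block", "inet", frozenset({"tcp", "udp"}), src=BLOCKED_HOST),
    Rule("pass", "inet", ANY),
    Rule("pass", "inet6", ANY),
]

# Corrected: protocol "any", destination "! LAN net", and a block-all for
# IPv6 placed above the default allow rules. Rough pf equivalents:
#   block in quick on $LAN inet6 all
#   block in quick on $LAN inet from 192.168.0.30 to ! 192.168.0.0/24
CORRECTED = [
    Rule("block", "inet6", ANY),
    Rule("block", "inet", ANY, src=BLOCKED_HOST, dst_net=LAN_NET, dst_negate=True),
    Rule("pass", "inet", ANY),
    Rule("pass", "inet6", ANY),
]

# Constructed test traffic from the blocked host (and one other LAN host).
PACKETS = {
    "ping_internet":    Packet("inet", "icmp", "192.168.0.30", "203.0.113.10"),
    "https_internet":   Packet("inet", "tcp", "192.168.0.30", "203.0.113.10"),
    "ping_gateway":     Packet("inet", "icmp", "192.168.0.30", "192.168.0.1"),
    "ping6_internet":   Packet("inet6", "icmp6", "2001:db8:1::30", "2001:db8:2::1"),
    "other_host_https": Packet("inet", "tcp", "192.168.0.40", "203.0.113.10"),
}


def verdicts(rules) -> dict:
    """Verdict per packet name for a given rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, verdicts(rules))
```

The posted rule set lets the ICMP echo from 192.168.0.30 to the outside through (the block rule never matches ICMP, so the default allow rule passes it) and passes IPv6 as well; the corrected set blocks both but still passes the ping to the gateway, because the "!" destination excludes the LAN subnet from the block. The "! LAN net" destination only matters for traffic addressed to pfSense itself (DNS, DHCP, a ping to the gateway); switched LAN-to-LAN traffic never crosses the firewall. On a real box the equivalent check is the packet capture mer suggests, Diagnostics > Packet Capture on the LAN interface, or `tcpdump -ni <lan_if> host 192.168.0.30` from a shell with your own interface name substituted.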
                    • KOM
                      KOM last edited by

                      But wouldn't blocking ANY protocol on the LAN rule end up blocking LAN to LAN?

                      Inter-LAN traffic doesn't even hit the router.

                      • H
                        henriqueweis last edited by

                        @mer:

                        If you want to allow IPv4 LAN to LAN, then there will need to be some tweaking there. Basically you want a rule along the lines of:

                        block from <allowed ip> to ! LAN_alias

                        That semantic implies "pass everything from that IP to only other LAN networks".

                        If you don't want IPv6 going anywhere, that's what a "block any IPv6 traffic from any to any" should do.

                        Sorry, I didn't understand.
                        Do I keep this rule I just made: block / IPv4 / any to any

                        and create another one below it?

                        • H
                          henriqueweis last edited by

                          @KOM:

                          But wouldn't blocking ANY protocol on the LAN rule end up blocking LAN to LAN?

                          Inter-LAN traffic doesn't even hit the router.

                          OK, thank you!
