Block a LAN IP to WAN



  • Hello there,

    I am trying to block some LAN IPs (reserved via MAC address on the DHCP server) from the internet (WAN1 and WAN2), but there is still some traffic.
    Even though IPv6 is inactive on the pfSense DHCP server, devices are still getting IPv6. For the sake of testing I disabled IPv6 on the Windows client machine, but it is still pinging WAN.

    That's what I did in pfSense:
    I created a LAN rule at the top of the list:
    Block
    LAN
    IPv4
    TCP/UDP
    single host or alias = 192.168.0.30
    destination any
    port range any any

    How can I completely disable IPv6 on LAN and completely block LAN IPs from accessing the internet?



  • It sounds like you are saying that there is IPV6 traffic from LAN hitting WAN, is that correct?

    If so, did you try adding a Block any IPV6 from any to any?



  • Post a screenshot of your LAN firewall rules so we can see what you actually did.



  • @mer:

    It sounds like you are saying that there is IPV6 traffic from LAN hitting WAN, is that correct?

    If so, did you try adding a Block any IPV6 from any to any?

    I don't know if the traffic was getting out over IPv6; I only know that it was serving IPv6 even though disabled, and there was traffic even with IPv4 blocked.
    But it should not be that, because I disabled IPv6 on the Windows client machine that I was testing.

    I tried what you said anyway; the screenshots follow…



    ![1 rule.png](/public/imported_attachments/1/1 rule.png)
    ![2 rule.png](/public/imported_attachments/1/2 rule.png)



  • Your rules are only blocking TCP and UDP traffic.  Both IPV4 and IPV6 have other types of traffic (ICMP is a big one).  On the Protocol dropdown there should be an "any" option.

    You can also grab a packet capture and see what the traffic is;  that will help you write targeted rules.



  • @KOM:

    Post a screenshot of your LAN firewall rules so we can see what you actually did.

    I posted the LAN rules in another reply. Now follow my 2 LAN failover rules:

    ![rules wan.png](/public/imported_attachments/1/rules wan.png)
    ![fail 1.png](/public/imported_attachments/1/fail 1.png)
    ![fail 2.png](/public/imported_attachments/1/fail 2.png)



  • @mer:

    Your rules are only blocking TCP and UDP traffic.  Both IPV4 and IPV6 have other types of traffic (ICMP is a big one).  On the Protocol dropdown there should be an "any" option.

    You can also grab a packet capture and see what the traffic is;  that will help you write targeted rules.

    Hmmm… I thought IPv4 solved it all... OK, thank you very much.
    But wouldn't blocking ANY protocol in the LAN rule end up blocking LAN to LAN?
    I only want to block going out to the internet.



  • If you want to allow IPV4 LAN to LAN, then there will need to be some tweaking there.  Basically you want a rule along the lines of:

    block from <allowed ip> to ! LAN_alias

    that semantic implies "pass everything from that IP to only other LAN networks"

    If you don't want IPV6 going anywhere, that's what a "block any IPV6 traffic from any to any" should do.
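
An added example, not from the thread and not pfSense code: a small Python model of the first-match rule evaluation pfSense performs on the LAN tab. It runs the three rule shapes discussed above (the original TCP/UDP-only block, a protocol "any" block with destination "any", and the suggested block to `! LAN_alias` plus a block of all IPv6) over the same constructed packets, so you can see why ICMP slipped past the first attempt, why the second one also cuts off routed traffic to other local subnets, and what the suggested rules let through. The alias contents, the two subnets, the sample addresses (RFC 5737 / RFC 4193 / RFC 3849 ranges) and the "any" source on the stock IPv6 pass rule are assumptions made for the model.

```python
"""Toy model of pfSense LAN rule evaluation (not pf itself, not pfSense code).

pfSense generates "quick" pf rules: the first rule that matches decides the
packet, and anything unmatched hits the implicit default deny. The stock LAN
tab ends with "Default allow LAN to any" pass rules, reproduced here last.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed contents of an alias "LAN_alias": every local subnet routed by pfSense.
LAN_ALIAS = (ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "icmp", "icmpv6", ...

    @property
    def family(self) -> str:
        return "inet6" if ip_address(self.src).version == 6 else "inet"


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    family: str = "any"         # "inet" (IPv4), "inet6" (IPv6) or "any"
    protos: tuple = ()          # () == Protocol "any"; else e.g. ("tcp", "udp")
    src: str = "any"            # single host / CIDR, or "any"
    dst: tuple = ()             # () == Destination "any"; else networks
    dst_invert: bool = False    # the "not" checkbox: match when dst is OUTSIDE `dst`
    label: str = ""


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a.version == n.version and a in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.family != "any" and rule.family != pkt.family:
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.src != "any" and not _in_any(pkt.src, [ip_network(rule.src, strict=False)]):
        return False
    # dst_invert=False: dst must be inside `dst`; dst_invert=True: must be outside
    if rule.dst and _in_any(pkt.dst, rule.dst) == rule.dst_invert:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """First match wins; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


# Stock LAN pass rules. On a real box the IPv6 rule's source is "LAN net";
# modelled as "any" here (assumption).
DEFAULT_ALLOW = (
    Rule("pass", "inet", src="192.168.0.0/24", label="Default allow LAN to any"),
    Rule("pass", "inet6", label="Default allow LAN IPv6 to any"),
)

# 1. Original rule: Block / IPv4 / TCP/UDP / src 192.168.0.30 / dst any.
#    ICMP and all IPv6 are not TCP/UDP, so they fall through to the pass rules.
ATTEMPT_TCP_UDP = (
    Rule("block", "inet", ("tcp", "udp"), "192.168.0.30", label="block .30 TCP/UDP"),
) + DEFAULT_ALLOW

# 2. Protocol "any", destination "any": catches ICMP, but also blocks routed
#    traffic from .30 to other local subnets. (Same-subnet traffic never reaches
#    the firewall, so it is unaffected by any of these rules.)
ATTEMPT_ANY_DST = (
    Rule("block", "inet", src="192.168.0.30", label="block .30 any to any"),
) + DEFAULT_ALLOW

# 3. Suggested shape: block all IPv6, and block .30 to "! LAN_alias" so only
#    destinations outside the local networks are denied.
SUGGESTED = (
    Rule("block", "inet6", label="block IPv6 any to any"),
    Rule("block", "inet", src="192.168.0.30", dst=LAN_ALIAS, dst_invert=True,
         label="block .30 to ! LAN_alias"),
) + DEFAULT_ALLOW

# Constructed sample traffic from the blocked host (.30) and a neighbour (.40).
PACKETS = {
    "ping_wan":  Packet("192.168.0.30", "203.0.113.10", "icmp"),
    "http_wan":  Packet("192.168.0.30", "203.0.113.10", "tcp"),
    "other_lan": Packet("192.168.0.30", "192.168.1.20", "tcp"),
    "ipv6_out":  Packet("fd00::30", "2001:db8::1", "icmpv6"),
    "peer_wan":  Packet("192.168.0.40", "203.0.113.10", "tcp"),
}


def verdicts(rules) -> dict:
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, rules in [("TCP/UDP only", ATTEMPT_TCP_UDP),
                        ("any proto, dst any", ATTEMPT_ANY_DST),
                        ("suggested", SUGGESTED)]:
        print(f"{name:20s} {verdicts(rules)}")
```

Two things the model leaves out that matter on a real firewall: a newly added block rule does not terminate pf states that already exist, so a ping or connection that was running before the rule was saved keeps flowing until the states are reset (Diagnostics > States in the pfSense GUI), and the rules pfSense actually loaded can be inspected from a shell with `pfctl -sr`, which is the quickest way to confirm the protocol really is "any" and the destination really is negated.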



  • But wouldn't blocking ANY protocol in the LAN rule end up blocking LAN to LAN?

    Inter-LAN traffic doesn't even hit the router.



  • @mer:

    If you want to allow IPV4 LAN to LAN, then there will need to be some tweaking there.  Basically you want a rule along the lines of:

    block from <allowed ip> to ! LAN_alias

    that semantic implies "pass everything from that IP to only other LAN networks"

    If you don't want IPV6 going anywhere, that's what a "block any IPV6 traffic from any to any" should do.

    Sorry, I didn't understand.
    Do I keep this rule I just did: block / IPv4 / any to any

    and create another one below it?



  • @KOM:

    But wouldn't blocking ANY protocol in the LAN rule end up blocking LAN to LAN?

    Inter-LAN traffic doesn't even hit the router.

    OK, thank you!

