Netgate Discussion Forum
    Help - PFsense is not blocking traffic to a specific IP

    Firewalling
    7 Posts 4 Posters 3.1k Views
    luismoed

      Hi,

      I think I am likely doing something wrong, but I cannot find the root cause.
      I do have a few interfaces up and running; my main intention is to block users from accessing the pfSense web GUI (and SSH).
      I followed the tutorial to block access to "This Firewall", which effectively blocks access to the PFS.
      The problem is, people can still access it from another subnet.
      In my case:
      subnet 192.168.10.0/24 --> LAN interface --> 192.168.10.1 is the PFSense IP address on this interface
      subnet 192.168.20.0/24 --> WLAN interface --> 192.168.20.1 is the PFSense IP address on this interface
      subnet 192.168.30.0/24 --> BTTV interface --> 192.168.30.1 is the PFSense IP address on this interface

      I can effectively block (reject) all users from LAN (192.168.10.1) from accessing PFS on the address 192.168.10.1, but all of them can access pfSense on 192.168.20.1 or X.X.30.1.
      Likewise, I can block all users from X.X.20.0/24 from accessing X.X.20.1, but all of them can access X.X.10.1 or X.X.30.1, and so on for all other interfaces...
      Also, what is even more strange to me: I do have rules to block the traffic between the networks, so a user on X.X.10.0/24 cannot access anyone on X.X.20.0/24 or X.X.30.0/24, EXCEPT for the PFS IP.
      I even tried to deliberately block THE IP address 192.168.30.1 on the source network (for example the WLAN - X.X.20.0/24), but the clients are still able to log on to PFS (on 192.168.30.1), even though that IP is explicitly blocked on the very first line of the config.
      Everything else is working as intended.

      I do have squid and squidguard installed, but I am not sure if they would influence this at all....

      Any ideas/hints?

      Thanks!

      P.S. Meanwhile, I just did a test and tried to access my WAN IP address... guess what... I CAN CONNECT THERE (and get the pfSense login page) when the traffic starts inside the network (pfSense is also the PPPoE client to BT), but once I tried to connect from an outside network (thankfully) the traffic is blocked...

      mer

        Screenshots of firewall rules for all defined interfaces (don't forget any floating rules) would help.
        If you are trying this with traffic that is already established, it may be passing because of state information. Under Diagnostics -> Show States there is a "reset states" option that will clear existing states. That may help.

        johnpoz (LAYER 8 Global Moderator)

          Rules are evaluated from the top down on the interface the traffic would enter pfsense.

          If you want to block access to pfsense interfaces, then use the firewall alias in the dropdown.

          Example: my wlan guest can ping the interface to validate they are connected. But other than that they cannot talk to any IP at all on pfSense, be it wan, lan, whatever. Then they can talk to any IP they want as long as it's not an RFC1918 address, i.e. the internet.

          And yes a screenshot of your rules would be most helpful.

          [Attachment: wlanguestrules.png]

          luismoed

            Hi,

            Thanks for the initial input.
            Please have a look at the FW rules.
            To make it clear: LAN = 192.168.10.0/24, wireless = 192.168.20.0/24

            Any ideas?

            Thanks again!

            luismoed

              Anyone? Any idea?
              HELP  :) !

            KOM

                John basically told you what to do.  Add a firewall rule at the top on each interface that blocks access to This Firewall.  Rules are processed top-down, first-match.  He has an allow rule on top to allow pinging.  Next is the block for pfSense and last is an allow for everything non-private.

            luismoed

                  EDIT:
                  It is working NOW, but I had to open port 53 (UDP) in order to have DNS working.

                  Thank you all

                  -------------------------------------------------

                  OOPS!!!!
                  I missed it. I hadn't paid enough attention to the first sentence!
                  "Rules are evaluated from the top down on the interface the traffic would enter pfsense."

                  It is working now!

                  Thank you all for the help! :)

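Added example (not code from the thread or from pfSense): a small Python model of the top-down, first-match evaluation on the ingress interface that johnpoz and KOM describe, including the UDP/53 exception luismoed needed for DNS. The interface names, the alias names `this_firewall` and `!rfc1918`, and the rule tuples are assumptions built from the subnets given in the thread; 198.51.100.5 is a constructed test address.

```python
import ipaddress
from typing import NamedTuple

# Constructed model (not pfSense code) of pfSense-style rule evaluation:
# top-down, first match wins, on the interface the packet ENTERS.
# Subnets follow the thread: LAN .10.0/24, WLAN .20.0/24, BTTV .30.0/24.
FIREWALL_IPS = {"192.168.10.1", "192.168.20.1", "192.168.30.1"}  # "This Firewall"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Packet(NamedTuple):
    iface: str          # interface the packet arrives on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 = not applicable

def match_dst(rule_dst, pkt):
    """Destination match for the aliases used in the thread."""
    if rule_dst == "this_firewall":          # any address owned by pfSense
        return pkt.dst in FIREWALL_IPS
    if rule_dst == "!rfc1918":               # "not private", i.e. the internet
        return not any(ipaddress.ip_address(pkt.dst) in n for n in RFC1918)
    return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule_dst)

def evaluate(rules, pkt):
    """Return 'pass' or 'block' for pkt using only the rules of its own
    ingress interface; anything no rule passes hits the default deny."""
    for action, proto, dst, dport in rules.get(pkt.iface, []):
        if proto != "any" and proto != pkt.proto:
            continue
        if dport and dport != pkt.dport:
            continue
        if match_dst(dst, pkt):
            return action
    return "block"

# Rule order KOM describes, plus the UDP/53 hole luismoed needed for DNS.
WLAN_RULES = {"WLAN": [
    ("pass",  "icmp", "192.168.20.1/32", 0),   # ping this interface only
    ("pass",  "udp",  "this_firewall",   53),  # DNS to pfSense
    ("block", "any",  "this_firewall",   0),   # every other pfSense IP/port
    ("pass",  "any",  "!rfc1918",        0),   # internet only
]}

# luismoed's original layout: the block sits on BTTV, but WLAN traffic to
# 192.168.30.1 enters on WLAN, so the BTTV rule never sees it.
MISPLACED_RULES = {"BTTV": [("block", "any", "192.168.30.1/32", 0)],
                   "WLAN": [("pass", "any", "0.0.0.0/0", 0)]}
```

Run `evaluate(WLAN_RULES, Packet("WLAN", "192.168.20.50", "192.168.30.1", "tcp", 443))` and the same packet against `MISPLACED_RULES` to see the difference between a block on the ingress interface and one on the wrong interface.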
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.