Cannot block traffic for a specific IP address on the LAN to a specific…


  • Hi All,
    I seem to be having issues with my firewall rules.  I'm trying to do something rather simple but the rules are never working correctly.

    On my LAN I want to block the IP 192.168.1.254 from reaching the destination IP 192.168.2.32 which is on our other site going through OPENVPN.  If I create the following rules on either the LAN or OPENVPN, communications continue to work…

    LAN and OPENVPN rules
    BLOCK
    PROTOCOL: *
    SOURCE: 192.168.1.254
    PORT: *
    DESTINATION: 192.168.2.32
    PORT:*
    GATEWAY: *

    I also tried clearing the system states but that didn't work either.

    Any ideas?  Does this have something to do with the OPENVPN client specific overrides, perhaps that VPN tunnels take precedence over RULES or something with NAT translating the Source and Destination IPs?

    Any help would be appreciated.

  • Try it with a BLOCK rule (right on top of the list) on the LAN interface of the REMOTE router (where the 192.168.2.x is at home…)


  • I just tried that but it doesn't work either.

    I did the following RULES on the other end…

    LAN and OPENVPN rules
    BLOCK
    PROTOCOL: *
    SOURCE: 192.168.1.254
    PORT: *
    DESTINATION: 192.168.2.32
    PORT:*
    GATEWAY: *

    and

    LAN and OPENVPN rules
    BLOCK
    PROTOCOL: *
    SOURCE: 192.168.2.32
    PORT: *
    DESTINATION: 192.168.1.254
    PORT:*
    GATEWAY: *


  • Are you clearing your states between tests?  Firewall rule changes will not affect existing states.


  • I tried clearing the states earlier and just now but it doesn't do anything different.  The OPENVPN tunnel goes down for a few seconds, then my communications start up again.  Very strange stuff!


  • Firewall rules are applied on the interface that the traffic enters, so you would put them on the LAN interface.  Can you post a screenshot of your firewall rule?

  • "On my LAN I want to block the IP 192.168.1.254 from reaching the destination IP 192.168.2.32 which is on our other site going through OPENVPN."

    First, delete EVERYTHING you've done to try to accomplish this. EVERYWHERE.

    Then put this on the LAN interface that 192.168.1.254 is connected to:

    LAN
    BLOCK
    PROTOCOL: *
    SOURCE: 192.168.1.254
    PORT: *
    DESTINATION: 192.168.2.32
    PORT:*
    GATEWAY: *

    That will block NEW CONNECTIONS from 192.168.1.254 to 192.168.2.32

    If you want to block connections coming in from the OpenVPN put this on the OpenVPN Tab (Or the OpenVPN assigned interface tab).

    OpenVPN
    BLOCK
    PROTOCOL: *
    SOURCE: 192.168.2.32
    PORT: *
    DESTINATION: 192.168.1.254
    PORT:*
    GATEWAY: *

    That will block NEW CONNECTIONS from 192.168.2.32 to 192.168.1.254.

    Put both of these rules at the top of the respective rule lists.
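The two points the thread turns on, that a rule is evaluated on the interface a packet enters (so a LAN-originated flow never touches the OpenVPN tab) and that a new block rule does not affect a flow that already has a state entry until that state is cleared, can be seen in a small model of a stateful first-match filter. This is an added illustration, not pfSense or pf code; the interface names, hosts, ports and the "pass any" baseline rules are constructed for the example.

```python
"""Toy model of stateful, first-match (quick) firewall filtering.

Added example: this is NOT pfSense/pf code. It models only what the thread
needs: per-interface rule lists, first matching rule wins, a 5-tuple state
table consulted BEFORE the ruleset, and a way to clear states for a host pair.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed addresses matching the thread's scenario.
LAN_HOST = "192.168.1.254"      # host on the local LAN
REMOTE_HOST = "192.168.2.32"    # host at the other site, reached via OpenVPN


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet ENTERS the firewall on ("lan", "openvpn")
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str            # rule tab / interface the rule lives on
    action: str           # "pass" or "block"
    src: str = "*"        # "*" = any
    dst: str = "*"

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.src in ("*", pkt.src)
                and self.dst in ("*", pkt.dst))


StateKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass
class Firewall:
    rules: Dict[str, List[Rule]] = field(default_factory=dict)
    states: Set[StateKey] = field(default_factory=set)

    def add_rule(self, rule: Rule, top: bool = False) -> None:
        lst = self.rules.setdefault(rule.iface, [])
        if top:
            lst.insert(0, rule)     # "put it at the top of the list"
        else:
            lst.append(rule)

    @staticmethod
    def _key(pkt: Packet) -> StateKey:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> StateKey:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # State lookup comes first: an already-permitted flow (either
        # direction) keeps flowing no matter what rules were added since.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (existing state)"
        # Only the rule list of the INGRESS interface is consulted.
        for rule in self.rules.get(pkt.iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return rule.action
        return "block (default deny)"

    def kill_states(self, host_a: str, host_b: str) -> None:
        # Models clearing the states between two hosts.
        self.states = {s for s in self.states if {s[1], s[3]} != {host_a, host_b}}


def build_firewall() -> Firewall:
    fw = Firewall()
    fw.add_rule(Rule("lan", "pass"))       # constructed "LAN to any" allow rule
    fw.add_rule(Rule("openvpn", "pass"))   # constructed permissive OpenVPN tab rule
    return fw


def scenario_state_persists() -> List[str]:
    """Block rule added after the flow exists has no effect until states are cleared."""
    fw = build_firewall()
    out = Packet("lan", "tcp", LAN_HOST, 40000, REMOTE_HOST, 443)
    back = Packet("openvpn", "tcp", REMOTE_HOST, 443, LAN_HOST, 40000)
    results = [fw.filter(out)]                       # "pass": state is created
    fw.add_rule(Rule("lan", "block", src=LAN_HOST, dst=REMOTE_HOST), top=True)
    results.append(fw.filter(out))                   # still "pass (existing state)"
    results.append(fw.filter(back))                  # reply rides the same state
    fw.kill_states(LAN_HOST, REMOTE_HOST)            # clear states for the pair
    results.append(fw.filter(out))                   # now "block"
    return results


def scenario_wrong_interface() -> str:
    """A block rule on the OpenVPN tab never sees a packet that enters on LAN."""
    fw = build_firewall()
    fw.add_rule(Rule("openvpn", "block", src=LAN_HOST, dst=REMOTE_HOST), top=True)
    out = Packet("lan", "tcp", LAN_HOST, 40001, REMOTE_HOST, 443)
    return fw.filter(out)                            # "pass"


if __name__ == "__main__":
    print(scenario_state_persists())
    print(scenario_wrong_interface())
```

The model is why the original poster saw traffic continue after adding the rule and why it only started working after states were cleared with the rule already in place: the state table is consulted before the rule list, so the order "enable rule, then clear states" is what matters. On pf itself the same clearing can be done from a shell with `pfctl -k 192.168.1.254 -k 192.168.2.32` (kill states between the two hosts) or `pfctl -F states` (flush everything), and a block rule placed at the top of an interface tab corresponds to a first-match `block in quick` rule on that ingress interface.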


  • Hey all,
    Thanks for the replies and sorry for the late response.

    I managed to get the rules to work by clearing the states, enabling the rules and clearing the states again.  It seems to be iffy and didn't always work when I disabled and re-enabled so I'm going to blame this on the old v2.0.1 which I will soon upgrade.

    Anyhow, I only needed the rule for a few minutes to test an alert from our monitoring system which specifically required me to leave the device online but only cut communication between the two specific devices.  The test is done so no further need to investigate.

    Thank you all.