Netgate Discussion Forum
    Cannot block traffic for a specific IP address on the LAN to a specific…

Firewalling
    8 Posts 4 Posters 1.4k Views
Slicster

      Hi All,
      I seem to be having issues with my firewall rules.  I'm trying to do something rather simple but the rules are never working correctly.

      On my LAN I want to block the IP 192.168.1.254 from reaching the destination IP 192.168.2.32 which is on our other site going through OPENVPN.  If I create the following rules on either the LAN or OPENVPN, communications continue to work…

      LAN and OPENVPN rules
      BLOCK
      PROTOCOL: *
      SOURCE: 192.168.1.254
      PORT: *
      DESTINATION: 192.168.2.32
PORT: *
      GATEWAY: *

      I also tried clearing the system states but that didn't work either.

Any ideas?  Does this have something to do with the OPENVPN client specific overrides, perhaps that VPN tunnels take precedence over RULES, or something with NAT translating the source and destination IPs?

Any help would be appreciated.

2chemlud

        Try it with a BLOCK rule (right on top of the list) on the LAN interface of the REMOTE router (where the 192.168.2.x is at home…)

Slicster

          I just tried that but it doesn't work either.

          I did the following RULES on the other end…

          LAN and OPENVPN rules
          BLOCK
          PROTOCOL: *
          SOURCE: 192.168.1.254
          PORT: *
          DESTINATION: 192.168.2.32
PORT: *
          GATEWAY: *

          and

          LAN and OPENVPN rules
          BLOCK
          PROTOCOL: *
          SOURCE: 192.168.2.32
          PORT: *
          DESTINATION: 192.168.1.254
PORT: *
          GATEWAY: *

KOM

            Are you clearing your states between tests?  Firewall rule changes will not affect existing states.

Slicster

I tried clearing the states earlier and just now, but it doesn't do anything different.  The OPENVPN tunnel goes down for a few seconds, then my communications start up again.  Very strange stuff!

KOM

                Firewall rules are applied on the interface that the traffic enters, so you would put them on the LAN interface.  Can you post a screenshot of your firewall rule?

Derelict (Netgate)

                  On my LAN I want to block the IP 192.168.1.254 from reaching the destination IP 192.168.2.32 which is on our other site going through OPENVPN.

                  First, delete EVERYTHING you've done to try to accomplish this. EVERYWHERE.

                  Then put this on the LAN interface that 192.168.1.254 is connected to:

                  LAN
                  BLOCK
                  PROTOCOL: *
                  SOURCE: 192.168.1.254
                  PORT: *
                  DESTINATION: 192.168.2.32
PORT: *
                  GATEWAY: *

                  That will block NEW CONNECTIONS from 192.168.1.254 to 192.168.2.32

                  If you want to block connections coming in from the OpenVPN put this on the OpenVPN Tab (Or the OpenVPN assigned interface tab).

                  OpenVPN
                  BLOCK
                  PROTOCOL: *
                  SOURCE: 192.168.2.32
                  PORT: *
                  DESTINATION: 192.168.1.254
PORT: *
                  GATEWAY: *

                  That will block NEW CONNECTIONS from 192.168.2.32 to 192.168.1.254.

                  Put both of these rules at the top of the respective rule lists.

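The two behaviours the replies above turn on, KOM's point that a rule change never affects an existing state and Derelict's point that a rule is only evaluated on the interface the traffic enters, are easy to get wrong because the GUI hides the order of evaluation. The following is an added illustration, not pfSense or pf code: a small model of pf-style stateful, first-match filtering that replays the thread's situation. The interface names "lan" and "openvpn" and the two hosts come from the posts; the rule and state representation, the `kill_states` helper (modelled on what `pfctl -k host -k host2` does on the real box) and the sample packets are assumptions of the model.

```python
"""
Toy model of pf-style stateful, first-match filtering as pfSense applies it.
Added illustration, NOT pfSense or pf code. The interface names and hosts are
taken from the thread; the data structures and helpers are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS the firewall on
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    iface: str   # tab the rule lives on: evaluated only for packets entering there
    action: str  # "block" or "pass"
    src: str = "*"
    dst: str = "*"
    proto: str = "*"

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.src in ("*", p.src)
                and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # flow keys (src, dst, proto) of passed connections

    def filter(self, p: Packet) -> str:
        key = (p.src, p.dst, p.proto)
        reverse = (p.dst, p.src, p.proto)
        # The state table is checked BEFORE the ruleset. A packet belonging to
        # an existing state passes in either direction, on any interface,
        # whatever the rules now say. Editing rules never touches this table.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        # First matching rule wins (pfSense GUI rules are "quick").
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)   # a pass creates the state
                return r.action
        return "block"  # implicit default deny

    def insert_rule_on_top(self, rule: Rule):
        self.rules.insert(0, rule)

    def reset_states(self):
        self.states.clear()

    def kill_states(self, host, host2=None):
        """Modelled on `pfctl -k host [-k host2]`: drop states from host (to host2)."""
        self.states = {
            s for s in self.states
            if not (s[0] == host and (host2 is None or s[1] == host2))
        }


def scenario():
    """Replays the thread step by step; returns each step's verdict."""
    a, b = "192.168.1.254", "192.168.2.32"
    fw = StatefulFirewall([Rule("lan", "pass"), Rule("openvpn", "pass")])
    out = {}

    # 1. A connection is established before any block rule exists.
    out["initial"] = fw.filter(Packet("lan", a, b))
    out["reply"] = fw.filter(Packet("openvpn", b, a))

    # 2. Block rule on the WRONG tab: traffic from a enters on LAN, so a
    #    rule with src=a on the OpenVPN tab is never evaluated for it.
    fw.insert_rule_on_top(Rule("openvpn", "block", src=a, dst=b))
    fw.reset_states()
    out["wrong_iface"] = fw.filter(Packet("lan", a, b))

    # 3. Correct rule on LAN, but states not cleared: the flow still passes.
    fw.insert_rule_on_top(Rule("lan", "block", src=a, dst=b))
    out["rule_added_state_kept"] = fw.filter(Packet("lan", a, b))

    # 4. Kill only this host pair's states: the next packet is blocked, while
    #    an unrelated flow from a keeps its state (constructed sample host).
    out["other_flow"] = fw.filter(Packet("lan", a, "192.168.2.10"))
    fw.kill_states(a, b)
    out["after_kill"] = fw.filter(Packet("lan", a, b))
    out["other_flow_kept"] = fw.filter(Packet("lan", a, "192.168.2.10"))
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:24s} {verdict}")
```

Step 3 is the trap from the original post: the block rule is correct and on the right tab, yet the existing flow keeps passing until its state is gone. On a real pfSense box the equivalent of `kill_states(a, b)` is `pfctl -k 192.168.1.254 -k 192.168.2.32` from the shell, which is less disruptive than Diagnostics > States > Reset States because it does not drop the OpenVPN tunnel's own states; `pfctl -ss | grep 192.168.1.254` shows whether a state for the pair still exists before you conclude a rule "doesn't work".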
Slicster

                    Hey all,
                    Thanks for the replies and sorry for the late response.

                    I managed to get the rules to work by clearing the states, enabling the rules and clearing the states again.  It seems to be iffy and didn't always work when I disabled and re-enabled so I'm going to blame this on the old v2.0.1 which I will soon upgrade.

Anyhow, I only needed the rule for a few minutes to test an alert from our monitoring system, which specifically required me to leave the device online but only cut communication between the two specific devices.  The test is done, so no further need to investigate.

                    Thank you all.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.