
I have a network at home with a pfSense software firewall. There are about 2 PCs and 3 laptops that connect to the internet through this firewall.

I would like to use the Firewall rules to block internet access for one of these devices on the network. The one that I want to block does have a static IP address assigned, and I also know its MAC address.

I just can't seem to be able to figure out how to create a rule that will effectively block internet access for that one device. But I still want that device to be able to access the network internally, such as network printers, shared drives, etc.

slm
7wp

8 Answers


Add a LAN Firewall rule to block the IP of the guy by going to Firewall -> Rules -> LAN:


And be sure your rule is before the default "allow everyone" rule, since rules are processed top-down, in order, until one matches.

slm
Ian Boyd

I know this is an old question, but it still applies to pfSense 2.4

I recommend using aliases for applying rules to multiple hosts.


  • Could you comment on where you're actually specifying the IoT device to block? Like in your second screenshot, in Source you wrote local_only_iot_device. I assume this is where you would put the IP? Is there a way to put the MAC instead of the IP? – gstlouis Aug 15 '20 at 13:04
  • In the first screen we create an alias and add one or more devices by IP address or fully qualified domain name. – HarlemSquirrel Aug 16 '20 at 14:29
  • To use MAC address, I think you would want to set up a static IP based on MAC and then use that IP here. – HarlemSquirrel Aug 16 '20 at 14:29

Not a pfSense person, but the actual PF rules you need are as follows.

# plain pf evaluates rules last-match (no "quick" keyword), so the pass
# rules below override the block for destinations on the internal network
block in on <internal interface> from <static ip> to any
pass in on <internal interface> from <static ip> to <internal network>
pass out on <internal interface> from <static ip> to <internal network>
Cian

Go to the Firewall -> Rules page and click on the LAN tab. Add a new rule at the top with the following settings:

Action: Block
Protocol: Any
Source: Single Host or Alias | <IP address>

Please keep in mind that this will block a single IP address. So if the IP of the host is changed, it can access the Internet again.

binco
  • Hi binco. I have tried this, but for some reason that host is still able to access the internet. I verified the IP did not change because it is assigned by MAC address, so it never changes. That is the reason I resorted to posting this question here. – 7wp Sep 15 '09 at 22:52

Concepts can be counter-intuitive at first because the traffic has to be queued in a place where the operating system can control the flow of packets. Incoming traffic from the Internet going to a host on the LAN (downloading) is shaped leaving the LAN interface from the firewall. In the same manner, traffic going from the LAN to the Internet (uploading) is shaped when leaving the WAN.

w8tr

If anyone is still tracking this... just want to share my thoughts for @Parry:

A. For good practice you would include an ALLOW rule because your intent is to BLOCK access (so what is it allowed to do before you block (everything) you don't want it to do?)

B. A block rule is required because of:

  1. The default "LAN to Any" rule = everything on the LAN gets anywhere.
  2. Blocking 'WAN Address' means blocking access to the pfSense WAN interface IP only; 'WAN Network' means the network your WAN interface is on from your ISP, which is NOT the same as the internet!!!

Technically only 1 block rule should be necessary here to block it from the internet:

  action = block
  source = 192.168.1.7
  Destination = !(RFC1918) (creating an alias) or !(Lan_network) (built-in)

Devices communicating on the same subnet (LAN) wouldn't be filtered by the firewall.

  • “which is NOT the same as internet”. not always true, that depends. Some of us are not behind an ISP NAT, and are actually being assigned a public IP address. – 7wp Jun 19 '22 at 19:38

I tried a myriad of approaches, none of which worked. But one did:

(a) I first set up a rule that would allow the host (in this case 192.168.1.7) to connect to anywhere in my 192.168.1.0/24 LAN. So that means Firewall --> Rules --> Edit

  1. Action --> Pass
  2. Interface --> LAN
  3. Address Family --> (you choose)
  4. Protocol --> Any
  5. SOURCE Single Host ---> 192.168.1.7
  6. Destination ---> Network 192.168.1.0/24

(b) Next I created a block rule below this one in the hierarchy of Firewall --> Rules --> Edit

  1. Action --> Block
  2. Interface ---> LAN
  3. Address Family ---> (user choice)
  4. Protocol --> Any
  5. Source Single Host or Alias ---> 192.168.1.7
  6. Destination --> any

That worked.

What is really confusing is the terminology. Perhaps someone can explain this:

(a) If I have an IP address on my internal LAN, then why wouldn't blocking it from accessing the WAN (which is outside my router and I would think would be considered the Internet) block that IP address from accessing the Internet?

(b) So why does blocking that IP address from accessing the LAN (I suppose that any IP address behind the NAT is on the LAN, and any IP in this network behind the LAN can reach out to the Internet unless it is blocked) prevent that IP from accessing the Internet? I suppose I just answered my own question, because the next thing I did was allow that IP address to access the local network 192.168.1.0/24 (in CIDR format).

I will say that the terms LAN, WAN Network etc. need a little clarification for noobs using pfSense. What is the WAN, really? Why can't I just block my LAN IP address from accessing the WAN? Why does that not work? I think anyone who can answer that question would help me and a lot of others, I would guess.

Thanks, parry

parryj
  • I suggest creating a new question for that. Asking a question inside an answer to another question is not supported very well in Stack Overflow, because we have no good place to answer you other than comments like the one I'm writing now. But comments are not meant for answering questions. – 7wp Dec 03 '19 at 03:21
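To make the rule ordering and the "WAN Network" vs. internet point from the two answers above (the reply to @Parry and parryj's working pair) concrete, here is an added Python model of pfSense's first-match evaluation of LAN rules; it is not code from the page or from pfSense, and the ISP-side subnet, the firewall's LAN address and the sample internet address are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption): the restricted host is 192.168.1.7
# as in the answers above; the ISP side uses an RFC 5737 documentation range.
LAN_NET = ip_network("192.168.1.0/24")
WAN_NET = ip_network("203.0.113.0/24")      # what the pfSense GUI calls "WAN Network"
HOST = ip_network("192.168.1.7/32")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(selector, addr):
    """selector: "any", a network, a list of networks (an alias), or
    ("not", selector) for the GUI's "invert match" checkbox."""
    if selector == "any":
        return True
    if isinstance(selector, tuple):          # ("not", inner): invert match
        return not matches(selector[1], addr)
    if isinstance(selector, list):           # alias: match any member
        return any(addr in net for net in selector)
    return addr in selector

def evaluate(rules, src, dst):
    """pfSense interface rules are first-match, top-down; anything unmatched hits
    the implicit default deny. Only traffic that actually arrives at the LAN
    interface is evaluated: hosts on the same subnet talk to each other directly."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in rules:
        if matches(s, src) and matches(d, dst):
            return action
    return "block"

DEFAULT_ALLOW = ("pass", LAN_NET, "any")     # the stock "Default allow LAN to any" rule

# 1) the attempt that does not work: block only traffic to "WAN Network"
BLOCK_WAN_NET = [("block", HOST, WAN_NET), DEFAULT_ALLOW]
# 2) parryj's pair: pass the host to the local LAN first, then block it to anywhere
PASS_LAN_THEN_BLOCK = [("pass", HOST, LAN_NET), ("block", HOST, "any"), DEFAULT_ALLOW]
# 3) the single-rule variant: block the host to everything that is not RFC1918
BLOCK_NON_RFC1918 = [("block", HOST, ("not", RFC1918)), DEFAULT_ALLOW]

if __name__ == "__main__":
    for name, rules in [("block WAN net", BLOCK_WAN_NET),
                        ("pass LAN, then block", PASS_LAN_THEN_BLOCK),
                        ("block !RFC1918", BLOCK_NON_RFC1918)]:
        # 192.168.1.1 stands in for the firewall's LAN address (e.g. its DNS resolver);
        # 198.51.100.1 stands in for an address on the internet
        print(f"{name:22} lan={evaluate(rules, '192.168.1.7', '192.168.1.1'):5} "
              f"internet={evaluate(rules, '192.168.1.7', '198.51.100.1')}")
```

Only the first ruleset lets the host reach 198.51.100.1, because that address is outside the ISP subnet and so falls through to the default allow rule.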

Also you could just do:

  1. Action --> Pass
  2. Interface --> LAN
  3. Address Family --> (you choose)
  4. Protocol --> Any
  5. SOURCE Single Host ---> 192.168.1.7
  6. Destination (Invert) ---> WAN

tony