
If I have one device (192.168.12.5) on the LAN interface that I want to prevent from accessing the internet and I put a rule (top rule #1) on the LAN interface to:

Block 
Protocol Ipv4*  
Source 192.168.12.5 Port *  
Destination ANY Port * Gateway *  

The rule works and the machine cannot access the internet. But why does the following not work on the LAN interface?

Block  
Protocol Ipv4*  
Source 192.168.12.5 Port *  
Destination WAN_net Port * Gateway * 

Everywhere I have seen online shows the same technique for doing this (set destination to any). Why is this? I'm trying to block traffic from exiting the WAN from that IP. I would think that would mean my destination should be WAN net.

jtlindsey

2 Answers


Block
Protocol Ipv4*
Source 192.168.12.5 Port *
Destination WAN_net Port * Gateway *

This rule will block all Ipv4 traffic from 192.168.12.5 to your ISP's WAN_net network segment, not the Internet.

The Internet is every ip address that's not: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

see: ietf-rfc1918

So, to block access to the Internet without using ANY destination, create an alias called something like PRIVATE_NETWORKS and use it in your rule like this:

Block
Protocol Ipv4*  
Source 192.168.12.5 Port *  
Destination !PRIVATE_NETWORKS Port * Gateway * 

Now, any Ipv4 traffic from 192.168.12.5 that is not destined for your private LAN will be blocked.

Rick
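To make the difference between the three destination forms concrete, here is a small added example (not pfSense code and not from either answer): a first-match rule evaluator, as pfSense applies LAN rules top-down, run against the same host with Destination set to any, to WAN_net, and to !PRIVATE_NETWORKS. The 203.0.113.0/24 WAN subnet, the 192.168.12.5/32 host alias and the probe addresses are constructed.

```python
import ipaddress

# Constructed topology: the LAN subnet from the question and an assumed
# ISP-assigned WAN subnet (documentation range, stands in for "WAN net").
LAN_NET = ipaddress.ip_network("192.168.12.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")

# The alias the answer proposes: the three RFC 1918 ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def dest_matches(dest_spec, dst):
    """dest_spec mirrors the rule's Destination field:
    ('any',), ('nets', [networks]) or ('not', [networks]) for the '!' box."""
    kind, *rest = dest_spec
    if kind == "any":
        return True
    if kind == "nets":
        return in_any(dst, rest[0])
    if kind == "not":
        return not in_any(dst, rest[0])
    raise ValueError(dest_spec)

def evaluate(rules, src, dst):
    """First matching rule wins; if nothing matches, the default
    'LAN net to any' allow rule is modelled as a plain pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, dest_spec in rules:
        if src in rule_src and dest_matches(dest_spec, dst):
            return action
    return "pass"

HOST = ipaddress.ip_network("192.168.12.5/32")   # the blocked device
RULE_ANY = [("block", HOST, ("any",))]
RULE_WAN_NET = [("block", HOST, ("nets", [WAN_NET]))]
RULE_NOT_PRIVATE = [("block", HOST, ("not", PRIVATE_NETWORKS))]

def compare(dst, src="192.168.12.5"):
    """Returns (any, WAN_net, !PRIVATE_NETWORKS) verdicts for one packet."""
    return tuple(evaluate(r, src, dst)
                 for r in (RULE_ANY, RULE_WAN_NET, RULE_NOT_PRIVATE))

if __name__ == "__main__":
    for probe in ("8.8.8.8", "203.0.113.1", "192.168.12.20", "10.1.2.3"):
        print(probe, compare(probe))
```

The 8.8.8.8 line is the one the question is about: WAN_net only matches packets addressed to the WAN subnet itself, so a public destination slips past it, while both any and !PRIVATE_NETWORKS block it.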

In the second case you block traffic from 192.168.12.5 to the WAN subnet (all IPs you have configured on the WAN port) but allow any other IPs.