Hi, I have a pc on my lan with ip 192.168.1.6 and I would like to block its access to the internet on demand, Is that possible using a pfsense firewall rule that I can turn on and off? How can I do that? Thanks!
Create a firewall block rule on the subnet specifying the IP of the system you want to block above the allow rule.
Hi, yes, I tried that, but I don’t think I am doing it correctly as traffic is still being passed through. I setup a floating “block” rule and selected LAN under interface. Checked “Quick”, Direction Any, Protocol TCP/UDP, IPV4 as address family. Source is 192.168.1.6 which is the ip of the PC. Destination is Any.
Do these settings look correct? Ideally, I would like to block all traffic to and from this pc, but didn’t know if I should set the Source or Destination as 192.168.1.6. I tried both and neither seemed to work.
The rule order matters and it needs to be above the allow rule on that subnet
Hi Tom, very much appreciate your help. I’m quite new to this and if my understanding is correct, rules are processed top to bottom until the packet finds a match. At first, I tried setting up a LAN rule to block the traffic which didn’t work and so I wasn’t sure if my rule being below the anti-lock rule in the LAN tab was the reason. I was afraid to put something above the anti-lock rule since I didn’t want to be locked out. That’s why I started to experiment with the floating rule. I’ve watched several videos on this and have read the netgate manual and tried to understand as much as I can, but still have not been able to block traffic to and from this local computer on the LAN.
Should I stick with a LAN rule instead of floating and should this rule be above the anti-lockout rule? Would you be able to let me know what the settings on the rule page should be?
There are no other rules in my config besides the two OpenVPN rules which, with the aid of your awesome videos, I was able to implement successfully. The two OpenVPN rules are: floating - at the very bottom - block traffic if VPN is down and LAN - route VPN Group to VPN interface.
Hi again, upon further investigation, it appears the block rule is working. When it is enabled, I am not able to go to websites. However, local LAN access is still available (eg., I can rdp into this pc and I am able to access local LAN resources from this PC). Is there a way to also block local LAN access?
More interestingly, when this block is on (and I cannot access external websites such as cnn.com), my child is still able to play Fortnite and talk to his friends from this PC. Since his friends are not on the local network, it seems there is still a way for packets to leave and come in via the WAN port. Any thoughts on this? Is there a way to block all LAN and WAN traffic to and from this pc?
Local LAN traffic does not pass through the pfsenes which means pfsense can not help there.
Yes, that’s what I figured - thanks for confirming. Any idea on Fortnight still connecting externally even when the block rule is in effect?
Maybe try changing the protocol from TCP/UDP to ‘Any’ in case fortnite is using a different strange protocol.
Thanks for the suggestion. Just tried it and traffic is still getting through. I looked at the traffic graph under Status and under LAN, I’m seeing bandwidth in and out from that PC. Is that strange? I would think the settings would block everything…what else can I check and/or change?
Does the machine have more than 1 IP etc. i.e. you’ve blocked ethernet traffic but it’s still working over WiFi?
Hi! Thanks for the idea…I was so excited that wifi might be the issue, although unfortunately, it’s turned off and there’s no associated AP’s. Just can’t figure out how data is getting in and out! Any other suggestions would be greatly appreciated!
Only other thing I can think of is that the device is running off a different interface other than the one you’re applying the rules on. Or, the device isn’t going through that firewall at all and using another means of connectivity.
Thanks…I’m pretty sure there are no other interfaces that are active. While the block rule is active, I did a packet capture in pfsense and see packets passing to and from 192.168.1.6, the ip I am trying to block. I can see that it’s UDP traffic to various ports on that ip. What can I possibly be doing wrong?
To resolve this issue, create a new rule called “Block 192_1_6 or anything” and set this in the WAN and LAN if you required for the rules. Next, in the rule conditions, set the Protocol to All (“TCP/UDP”) and in the DESTINATION field enter (192.168.1.6). Then choose Block (“for no warning”) or Deny (“for a log warning”). This will block anyone from accessing this IP address from the gateway and/or LAN. I hope this helps. If this for some reason still does not work…create a Windows Defender or Windows Firewall rule on the actual computer that blocks Outbound or Inbound traffic per your conditions. Blocking ports 80 and 8080, 8081 to stop web traffic.
One way I’ve done it on windows directly is entering a fake proxy in Internet options.
Hi hgersitz, thanks for the suggestion. Just to make sure I am following your suggestion correctly, should I add the rule to the floating, WAN or LAN tab?
Hi ajrbservices, Proxy is turned off in Windows Network Settings. Is that what you mean?
I mean if you wanted to block Internet on the device itself, then you could enable the proxy and enter a fake address.
Thanks…my goal is to be able to turn internet access on and off on demand from my iPad. So, was going to enable / disable the firewall rule as needed.
Unfortunately, the rule doesn’t seem to block all traffic, at least for me. Although that seems very strange since pfsense is used by so many people and organizations. So I’m guessing something else is at play here. Any ideas on what tests of checks I can run? Like I said, the rule does block things like websites, but my kids are still able to chat with their friends on Fortnite…