How to block an IP address

Hello sir is it possible to block an ip address from accessing the internet for example i want to block the ip of a client from the internet

but my configuration is in DHCP is it possible or how can i block a specific IP from my network via pfsense firewall

You could create a block rule for the IP address of the client you want to block, and put it above the default “LAN to any” rule:

Action: Block
Protocol: Any
Source: Address or Alias | <IP-Address>

However, keep in mind that if the IP of the client changes, it can access the internet again.

As above, create a dhcp static reservation for the mac address of the device so that
the ip does not change.

1 Like

Yes, but you’d still have to consider that if the device in question belongs to a user you want to deny Internet access to, they could get around this by simply disabling DHCP on the client and changing the IP address manually, or by changing/spoofing the MAC address. To prevent this, the client would need to be moved to a separate network segment.

On PFSense, you can not block devices by mac address , just ip address

Yep, but by spoofing/changing the MAC address, the DHCP server will most likely hand out a different IP address :wink:

Is this a desktop or laptop machine.

If desktop, create a vlan and configure the switch port for this vlan. Create fileware rules that does not allow internet access

what if i turn it to Static and Enable the Captive Portal?

One way is to block all IP addresses except those you specifically want to allow access on the Internet. Even if your target changes the MAC address the DHCP server will hand out an IP address with no Internet connectivity.

Unless they change it to the MAC address of a device that already has Internet access there’s no way to bypass this.

1 Like

how to apply that sir do you have steps configuration for it?

I am much more familiar with OPNsense than pfSense, but I believe the steps are quite similar:

  1. Go to Firewall - Aliases, create an alias of the type Hosts or IP Addresses. Add all the IP addresses you want to give Internet access to. Save the alias.
  2. Go to Firewall - Rules and select the LAN interface. Create a new rule at the top with the action PASS, IPv4 + IPv6, protocol Any, source Single host or Alias and pick the alias you defined at step 1, destination Any. Save this rule.
  3. Add another rule immediately below this one, action BLOCK, IPv4 + IPv6, protocol Any, source LAN net, destination Any. Save the rule.

Double check the ALLOW rule comes first, and immediately after is the BLOCK rule. Apply the ruleset.

Caveat: if you have other networks, such as DMZ, perhaps some VLAN networks, that everyone should have access to, make sure the allow rules for any of these come before the BLOCK rule you’ve created in step 3.

thank you sir so basically i need to do the static mapping first for the IP’s then create the aliases?

then next is the rule

Yes, that’s right. You got this!