How to block an IP address

Hello sir, is it possible to block an IP address from accessing the internet? For example, I want to block the IP of a client from the internet,

but my configuration is in DHCP. Is it possible, or how can I block a specific IP from my network via the pfSense firewall?

You could create a block rule for the IP address of the client you want to block, and put it above the default “LAN to any” rule:

Action: Block
Protocol: Any
Source: Address or Alias | <IP-Address>

However, keep in mind that if the IP of the client changes, it can access the internet again.

As above, create a DHCP static reservation for the MAC address of the device so that the IP does not change.

https://docs.netgate.com/pfsense/en/latest/services/dhcp/index.html


Yes, but you’d still have to consider that if the device in question belongs to a user you want to deny Internet access to, they could get around this by simply disabling DHCP on the client and changing the IP address manually, or by changing/spoofing the MAC address. To prevent this, the client would need to be moved to a separate network segment.

On pfSense, you cannot block devices by MAC address, just IP address.

Yep, but by spoofing/changing the MAC address, the DHCP server will most likely hand out a different IP address :wink:

Is this a desktop or laptop machine?

If desktop, create a VLAN and configure the switch port for this VLAN. Create firewall rules that do not allow internet access.

What if I turn it to Static and enable the Captive Portal?

One way is to block all IP addresses except those you specifically want to allow access to the Internet. Even if your target changes the MAC address, the DHCP server will hand out an IP address with no Internet connectivity.

Unless they change it to the MAC address of a device that already has Internet access, there’s no way to bypass this.


How to apply that, sir? Do you have configuration steps for it?

I am much more familiar with OPNsense than pfSense, but I believe the steps are quite similar:

  1. Go to Firewall - Aliases, create an alias of the type Hosts or IP Addresses. Add all the IP addresses you want to give Internet access to. Save the alias.
  2. Go to Firewall - Rules and select the LAN interface. Create a new rule at the top with the action PASS, IPv4 + IPv6, protocol Any, source Single host or Alias and pick the alias you defined at step 1, destination Any. Save this rule.
  3. Add another rule immediately below this one, action BLOCK, IPv4 + IPv6, protocol Any, source LAN net, destination Any. Save the rule.

Double check the ALLOW rule comes first, and immediately after is the BLOCK rule. Apply the ruleset.

Caveat: if you have other networks, such as DMZ, perhaps some VLAN networks, that everyone should have access to, make sure the allow rules for any of these come before the BLOCK rule you’ve created in step 3.
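To make the first-match ordering these steps rely on concrete (and the caveat about other-network rules), here is a small added simulation of the ruleset; it is not pfSense or OPNsense code, and the networks, alias members and hosts are constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("10.10.10.0/24")

# Step 1: the alias of hosts that may reach the Internet (constructed members).
INTERNET_ALLOWED = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}

def match_src(spec, src):
    """Match a rule's source: an alias (set of hosts), a network, or 'any'."""
    if spec == "any":
        return True
    return src in spec  # works for both a set of hosts and an ip_network

def evaluate(rules, src, dst):
    """First-match evaluation, as pfSense/OPNsense interface rules behave:
    the first rule whose source and destination match decides; if nothing
    matches, the implicit default is to block."""
    for action, src_spec, dst_spec in rules:
        if match_src(src_spec, src) and (dst_spec == "any" or dst in dst_spec):
            return action
    return "block"

# Steps 2 and 3 in the prescribed order: PASS the alias, then BLOCK LAN net.
RULES_CORRECT = [
    ("pass", INTERNET_ALLOWED, "any"),
    ("block", LAN_NET, "any"),
]

# The caveat: a LAN-to-DMZ allow rule placed *after* the block never fires,
# so it has to sit before the BLOCK rule.
RULES_DMZ_WRONG = RULES_CORRECT + [("pass", LAN_NET, DMZ_NET)]
RULES_DMZ_RIGHT = [("pass", LAN_NET, DMZ_NET)] + RULES_CORRECT

INTERNET_HOST = ip_address("203.0.113.5")  # documentation range, stands in for "the Internet"

def demo():
    """Verdicts for the scenarios discussed in the thread."""
    allowed = ip_address("192.168.1.10")
    other = ip_address("192.168.1.77")   # e.g. a fresh DHCP lease after a MAC change
    dmz_host = ip_address("10.10.10.20")
    return {
        "alias_host_to_internet": evaluate(RULES_CORRECT, allowed, INTERNET_HOST),
        "other_host_to_internet": evaluate(RULES_CORRECT, other, INTERNET_HOST),
        "other_host_to_dmz_wrong_order": evaluate(RULES_DMZ_WRONG, other, dmz_host),
        "other_host_to_dmz_right_order": evaluate(RULES_DMZ_RIGHT, other, dmz_host),
    }
```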

Thank you sir, so basically I need to do the static mapping first for the IPs, then create the aliases?

Then next is the rule.

Yes, that’s right. You got this!