Pfsense blocking WAN rule

Hello folks. Hope you can help? I am new to pfsense but finding Tom’s videos SUPER helpful.

I have a trivial pfsense configuration and am trying to very simply block internet access for one of my Lan devices.

So I have created a rule which sits at the top of the list of the Lan rules, which says simply:

Action: Block
Address: Family IPv4
Protocol: Any
Source: Single host or alias:
Destination: Wan net

But for some reason, the device can still access the internet. I tried this using a laptop with a specific IP address to test it, and confirmed that it does not work. Please can someone explain why this rule does not block internet access?

It concerns me a tiny bit because I have another subnet for my IOT devices for which I have rules blocking their access to my Lan, so just a bit concerned in case that isn’t working either.

Any thoughts?


EDIT: Just to let you know, if I change Destination to “Any”, then internet access is blocked. So I know the rule is applying to the correct device at least.

Best to post your rules for the interface

Thanks, but I really don’t think that’s necessary. There are only 4 rules, the anti-lockout rule (unedited) and the default allow Lan to any rules, again unedited. These are the standard rules that pfsense configures for you when you follow the startup wizzard, so i assume they are correct.

And as I say, I put my block rule at the top.

Also, I tried blocking “invert match” Lan net, and this does work. So I am a bit stumped as to why blocking Wan net, does not work.

There’s something in the documentation which I do not really understand about the Wan Net macro meaning the subnet on the Wan interface (and not the internet per se). But I have the internet on my Wan port, so I don’t understand why internet access would not be blocked.

OK, thanks but I figured it out. The Wan net subnet is clearly NOT the internet, merely the subnet of the Wan gateway. Doh!!!

Thanks anyway

1 Like