10

I have a network at home with a pfSense software firewall. There are about 2 PCs and 3 laptops that connect to the internet through this firewall.

I would like to use the firewall rules to block internet access for one of these devices on the network. The one that I want to block does have a static IP address assigned, and I also know its MAC address.

I just can't seem to figure out how to create a rule that will effectively block internet access for that one device. But I still want that device to be able to access the network internally, such as network printers, shared drives, etc.

slm
  • 8,010
7wp
  • 584

8 Answers

14

Add a LAN firewall rule to block the IP of the guy by going to Firewall -> Rules -> LAN.

And be sure your rule is before the default "allow everyone" rule, since rules are processed top-down, in order, until one matches.

slm
  • 8,010
Ian Boyd
  • 5,453
3

I know this is an old question, but it still applies to pfSense 2.4.

I recommend using aliases for applying rules to multiple hosts.

2

Not a pfSense person, but the actual PF rules you need are as follows:

block in on <internal interface> from <static ip> to any
pass in on <internal interface> from <static ip> to <internal network>
pass out on <internal interface> from <static ip> to <internal network>
Cian
  • 5,878
1

Go to the Firewall -> Rules page and click on the LAN tab. Add a new rule at the top with the following settings:

Action: Block
Protocol: Any
Source: Single Host or Alias | <IP address>

Please keep in mind that this will block a single IP address. So if the IP of the host is changed, it can access the Internet again.

binco
  • 111
0

Concepts can be counter-intuitive at first because the traffic has to be queued in a place where the operating system can control the flow of packets. Incoming traffic from the Internet going to a host on the LAN (downloading) is shaped leaving the LAN interface from the firewall. In the same manner, traffic going from the LAN to the Internet (uploading) is shaped when leaving the WAN.

w8tr
  • 1
0

If anyone is still tracking this... just want to share my thoughts for @Parry:

A. For good practice you would include an ALLOW rule because your intent is to BLOCK access (so what is it allowed to do before you block (everything) you don't want it to do?)

B. A block rule is required because of:

  1. The default "LAN to Any" rule = everything on LAN gets anywhere.

  2. Blocking 'WAN Address' means blocking access to the pfSense WAN interface IP only. 'WAN Network' means the network your WAN interface is on from your ISP, which is NOT the same as internet !!!

Technically only 1 block rule should be necessary here to block it from internet:

action = block
source = 192.168.1.7
Destination = !(RFC1918) creating alias, or !(Lan_network) built-in

Devices communicating on the same subnet (LAN) wouldn't be filtered by the firewall.
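The points made in this answer and in the top answer (block rule must sit above the default "LAN to any" pass; "WAN address" is only the firewall's own IP; a single block rule with an inverted RFC1918 destination does the job) can be checked with a small first-match rule evaluator. This is an added example, not pfSense code or anything from the thread: it models pfSense's top-down, first-match LAN rule processing in plain Python. The WAN IP 203.0.113.5, the printer 192.168.1.20 and the ruleset names are constructed for the demonstration; it only evaluates rules and does not model the fact that same-subnet traffic never reaches the firewall.

```python
"""Constructed model of pfSense-style first-match LAN rule evaluation (not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the "RFC1918" alias
LAN_NET = nets("192.168.1.0/24")                                  # pfSense's built-in "LAN net"
WAN_ADDRESS = nets("203.0.113.5/32")                              # constructed WAN interface IP
BLOCKED_HOST = nets("192.168.1.7/32")                             # the device to cut off


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src: Optional[List] = None           # None = any
    dst: Optional[List] = None           # None = any
    invert_dst: bool = False             # pfSense "Destination / Invert match", the "!" in the answer

    def matches(self, src, dst):
        if self.src is not None and not any(src in n for n in self.src):
            return False
        if self.dst is not None:
            hit = any(dst in n for n in self.dst)
            if hit == self.invert_dst:   # no hit, or a hit on an inverted match: rule does not apply
                return False
        return True


DEFAULT_LAN_TO_ANY = Rule("pass", src=LAN_NET)  # the stock "Default allow LAN to any" rule

RULESETS = {
    # "block to WAN address": only the firewall's own WAN IP is unreachable
    "block_to_wan_address": [Rule("block", BLOCKED_HOST, WAN_ADDRESS), DEFAULT_LAN_TO_ANY],
    # one rule: block everything whose destination is NOT a private (RFC1918) address
    "block_to_not_rfc1918": [Rule("block", BLOCKED_HOST, RFC1918, invert_dst=True), DEFAULT_LAN_TO_ANY],
    # two rules: pass to LAN net first, then block everything else from the host
    "pass_lan_then_block_any": [Rule("pass", BLOCKED_HOST, LAN_NET), Rule("block", BLOCKED_HOST), DEFAULT_LAN_TO_ANY],
    # block rule placed BELOW the default pass: never reached
    "block_below_default": [DEFAULT_LAN_TO_ANY, Rule("block", BLOCKED_HOST)],
}


def evaluate(rules, src, dst):
    """First match wins, top to bottom; traffic matching no rule hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"


DESTINATIONS = {
    "printer": "192.168.1.20",    # constructed LAN printer
    "wan_address": "203.0.113.5", # the firewall's WAN interface IP
    "internet": "8.8.8.8",        # a public address beyond the WAN
}


def verdicts(ruleset_name, src="192.168.1.7"):
    """Verdict for each sample destination when `src` sends through the named ruleset."""
    rules = RULESETS[ruleset_name]
    return {name: evaluate(rules, src, dst) for name, dst in DESTINATIONS.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:26s} {verdicts(name)}")
```

Running it shows why "block to WAN address" still lets 8.8.8.8 through, why the single inverted-RFC1918 rule and the pass-LAN-then-block-any pair both cut off the internet while keeping the printer reachable, and why a block rule placed below the default pass never fires. Any other LAN host (e.g. 192.168.1.8) passes everywhere under every ruleset.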

0

I tried a myriad of approaches, none of which worked. But one did.

(a) I first set up a rule that would allow (in this case 192.168.1.7) to connect to anywhere in my 192.168.1.0/24 LAN. So that means Firewall --> Rules --> Edit:

  1. Action --> Pass
  2. Interface --> LAN Address
  3. Family --> (you choose)
  4. Protocol --> Any
  5. SOURCE Single Host ---> 192.168.1.7
  6. Destination ---> Network 192.168.1.0/24

(b) Next I created a block rule below this one in the hierarchy of Firewall --> Rules --> Edit:

  1. Action --> Block
  2. Interface ---> LAN
  3. Address Family ---> (user choice)
  4. Protocol --> Any
  5. Source Single Host or Alias ---> 192.168.1.7
  6. Destination --> any

That worked.

What is really confusing is the terminology. Perhaps someone can explain this:

(a) If I have an IP address on my internal LAN, then why wouldn't blocking it from accessing the WAN (which is outside my router and I would think would be considered the Internet) block that IP address from accessing the Internet?

(b) So why does blocking that IP address from accessing the LAN (I suppose that any IP address behind the NAT is on the LAN, and any IP in this network behind the LAN can reach out to the Internet unless it is blocked) prevent that IP from accessing the Internet? I suppose I just answered my own question, because the next thing I did was allow that IP address to access the local network 192.168.1.0/24 (in CIDR format).

I will say that the terms LAN, WAN Network, etc. need a little clarification for noobs using pfSense. What is the WAN, really? Why can't I just block my LAN IP address from accessing the WAN? Why does that not work? I think anyone who can answer that question would help me and a lot of others, I would guess.

Thanks, parry

parryj
  • 1
0

Also you could just do:

  1. Action --> Pass
  2. Interface --> LAN
  3. Address Family --> (you choose)
  4. Protocol --> Any
  5. SOURCE Single Host ---> 192.168.1.7
  6. Destination (Invert) ---> WAN

tony
  • 1