
Author Topic: Block access to WAN, for a single client [SOLVED]  (Read 238 times)


Offline lavito
Block access to WAN, for a single client [SOLVED]
« on: November 05, 2017, 07:10:24 pm »
I have a simple setup WAN/LAN1/LAN2. All LAN1/2 clients have access to WAN and can access the internet.
However, I wanted to block access to the Internet for one of the clients from LAN1, 192.168.0.3, but was not able to do so.

I have no floating rules or other special routing setup. The only rules I have are (columns: Action, Protocol, Source, Port, Destination, Port, Gateway, Queue, Description):

WAN:
  • BLOCK  *     RFC 1918 networks               *  *             *             *  *  Block private networks
  • BLOCK  *     Reserved / Not assigned by IANA *  *             *             *  *  Block bogon networks

LAN1:
  • PASS   *     *                               *  LAN1 Address  443 80 61000  *  *  Anti-Lockout Rule
  • BLOCK  IPv4* 192.168.0.3                     *  WAN net       *             *  *  none
  • PASS   IPv4* LAN1 net                        *  *             *             *  *  none


I can block 192.168.0.3 by adding a floating rule, but I was hoping I could just add a normal rule to the interface.


Can anybody shed some light on what I may be missing?

« Last Edit: November 06, 2017, 03:53:16 pm by lavito »

Offline Derelict
Re: Block access for a single client to WAN
« Reply #1 on: November 05, 2017, 07:44:39 pm »
Destination WAN net is not the internet. Destination any is the internet.

And you can't block source 192.168.0.3 using a floating rule because NAT has already occurred so the source at that point would be WAN address.

Offline lavito
Re: Block access for a single client to WAN
« Reply #2 on: November 06, 2017, 01:38:34 pm »
Quote from Derelict:
Destination WAN net is not the internet. Destination any is the internet.

And you can't block source 192.168.0.3 using a floating rule because NAT has already occurred so the source at that point would be WAN address.

Thank you for clarifying what the "WAN net" alias is not; however, can you explain why, when adding a rule to the WAN interface:

BLOCK
Protocol/Port: Any
Source: 192.168.0.3 and
Destination: "Any"

still does not block "192.168.0.3" from accessing the internet via WAN?


« Last Edit: November 06, 2017, 02:27:52 pm by lavito »

Offline KOM
Re: Block access for a single client to WAN
« Reply #3 on: November 06, 2017, 02:04:34 pm »
Rules are applied to traffic that enters an interface. If you want to fiddle with your LAN clients, you need to put your rule on the LAN interface. Also, if you add a rule that blocks particular traffic, you will need to reset any existing states of that traffic.


Offline lavito
Re: Block access for a single client to WAN
« Reply #4 on: November 06, 2017, 02:20:48 pm »
OK, I added a BLOCK rule !192.168.0.0/16 to LAN and it works, thank you for that!

However, I was wondering why it does not work when you put the below rule in WAN?
Strictly speaking, traffic "enters" the WAN interface from LAN1, so I don't understand why the WAN rule below doesn't work:

BLOCK
Protocol/Port: Any
Source: 192.168.0.3 and
Destination: "Any"

Quote from KOM:
Also, if you add a rule that blocks particular traffic, you will need to reset any existing states of that traffic.

Yes, I was aware of this.
« Last Edit: November 06, 2017, 02:27:13 pm by lavito »

Offline KOM
Re: Block access for a single client to WAN
« Reply #5 on: November 06, 2017, 02:57:00 pm »
But the traffic from LAN never enters WAN, it leaves it. You have to imagine pfSense as a central object with the interfaces at the edge. Traffic enters an interface from the network it came from, IN to pfSense. pfSense then decides what to do with the traffic and sends it OUT a different interface.

Downloading a file from the Internet involves traffic going IN to WAN and OUT to LAN.
Uploading a file involves traffic going IN to LAN and OUT to WAN.

This is a simplification of course, as there is communication back and forth in any TCP connection.

Below is an image which may help explain how it works.

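To make the two points in this thread concrete (rules are evaluated on the interface the packet enters, so a WAN rule never sees LAN-originated traffic, and "WAN net" is only the WAN subnet, not the internet; plus Derelict's note that after outbound NAT the WAN side sees only the WAN address), here is a small first-match rule evaluator. It is an added illustration written for this page, not pfSense code; the 203.0.113.0/24 WAN subnet, the 203.0.113.2 WAN address and the 198.51.100.10 internet host are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): LAN1 is 192.168.0.0/24, the WAN
# interface sits in 203.0.113.0/24. "WAN net" means only that subnet.
NETS = {
    "LAN1 net": ipaddress.ip_network("192.168.0.0/24"),
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
WAN_ADDRESS = "203.0.113.2"       # constructed WAN interface address
INTERNET_HOST = "198.51.100.10"   # constructed destination on the internet

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name from NETS or a literal address/network
    dst: str

def matches(spec, addr):
    net = NETS.get(spec) or ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net

def evaluate(rulesets, ingress, src, dst):
    """First matching rule on the *ingress* interface decides; default deny.
    Rules bound to other interfaces are never consulted for this packet."""
    for rule in rulesets.get(ingress, []):
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action
    return "block"

def source_as_seen_on_wan(src):
    """After outbound NAT, anything leaving via WAN carries the WAN address,
    so a WAN-side rule matching 192.168.0.3 can never see that source."""
    return WAN_ADDRESS if matches("LAN1 net", src) else src

# Rule sets from the thread (anti-lockout omitted; it only covers LAN1 Address).
ORIGINAL = {
    "LAN1": [Rule("block", "192.168.0.3", "WAN net"),
             Rule("pass", "LAN1 net", "any")],
    "WAN": [Rule("block", "192.168.0.3", "any")],   # the rule that never fires
}
FIXED = {
    "LAN1": [Rule("block", "192.168.0.3", "any"),
             Rule("pass", "LAN1 net", "any")],
}

if __name__ == "__main__":
    print(evaluate(ORIGINAL, "LAN1", "192.168.0.3", INTERNET_HOST))  # pass
    print(evaluate(FIXED, "LAN1", "192.168.0.3", INTERNET_HOST))     # block
    print(source_as_seen_on_wan("192.168.0.3"))                      # 203.0.113.2
```

Note that `evaluate` only models rule matching; as KOM says, a newly added block rule also needs the existing states for that traffic reset before it takes effect on live connections.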

Offline lavito
Re: Block access for a single client to WAN
« Reply #6 on: November 06, 2017, 03:40:26 pm »
Thank you very much for that!!! This was the detail I was missing. 8)

In my mind, traffic (in the case of e.g. an HTTP GET) was taking the route below:

[IN -> (LAN interface) ->  OUT] ----router------>   [IN -> (WAN interface) ->  OUT]

So I thought, when the rule is evaluated, as far as the traffic is concerned, the traffic from LAN arrives at WAN and therefore enters the WAN interface (the red IN).

Now I can see why it does not work. Essentially I now visualise it as below:

[IN -> (LAN interface) ] ----router------>   [(WAN interface) ->  OUT]


Thanks again!

« Last Edit: November 06, 2017, 03:49:58 pm by lavito »