Hi
I got a camera that I'd like to block from accessing the Internet, how do I do that? I really don't want to mess things up, that's why I ask :-)
Thanks
Variant 1: Give it a static DHCP lease and block access from that IP address.
Variant 2: Put it into a network where no device has internet access.
Maybe this can help:
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#block-a-single-device-on-vlan-10-from-accessing-the-internet
Quote from: lar.hed on August 01, 2020, 12:55:37 PM
Maybe this can help:
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#block-a-single-device-on-vlan-10-from-accessing-the-internet
It has a static IP address, but how do I set a rule, or some other way, to block that one IP address from accessing the Internet? It's a camera and the block should only be to the Internet, not LAN. If I try to type in the specific IP address 192.168.1.4 there is a dropdown box out at the right...?? Sorry, I'm a noob in FW rules
Firewall -> Rules -> WAN interface, create a new rule that only has the static IP in source, outgoing and block?
Okay, so I decided to test this myself: I tried to block my mobile wifi from connecting to the Internet - failure. No matter what I did (floating, alias, direct IP, source, destination, out or in), nothing made any difference.
I'm with JoK on this: How am I supposed to block one static IP from accessing internet?
And another Google search found the answer on this forum:
https://forum.opnsense.org/index.php?topic=17664.0
I should not put this rule in WAN, but in LAN (or in my case ALL_LAN which is a group of interfaces), direction IN, Source is the IP I like to block (or in my case I made an Alias list of hosts, as in the thread mentioned above). Done.
Thanks for your reply, any words on what the dropdown box is for, right beside the box where the IP address is typed in??
This one
24
I tried to make the rule as suggested and turned on logging, the rule seems to block IP address 192.168.1.102...and not 192.168.1.4....
I give up ...🙁
Quote from: JoK on August 03, 2020, 04:12:33 PM
Quote from: lar.hed on August 02, 2020, 05:35:34 PM
24
Thanks, but what is it?
It is the netmask for the IP address, look here for example:
http://www.sput.nl/internet/netmask-table.html
Don't give up - we are here, it's just not real time all the time ;-)
This is how I have done this: I created an Alias to collect all IPs I like to stop from accessing internet inside one place - this way I only alter the Alias and never any rules.
I then have a firewall rule on the interface (which in my case happens to be a firewall group of more than one interface).
I included the rule itself on the third attachment, so you might follow a bit easier.
(and then I wonder how I include the attachment in this text but that is another story I guess...)
Oh, so you made an Alias or "group" that can contain all the IPs you want to block, yeah that sounds easier than just making a rule for each IP, and you can add more IPs along the way..right?
What's the "Source/invert"?
The "destination" you have marked as "All_LAN", is that, in my case, just LAN...I only have one? :-) ...I would have guessed this should have been Internet
Well....I tried to put my iPad's IP address in the Alias to test this, and it's still online, what the fudge am I doing wrong
I did it EXACTLY like on your pictures, except I chose "LAN net" instead of your "ALL_LAN"
ALL_LAN = my "LAN" interface, and 3 more interfaces that all represent the "inside" interfaces, grouped together. Easier to handle so to speak.
I hope you selected Destination/invert - and not source/invert. Double check - it is very easy to miss the small details :-( I know that for a fact. Anyway, "Destination/invert" is like "not" (notice the small "!" before "All_LAN net" on the "Interface.jpg"). So double check that your rule is identical except "LAN net" instead of "All_LAN net", including the "!".
Or to copy someone else:
Quote
LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop
A screenshot, it should be almost identical to yours, except the name
one more
You need to move the block rule BEFORE the first ip4 rule...
Like this?
Weeee..it's now working, thank you SOOOOO much for your kind help and patience :-)
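
The rule the thread arrives at (LAN interface, direction in, source the device or alias, destination inverted LAN net, action block, placed above the allow rule), modelled as an added example that is not part of any post above. It assumes the first matching rule decides the packet; the addresses are constructed, and `Rule`, `evaluate` and the rule lists are hypothetical names.

```python
# Added illustration, not from the thread: simplified first-match rule model.
# Assumption: the first matching rule on the interface decides the packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")       # constructed LAN subnet
NO_INTERNET = {ip_address("192.168.1.4")}    # alias holding the camera
INTERNET_HOST = "203.0.113.10"               # constructed outside address

@dataclass
class Rule:
    action: str                # "block" or "pass"
    source: object             # alias (set of hosts) or a network
    dest: object = None        # network, or None for "any"
    dest_invert: bool = False  # the "!" in front of the destination

    def matches(self, src, dst):
        if src not in self.source:
            return False
        if self.dest is None:
            return True
        # Invert flips the test: "! LAN net" means "anything but the LAN".
        return (dst in self.dest) != self.dest_invert

def evaluate(rules, src, dst):
    """Return the action of the first rule that matches, else block."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"

BLOCK_ALIAS = Rule("block", NO_INTERNET, LAN_NET, dest_invert=True)
ALLOW_LAN = Rule("pass", LAN_NET)
# Same block rule, but the source typed as 192.168.1.4 with mask 24:
# that covers every host in 192.168.1.0/24, not only the camera.
BLOCK_MASK_24 = Rule("block", ip_network("192.168.1.4/24", strict=False),
                     LAN_NET, dest_invert=True)

WORKING = [BLOCK_ALIAS, ALLOW_LAN]     # block rule above the allow rule
MISORDERED = [ALLOW_LAN, BLOCK_ALIAS]  # allow rule matches first

if __name__ == "__main__":
    for name, rules in (("working", WORKING), ("misordered", MISORDERED)):
        print(name, "camera -> internet:",
              evaluate(rules, "192.168.1.4", INTERNET_HOST))
    print("camera -> LAN:", evaluate(WORKING, "192.168.1.4", "192.168.1.10"))
    print("mask 24, other host:",
          evaluate([BLOCK_MASK_24, ALLOW_LAN], "192.168.1.102", INTERNET_HOST))
```

With the block rule below the allow rule, the camera's traffic is passed before the block rule is ever consulted, which is why rule order and the selected mask are the two things to check when a block appears to do nothing or hits the wrong host.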