OPNsense Forum

English Forums => General Discussion => Topic started by: guest35930 on December 08, 2022, 02:50:50 AM

Title: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 02:50:50 AM
Hello, I have a problem.

Basically, I have an IP connecting from one of my devices (it appears in: OPNsense panel > Reporting > Traffic).

I created an alias (blockhacker-alias) with the IP range 200.1.1.1-200.225.225.225 (I want to block every IP set coming from it).

Then I went to Firewall > Rules > WAN > LAN and created the block ruleset for in and out rules using that alias.

I also went to Firewall > Rules > Floating (floating does not depend on any interface, so you can massively apply any ruleset for any interface using floating rules).

I created the block ruleset with the alias I created previously, then saved and applied all the rules.

Despite that, the IP 200.1.1.1 (it is a weird IP) is still appearing in OPNsense panel Reporting > Traffic.

What can I do to effectively block such an IP range? Suricata does nothing (the IP still connects).

I need to block it because it is a RAT virus pinging home or stealing data.

Thank you.
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: slackadelic on December 08, 2022, 03:31:22 AM
Can you post screenshots of the logs in question that led you to believe this was an issue and also post screenshots of the rules please.

Thank you!
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 04:33:03 AM
It is an issue because I need to block that IP range (it's a virus) and it is not working; somehow the IP is not getting blocked.
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 04:33:57 AM
Please help me, I am trying to protect myself against some bad people.
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 10:52:56 AM
Screenshots here...

https://imgur.com/a/UGolBcy
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 11:08:32 AM
Long story short, those IP addresses are from my ISP carrier, and somehow it looks like someone from other IPs on the same carrier is connecting to my mobile device...
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 08, 2022, 11:10:36 AM
The true IP addresses are in the screenshot; I typed 200.x.x.x as an example for security reasons.
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: tiermutter on December 08, 2022, 11:14:30 AM
Why that crossposting?
https://forum.opnsense.org/index.php?topic=31389.0
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: slackadelic on December 08, 2022, 02:02:32 PM
Your block rules should be at the top of your rule set.

Rules are done in order from top to bottom. Block rules should be before accept rules unless the accept rule needs to trigger before a block rule.

I hope that makes sense.
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 11, 2022, 01:47:36 AM
All the block rules are on top so they have priority above others...

However, should I use the first match, or not?
Title: Re: Firewall not blocking ip address range despite creating rules for it
Post by: guest35930 on December 11, 2022, 02:08:33 AM
Quote from: slackadelic on December 08, 2022, 02:02:32 PM
Your block rules should be at the top of your rule set.

Rules are done in order from top to bottom. Block rules should be before accept rules unless the accept rule needs to trigger before a block rule.

I hope that makes sense.

Here are the rules, please let me know if I am doing something wrong... thanks

https://imgur.com/a/NUy0IWJ

1: floating rules config
2: rule config detailed (it shows the subnet mask, so it should block all the IP range from 172.0.0.0 to /32 -> everything the rest)

Am I wrong? Why is it not blocking it?

I am concerned because the IP is from my same carrier and it is like someone trying to MITM (hostname says "google video" but there is no Google in my country (it is banned), and it is VERY suspicious for a local IP from my internet service provider to have that name, implying it is a residential IP and not a legit Google...)

If someone can help me... I'll be thankful.
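
Added example, not part of any post in this thread: a simplified Python model of the two points discussed above, namely top-to-bottom rule evaluation with and without "first match" (quick), and what a /32 mask actually covers. The evaluator is a simplification of pf-style matching with a default-deny fallback assumed, and the rulesets and the 172.45.6.7 test address are constructed sample values.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Summarise an inclusive first-last range (as typed into a range alias) into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def evaluate(rules, src):
    """Simplified pf-style evaluation of (action, network, quick) rules, top to bottom.
    A matching rule with quick=True decides at once (first match); without quick,
    the LAST matching rule decides. Assumption: no match falls back to 'block'."""
    addr = ipaddress.ip_address(src)
    verdict = "block"
    for action, network, quick in rules:
        if addr in ipaddress.ip_network(str(network)):
            verdict = action
            if quick:
                break
    return verdict

def ruleset(block_nets, quick):
    """Block rules on top, followed by a broad pass rule (constructed sample ruleset)."""
    return [("block", n, quick) for n in block_nets] + [("pass", "0.0.0.0/0", False)]

if __name__ == "__main__":
    nets = range_to_cidrs("200.1.1.1", "200.225.225.225")  # range from the first post
    print(len(nets), "CIDR blocks cover the alias range")
    # Same rule order, different outcome depending on the quick / first-match flag.
    for quick in (False, True):
        print("quick =", quick, "->", evaluate(ruleset(nets, quick), "200.1.1.1"))
    # A /32 mask matches exactly one address; a /8 matches 16,777,216.
    for mask in ("172.0.0.0/32", "172.0.0.0/8"):
        net = ipaddress.ip_network(mask)
        print(mask, net.num_addresses, evaluate(ruleset([net], True), "172.45.6.7"))
```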