OPNsense Forum

English Forums => General Discussion => Topic started by: frozen on February 13, 2024, 08:44:11 pm

Title: I can't figure out how to block IP addresses
Post by: frozen on February 13, 2024, 08:44:11 pm
Hello there, I am trying to learn how to block individual IP addresses and it isn't working for me.  I want to block any DNS servers my Amazon Fire Tablet is using to sneak past my Pi-hole, starting with 8.8.8.8 as a test run.  But it's not working.

I created an Alias, and inserted 8.8.8.8 as the content (reduced this to just 1 IP after noticing my entire list did not work either).

Then, I went to Rules -> Floating and thought I did everything right?  Picture is attached for all settings.

It does not work.  8.8.8.8 is fully reachable, pingable, everything, even after hitting apply.  Why?  And needless to say ads are getting through via 8.8.8.8, which Fire Tablets add as a forced 3rd DNS server.

Pics attached of both Alias and Rule.

Thanks for any help

I tried changing to Host(s) instead of URL(IPs) with no change, still lets it through
Title: Re: I can't figure out how to block IP addresses
Post by: meyergru on February 13, 2024, 10:45:42 pm
You should consult the documentation on alias types (https://docs.opnsense.org/manual/aliases.html).

The type you use ("URL (IP)") is used to specify the URL for a list of IPs (aka block list), not one single or a group of IPs you specify yourself. Thus, OPNsense tries to fetch the "URL" you gave (in vain, since there is no web server at 8.8.8.8) and interpret that as a list of IPs.

You probably want to use the "Host" alias type and list the IPs. Remember to include Google IPv6 IPs as well.

Also, I would write the rule only to block incoming traffic on LAN, not "any" on LAN and WAN, and enable logging for the rule, so you can watch it work in Firewall->Log->Live View.
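To make the mechanism in the reply above concrete, here is an added toy model of how an alias feeds a firewall rule; it is example code written for this thread, not OPNsense's own implementation or anything from the posters. A "URL (IP)" alias is resolved by downloading a list from each entry, so when nothing answers at the "URL" the resulting table is empty and the block rule matches nothing; a "Host(s)" alias resolves to the literal addresses. The tablet address, the alias and interface names, and the `failed_fetch` stand-in are constructed assumptions; the Google IPv6 resolver addresses are included only as sample entries for the "include IPv6" advice.

```python
"""Toy model of OPNsense alias resolution feeding a LAN block rule.

Added example, not OPNsense code.  Names and addresses below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Alias:
    name: str
    kind: str            # "host": literal IPs/CIDRs; "urlip": URLs of IP lists
    content: List[str]


def failed_fetch(url: str) -> Optional[str]:
    """Stand-in for the list download when nothing serves the 'URL'."""
    return None


def resolve_alias(alias: Alias,
                  fetch: Callable[[str], Optional[str]] = failed_fetch) -> Set:
    """Expand an alias into the set of networks the rule will match on."""
    nets = set()
    if alias.kind == "host":
        for entry in alias.content:
            nets.add(ipaddress.ip_network(entry, strict=False))
    elif alias.kind == "urlip":
        for url in alias.content:
            body = fetch(url)
            if body is None:           # download failed: contributes nothing
                continue
            for line in body.splitlines():
                line = line.split("#", 1)[0].strip()   # drop comments/blanks
                if line:
                    nets.add(ipaddress.ip_network(line, strict=False))
    else:
        raise ValueError(f"unknown alias type {alias.kind!r}")
    return nets


@dataclass
class Rule:
    interface: str       # "lan", "wan" or "any"
    direction: str       # "in", "out" or "any"
    action: str          # "block" or "pass"
    dst: Set             # resolved networks the destination is checked against
    log: bool = False


def evaluate(rules: List[Rule], interface: str, direction: str,
             src: str, dst: str, log: List[str]) -> str:
    """First matching rule decides; unmatched traffic passes in this model."""
    d = ipaddress.ip_address(dst)
    for r in rules:
        if r.interface not in ("any", interface):
            continue
        if r.direction not in ("any", direction):
            continue
        if not any(d in net for net in r.dst):   # version mismatch is False
            continue
        if r.log:
            log.append(f"{r.action} {interface} {direction} {src} -> {dst}")
        return r.action
    return "pass"


# Constructed sample values for the scenario in the thread.
TABLET = "192.168.1.50"
DNS_SERVERS = ["8.8.8.8", "8.8.4.4",
               "2001:4860:4860::8888", "2001:4860:4860::8844"]


def outcome(alias_kind: str, dst: str = "8.8.8.8"):
    """Verdict and log lines for one tablet -> DNS-server packet entering LAN."""
    alias = Alias("blocked_dns", alias_kind, DNS_SERVERS)
    rule = Rule("lan", "in", "block", resolve_alias(alias), log=True)
    log: List[str] = []
    verdict = evaluate([rule], "lan", "in", TABLET, dst, log)
    return verdict, log


if __name__ == "__main__":
    for kind in ("urlip", "host"):
        print(kind, outcome(kind))
```

Running it prints `urlip ('pass', [])` followed by `host ('block', ['block lan in 192.168.1.50 -> 8.8.8.8'])`, which is the difference the reply describes: same rule, but only the Host alias gives it a non-empty table to match, and the logged line is what you would look for in Firewall->Log->Live View.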