OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: pbolduc on April 21, 2017, 10:12:27 pm

Title: Block Internal IP Range from Accessing Internet
Post by: pbolduc on April 21, 2017, 10:12:27 pm
Hi,

Is it possible to take a range of IPs on a class C subnet such as 192.168.1.229-192.168.1.254 and only allow that range to access the WAN port?

While having a second rule that denies the devices in the IP range of 192.168.1.2-192.168.1.228 access to the internet?

For instance, only allow the router and the assigned DHCP pool access to the internet, while all other devices that might be statically assigned are refused an internet connection.

I've attempted to create these firewall rules by specifying the IP ranges in either the Host(s) or Network(s) alias type, and I've placed those Aliases within the appropriate Firewall Rule policy under LAN to enable and disable each range of specified IPs listed in the Firewall Alias.

I've also moved the Deny Policy above all allow policies and it still doesn't seem to stop the traffic. I'm baffled.
Title: Re: Block Internal IP Range from Accessing Internet
Post by: pbolduc on April 22, 2017, 01:29:37 am
What I have done in the meantime is I have only allocated the LAN subnet to use 30 hosts by giving the network mask a subnet of 255.255.255.224 or /27. That way only 30 hosts can exist on the LAN between 192.168.1.1 and 192.168.1.30. At this point I am unable to keep PCs on the same network and create an ACL that only allows a certain range of IPs to access the WAN port. So as a workaround, I create a small network and control that small network with DHCP MAC address registration.
Title: Re: Block Internal IP Range from Accessing Internet
Post by: chemlud on April 22, 2017, 10:20:15 am
Hi!

I don't really understand what you are looking for: 30 random clients in LAN with WAN access? Or 30 SPECIFIC clients with WAN access?

If you constantly have the same 50 clients, then hand out IPs by MAC (see DHCP server) and sort them into two groups based on an ALIAS, one group with and one group without internet access (firewall rules based on Aliases...).

More info necessary, I guess ;-)
Title: Re: Block Internal IP Range from Accessing Internet
Post by: pbolduc on April 22, 2017, 08:02:05 pm
Hi,

What I was attempting to do was to isolate a range of computers in the same subnet from having internet access while only allowing those in another range in the same subnet to have internet access. I don't think this is possible though, and probably an easier solution would just be to VLAN two networks to achieve this: VLAN1 (has internet) & VLAN2 (has isolated network access but not internet). So I've opted for an easier solution, where I control the PCs on a small subnet and use DHCP MAC registration for those I want to connect to the network and internet. The other PCs that just need network access can make do with a static IP address and no gateway.
Title: Re: Block Internal IP Range from Accessing Internet
Post by: djGrrr on April 27, 2017, 05:24:57 am
I believe the problem with the rules you had is that you were using block with a gateway set; if you remove the gateway from these block rules, I suspect they should work as expected.
Title: Re: Block Internal IP Range from Accessing Internet
Post by: pbolduc on April 27, 2017, 05:21:47 pm
Thank you, I will look into this.
Title: Re: Block Internal IP Range from Accessing Internet
Post by: chemlud on April 27, 2017, 05:44:35 pm
You can have e.g. reserved IPs based on MAC for those which should have internet access and DHCP for those which should not and firewall rules based on Aliases for these two groups...