OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: GRIZZLE33 on July 18, 2018, 05:11:12 am

Title: Firewall block rule for specific ip addresses
Post by: GRIZZLE33 on July 18, 2018, 05:11:12 am
I have 5 ip cameras that I do not want to "Phone Home"

I have them on the following IP addresses

192.168.1.15
192.168.1.16
192.168.1.17
192.168.1.18
192.168.1.19

I would like to be able to restrict any outside internet access to them, and allow them to connect to my NVR locally.

I was hoping to add a firewall block rule, however I can't seem to find out how to do that.

Thanks in advance.

Title: Re: Firewall block rule for specific ip addresses
Post by: JasMan on July 18, 2018, 07:42:00 am
If your NVR is in the same subnet as your IP cams, the easiest way would be to remove the gateway IP address (and maybe DNS) from your IP cams.

Otherwise it depends on how your firewall is configured. Is every IP in your 192.168.1.0 subnet allowed to access the Internet? Then you have to create a deny rule for the group of IPs that are not allowed. The easiest way would be an alias containing those IPs. Move the deny rule before the allow rule.

You can also do this with one rule. Create an alias (e.g. HTTP_clients) with the IPs that are allowed to access the Internet. Change your rule from

Source: LAN_net
Destination: Any
Service: HTTP/HTTPS

to

Source: HTTP_clients
Destination: Any
Service: HTTP/HTTPS

You have to add new clients with Internet access to the alias manually then, but it prevents new IoT devices from phoning home as soon as you've connected them.
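The two rule layouts described in the reply above, written out as a pf.conf fragment so the ordering and alias logic can be read and syntax-checked in one place (an added example, not from the thread and not OPNsense's generated ruleset; the interface name em0 and the two addresses in the allow-list table are assumptions, and the second option is left commented out so the file stays loadable as a whole):

```pf
# Constructed example: pf.conf equivalent of the OPNsense GUI rules discussed
# in this thread. Interface name and allow-list addresses are assumptions.
lan_if  = "em0"
lan_net = "192.168.1.0/24"

# Alias holding the five cameras (the "group of IPs that are not allowed")
table <ip_cams> const { 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.18, 192.168.1.19 }

# Option 1: keep the LAN-wide allow rule and put the camera rules in front of it.
# "quick" makes the first matching rule final (OPNsense GUI rules are quick by
# default), so the order of these three lines decides the outcome.
pass  in     quick on $lan_if from <ip_cams> to $lan_net   # NVR and other local hosts stay reachable
block in log quick on $lan_if from <ip_cams> to any        # anything else (Internet) is dropped and logged
pass  in     quick on $lan_if from $lan_net  to any        # the existing "Source: LAN_net, Destination: Any" rule

# Option 2: replace the LAN-wide allow with an allow-list alias (HTTP_clients).
# Hosts missing from the table match no pass rule, so a freshly connected IoT
# device is blocked until someone adds it. Addresses here are placeholders.
# table <http_clients> { 192.168.1.10, 192.168.1.20 }
# pass  in     quick on $lan_if proto tcp from <http_clients> to any port { 80, 443 }
# block in log       on $lan_if from $lan_net to any   # make the default deny explicit and logged

# Syntax check without loading anything:  pfctl -nf /path/to/this.conf
```

The first pass rule in option 1 only matters when the NVR sits in a different subnet; camera-to-NVR traffic inside 192.168.1.0/24 never reaches the firewall, which is why the reply suggests simply removing the cameras' gateway address in that case.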