Firewall rules not working (not blocking IP)

Started by guest35930, December 08, 2022, 10:51:37 AM

Hello, I have a problem.

Basically I have an IP connecting from one of my devices (it appears in: OPNsense panel > Reporting > Traffic).

Created an alias (blockhacker-alias) with the IP range 200.1.1.1-200.225.225.225 (I want to block every IP coming from it).

Then went to Firewall > Rules > WAN > LAN and created the block rules for in and out using that alias.

Also went to Firewall > Rules > Floating (floating rules do not depend on any interface, so you can apply a ruleset to every interface at once using floating rules).

Created the block rule with the alias I created previously, saved and applied all the rules.

And despite that, the IP 200.1.1.1 (it is a weird IP) is still appearing in the OPNsense panel under Reporting > Traffic.

What can I do to effectively block this IP range? Suricata does nothing (the IP still connects).

I need to block it because it is a RAT virus pinging home or stealing data.

Thank you.

SCREENSHOTS HERE:

https://imgur.com/a/UGolBcy

I wonder what range you really want to capture with the expression 200.1.1.1-200.225.225.225?

All addresses starting with 200 are either 200.0.0.0/24 as a network definition or 200.0.0.0-200.255.255.255 as an IP range. I'm not quite sure what OPNsense will make out of yours.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Long story short, those IP addresses are from my ISP carrier, and somehow it looks like someone from other IPs on the same carrier is connecting to my mobile device...

The true IP addresses are in the screenshot; I typed 200.x.x.x as an example for security reasons.

As the docs state, 200.1.1.1-200.225.225.225 should work for HOSTS, but maybe not for NETWORKS.
You also should kill states after applying deny rules.
I am not an expert... just trying to help...

Again: what is 172.1.1.1 - 172.224.224.224 supposed to achieve? That is not how IP addressing works.

172.0.0.0-172.255.255.255 or 172.0.0.0/8

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
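To make Patrick's point concrete, here is an added example (not from the forum thread and not OPNsense code) that parses an alias entry written either as a CIDR prefix or as a start-end range, the two notations discussed above, and checks which addresses each one actually covers. The entries and sample addresses are constructed for the demonstration; the dash range is the one from the thread, and the /8 is the "every address starting with 200" that the poster seems to want. Running it shows that the odd endpoints leave both ends of the 200.0.0.0/8 block uncovered, so an address like 200.0.0.5 or 200.230.1.1 would never match the block rule.

```python
import ipaddress

# Constructed sample alias entries in the two notations discussed in the thread.
RANGE_ENTRY = "200.1.1.1-200.225.225.225"   # the dash range from the original post
CIDR_ENTRY = "200.0.0.0/8"                   # "every address starting with 200"


def parse_alias_entry(entry):
    """Return the list of CIDR networks that one alias entry covers.

    Accepts a single host ('a.b.c.d'), a prefix ('a.b.c.d/nn') or a
    range ('a.b.c.d-w.x.y.z'). A range is split into the minimal set of
    CIDR blocks, which is the form a packet filter ultimately needs.
    """
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {entry}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False tolerates host bits set in the prefix (e.g. 200.1.0.0/8)
    return [ipaddress.ip_network(entry, strict=False)]


def covers(entry, ip):
    """True if the alias entry contains the given address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_alias_entry(entry))


def address_count(entry):
    """Number of addresses the alias entry matches."""
    return sum(net.num_addresses for net in parse_alias_entry(entry))


def compare(entry_a, entry_b, ips):
    """Map each sample address to (covered by entry_a, covered by entry_b)."""
    return {ip: (covers(entry_a, ip), covers(entry_b, ip)) for ip in ips}


if __name__ == "__main__":
    # Constructed sample addresses: inside the range, at the gaps the range
    # leaves open, and one address outside 200/8 entirely.
    samples = ["200.1.1.1", "200.100.7.7", "200.0.0.5",
               "200.230.1.1", "200.255.255.255", "172.16.0.1"]
    print(f"{RANGE_ENTRY}: {len(parse_alias_entry(RANGE_ENTRY))} CIDR blocks, "
          f"{address_count(RANGE_ENTRY)} addresses")
    print(f"{CIDR_ENTRY}: {len(parse_alias_entry(CIDR_ENTRY))} CIDR block, "
          f"{address_count(CIDR_ENTRY)} addresses")
    for ip, (in_range, in_cidr) in compare(RANGE_ENTRY, CIDR_ENTRY, samples).items():
        print(f"{ip:>16}  range={in_range!s:<5}  /8={in_cidr}")
```

The same helper works for the 172.x.x.x examples later in the thread: swap the two entries and the output shows exactly which addresses a dash range with arbitrary endpoints misses compared with the /8 Patrick suggests.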

Quote from: pmhausen on December 08, 2022, 11:42:38 AM
Again: what is 172.1.1.1 - 172.224.224.224 supposed to achieve? That is not how IP addressing works.

172.0.0.0-172.255.255.255 or 172.0.0.0/8

I'm a newbie... googled a lot... YouTubed a lot... found nothing. I am just trying to apply the range... from 172.0.0.0 to all the IPs so I can kick those remote administration tools....

Quote from: tiermutter on December 08, 2022, 11:16:14 AM
As the docs state, 200.1.1.1-200.225.225.225 should work for HOSTS, but maybe not for NETWORKS.
You also should kill states after applying deny rules.


Here are the rules, please let me know if I am doing something wrong... thanks

https://imgur.com/a/NUy0IWJ

1: floating rules config
2: rule config detailed (it shows a subnet mask, so it should block the whole IP range from 172.0.0.0 to /32 -> everything else)

Am I wrong? Why is it not blocking it?

I am concerned because the IP is from my same carrier and it is like someone trying to MITM (the hostname says "google video", but there is no Google in my country (it is banned), and it is VERY suspicious for a local IP from my internet service provider to have that name, implying it is a residential IP and not a legit Google....)