Blocking single device by IP access to Internet

Started by Taomyn, June 13, 2020, 06:40:45 PM

Hi, I am adding to this post.
I also have the same problem, and I have created the rule following what is stated in this post, but the machine still navigates.

I am attaching two screenshots.

I just followed your advice guys and just to say: it works like a charm:

  • IoT devices on DHCP (192.168.1.81-240): blocked everything but 192.168.1.0
  • IoT cameras on a fixed IP range (192.168.1.15-20): blocked everything but 192.168.1.0

Quote from: Mitheor on June 14, 2020, 03:50:13 PM
If you configure it like:

LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop

And apply, it should work.

5 years later, I'm hoping you're still around. The GUI seems much more complex now.

This seems to be a good place to start with rules.
-Sophos XG115 running the latest version of OPNsense
-no VLANs
-single router, single subnet

I want to start by making a rule to prohibit a single Home Assistant-connected device from accessing the internet.

I think I get how to use aliases to expand the rule to a range of IP addresses.

As of now, the rule is disabled. I know to enable it, but I would be very grateful for confirmation--more likely, corrections.

Quote from: curioustech on June 15, 2020, 04:14:09 PM
The following are the perfect steps. The only thing I want to add is order.

Ensure the rule you create in the steps mentioned below is sitting on top of the pass LAN rule.


Quote
Are you sure this device is being allowed to contact other destinations (non 443/TCP) in Internet?

Could you please upload another screenshot showing it (blur whatever is needed).

If you configure it like:

By this, do you mean:
(I know to enable it later)

Given the "Last active" date for the members involved, I hope you're not in a hurry...
You might as well have started a new thread.
Actually, you could have just tried your rule and tested it (see outcomes in the logs, which requires logging to be enabled, and a description would help too).
Asking for review is going to make for a slow process...
Apart from the comments above, the rule looks fine (only you can decide if blocking TCP is enough). Order is fine too.
A pre-requisite is that the device always gets that IP (with a static IP or a reservation outside the DHCP range).
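The points made above (put the block rule above the "Default allow LAN to any" pass rule, "Invert" the LAN destination, decide whether blocking only TCP is enough, and give the device a fixed address) can be checked with a small model of first-match rule evaluation. This is an added example, not code from any poster in this thread or from OPNsense itself; the LAN subnet 192.168.1.0/24, the device address 192.168.1.50 and the rule descriptions are assumptions for the illustration.

```python
"""Model of first-match ('quick') evaluation of an OPNsense LAN rule set.

The first rule whose selectors match decides the packet, so a block rule
only takes effect if it sits above the 'Default allow LAN to any' pass rule.
Traffic arriving on an interface that matches no rule is dropped by the
implicit default deny. Addresses and descriptions are constructed for the example.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # assumed LAN subnet
DEVICE = ipaddress.ip_network("192.168.1.50/32")      # assumed device IP (reserved or static)
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(action, src, dst, invert_dst=False, proto="any", desc=""):
    """One GUI rule: src/dst are ip_network objects, invert_dst is the 'Invert' checkbox."""
    return {"action": action, "src": src, "dst": dst,
            "invert_dst": invert_dst, "proto": proto, "desc": desc}


def matches(r, src, dst, proto):
    if src not in r["src"]:
        return False
    in_dst = dst in r["dst"]
    # Inverted destination: match only when dst is NOT inside the network.
    if in_dst == r["invert_dst"]:
        return False
    return r["proto"] == "any" or r["proto"] == proto


def evaluate(rules, src, dst, proto="tcp"):
    """Return (action, description) for a packet entering the LAN interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, s, d, proto):
            return r["action"], r["desc"]
    return "block", "default deny"


BLOCK_DEVICE = rule("block", DEVICE, LAN_NET, invert_dst=True,
                    desc="Block HA device to non-LAN")
BLOCK_DEVICE_TCP = rule("block", DEVICE, LAN_NET, invert_dst=True, proto="tcp",
                        desc="Block HA device TCP to non-LAN")
ALLOW_LAN = rule("pass", LAN_NET, ANY, desc="Default allow LAN to any")


def block_on_top():
    """Correct order: the block rule is evaluated before the LAN pass rule."""
    return [BLOCK_DEVICE, ALLOW_LAN]


def block_below_pass():
    """Wrong order: the pass rule matches first, so the block rule never fires."""
    return [ALLOW_LAN, BLOCK_DEVICE]


def tcp_only_block():
    """Block limited to TCP: UDP and ICMP from the device still reach the Internet."""
    return [BLOCK_DEVICE_TCP, ALLOW_LAN]


if __name__ == "__main__":
    cases = [
        ("192.168.1.50", "8.8.8.8", "tcp"),       # device to Internet
        ("192.168.1.50", "192.168.1.1", "tcp"),   # device to the firewall itself
        ("192.168.1.60", "8.8.8.8", "tcp"),       # another LAN host to Internet
        ("192.168.1.51", "8.8.8.8", "tcp"),       # device after a DHCP address change
    ]
    for name, rules in (("block on top", block_on_top()),
                        ("block below pass", block_below_pass()),
                        ("tcp-only block", tcp_only_block())):
        print(f"== {name}")
        for src, dst, proto in cases:
            print(f"  {src} -> {dst} {proto}: {evaluate(rules, src, dst, proto)}")
        print(f"  192.168.1.50 -> 8.8.8.8 udp: {evaluate(rules, '192.168.1.50', '8.8.8.8', 'udp')}")
```

The last case in the demo is the one EricPerl warns about: if the device picks up a different lease, the /32 rule no longer matches and the default LAN pass rule lets it out, which is why a reservation (or a static address outside the pool) is a prerequisite rather than a nicety.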

May 30, 2025, 09:33:54 PM #21 Last Edit: May 30, 2025, 09:37:14 PM by umbjm77
Quote from: EricPerl on May 30, 2025, 08:03:57 PM
Given the "Last active" date for the members involved, I hope you're not in a hurry...
You might as well have started a new thread.

Point taken. Thanks for replying.

Quote from: EricPerl on May 30, 2025, 08:03:57 PM
Actually, you could have just tried your rule and tested it (see outcomes in the logs, which requires logging to be enabled, and a description would help too).

Will do. It's my first rule, so I'm afraid of locking myself out. My next question was about whether to add the /32 to the IP, but it was added for me when I enabled the rule. Next, I'll change the IP to my laptop's to test it.

At least I understand that the devices I want to limit require address reservations!


There's a built-in safeguard (that can be disabled) to prevent lockout: anti-lockout rules.
You should see them in the automatically generated rules.
'Experiment and test' is a good way to learn.