Blocking single device by IP access to Internet

[Taomyn]

I know this is asked in many different ways on the forum but none of them have helped and I cannot for the life of me get this to work.


I want to block one device, by IP, on my LAN, from accessing the Internet. I've tried a floating rule that blocks the IP as source, direction out, and I have tried a similar rule on the WAN tab. With logging enabled, the rule is never logged and the device continues to enjoy Internet access.


I'm suspecting another rule is allowing it and as such the block does not take effect - in both cases above I push the rule to the top to be sure it's used earliest.


Is there a way to simulate an access to see what rule gets applied by the firewall?

[chemlud]

0. The direction "out" is wrong, the directions are if you look at the traffic from the perspective of the interface.

1. Never is a rule on WAN needed.

2. Post a screenshot of your rules. Most likely the block rule is below some allow rule. Move th block rule to the top of the rules...

[Taomyn]

0. Excuse the dumb question but why is "out" wrong? It's the WAN interface so isn't "out" towards the Internet?
1. NAT puts all my rules in WAN, LAN is empty except for the two default rules
2. It is at the top as I stated, I've attached a screen shot of where my current rule is placed.

[chemlud]

Stateful firewall -> assess packets at FIRST interface it hits -> host initiates traffic -> hits LAN interface (direction: in) first...

[Taomyn]

Stateful firewall -> assess packets at FIRST interface it hits -> host initiates traffic -> hits LAN interface (direction: in) first...

Ok, still no matter what combination of floating/interface, direction/any, source/destination I use it never blocks the device. It's more frustrating because I have similar rules for blocking particular ports on the Internet for a whole interface and they work. I tried to clone one of those, swapped the "port" to be any and the source to be the LAN device, and still nothing.


So what should the rule be?

[hushcoden]

I want to block one device, by IP, on my LAN, from accessing the Internet. I've tried a floating rule that blocks the IP as source, direction out, and I have tried a similar rule on the WAN tab. With logging enabled, the rule is never logged and the device continues to enjoy Internet access.

No need a floating rule, try this:

   1) create an alias (you can see that's the IP of the device I'm blocking)

   2) create a LAN rule, defualt values and as source chose your alias

and please let us know if it works.

[Taomyn]

If I place it on the LAN interface it blocks the device's access to any services on the firewall itself e.g. the time service on 192.168.1.1:123, and I only want it blocking traffic out through WAN to the Internet - the firewall and other interfaces are fine to be accessible.

[Mitheor]

If I place it on the LAN interface it blocks the device's access to any services on the firewall itself e.g. the time service on 192.168.1.1:123, and I only want it blocking traffic out through WAN to the Internet - the firewall and other interfaces are fine to be accessible.

Do not use the ANY in the rule as ip dst.

There are some options. For example put your LAN as destination and invert.
Or create a new rule before the one already created and allow the traffic from that IP to the LAN.

[Taomyn]

So I changed the destination to !LAN net, and I can't see blocks for the local LAN, but so far it's only blocking Internet to a few IPs on port 443 and the device is still contacting the external service. FYI it's an IP base webcam that I want to block all outbound access to the Internet for. If I block the domains it uses with Pi-Hole the camera complains it can only be accessed internally but as domains can change I can't trust that, so I would expect the same complaint if I completely blocked its IP, but that's not what I see.


FYI, in the rule screen shot I changed the direction to "any" as a test to see if it helped, but I switched it back to "in".

[Mitheor]

Are you sure this device is being allowed to contact other destinations (non 443/TCP) in Internet?

Could you please upload another screenshot showing it (blur whatever is needed).

If you configure it like:

LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop

And apply, it should work.

[hbc]

Delete the default gateway from your ip cam and it won't phone home and access internet 

[marjohn56]

Providing the the user does not have more than one LAN that would work; however with two or more if he wants to see the image direct on another LAN there's a bit of an issue there. 

[Taomyn]

Thanks everyone for the help so far even though I still haven't got it working, but I'm not giving up, just taking a break from the firewall as it's doing my head in. I'll try and look at it again later this week, and as I'm having to work from home this weekend I really need for the firewall to be "stable", so best to leave it alone for now.

[curioustech]

The following are the perfect steps. The only thing I want to add is order.

Ensure rule you create the following steps mentioned below is sitting on top of pass LAN rule.

Are you sure this device is being allowed to contact other destinations (non 443/TCP) in Internet?

Could you please upload another screenshot showing it (blur whatever is needed).

If you configure it like:

LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop

And apply, it should work.

[Taomyn]

Hey everyone, just following up on this as I had a little free time this afternoon to work on this again.


I've been able to sort it out as per the recommendation above, and I think part of my problem were the connection states - making a change, then resetting the states, and then being patient was the trick in the end. I've also been able to tidy up and harmonise many of my old rules now that I can finally wrap my head around this.


Thanks again everyone.