Block access

Started by JoK, August 01, 2020, 09:51:22 AM

Hi

I got a camera that I'd like to block from accessing the Internet, how do I do that? I really don't want to mess things up, that's why I ask :-)

Thanks

Variant 1: Give it a static DHCP lease and block access from that IP address.

Variant 2: Put it into a network where no device has internet access.


August 01, 2020, 01:43:39 PM #3 Last Edit: August 01, 2020, 01:53:58 PM by JoK
Quote from: lar.hed on August 01, 2020, 12:55:37 PM
Maybe this can help:

https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#block-a-single-device-on-vlan-10-from-accessing-the-internet

It has a static IP address, but how do I set a rule, or some other way, to block that one IP address from accessing the Internet? It's a camera and the block should only be to the internet, not LAN. If I try to type in the specific IP address 192.168.1.4 there is a dropdown box out at the right...?? Sorry, I'm a noob in FW rules

Firewall -> Rules -> WAN interface, create a new rule that only has the static IP in source, outgoing and block?

Okay, so I decided to test this myself: I tried to block my mobile wifi from connecting to Internet - failure. No matter how I did it (floating, alias, direct IP, source, destination, out or in), nothing made any difference.

I'm with JoK on this: How am I supposed to block one static IP from accessing internet?

And another google search found the answer on this forum:
https://forum.opnsense.org/index.php?topic=17664.0

I should not put this rule in WAN, but in LAN (or in my case ALL_LAN which is a group of interfaces), direction IN, Source is the IP I like to block (or in my case I made an Alias list of hosts, as in the thread mentioned above). Done.

Thanks for your reply, any words on what the dropdown box is for, right beside the box where the IP address is typed in??




I tried to make the rule as suggested and turned on logging, the rule seems to block IP address 192.168.1.102...and not 192.168.1.4....

I give up ...🙁


Don't give up - we are here, it's just not real time all the time ;-)

This is how I have done this: I created an Alias to collect all IPs I like to stop from accessing internet inside one place - this way I only alter the Alias and never any rules.

I then have a firewall rule on the interface (which in my case happens to be a firewall group of more than one interface).

I included the rule itself on the third attachment, so you might follow a bit easier.

(and then I wonder how I include the attachment in this text but that is another story I guess...)

Oh, so you made an Alias or "group" that can contain all the IPs you want to block, yeah that sounds easier than just making a rule for each IP, and you can add more IPs along the way..right?

What's the "Source/invert"?

The "destination", you have marked as "All_LAN", is that, in my case, just LAN...I only have one? :-) ...I would have guessed this should have been Internet
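
Added example, not part of any post in this thread: a simplified Python model of why the block rule works on LAN (direction in, source = alias) but not on WAN, where outbound NAT has already replaced the camera's address. The subnet 192.168.1.0/24, the WAN address, the test destinations and the inverted LAN-net destination (used here to keep LAN access, as asked for the camera) are assumptions of this sketch.

```python
import ipaddress as ip

ANY = ip.ip_network("0.0.0.0/0")
LAN_NET = ip.ip_network("192.168.1.0/24")      # assumed LAN subnet
WAN_ADDR = ip.ip_address("203.0.113.10")       # constructed WAN address
NO_INTERNET = {ip.ip_address("192.168.1.4")}   # alias: hosts to keep offline

def rule(iface, direction, src, dst, dst_invert=False):
    """One block rule; dst_invert models the 'invert' checkbox on destination."""
    return dict(iface=iface, dir=direction, src=src, dst=dst, inv=dst_invert)

def blocked(rules, iface, direction, src, dst):
    """True if any block rule on this interface/direction matches the packet."""
    for r in rules:
        if (r["iface"], r["dir"]) != (iface, direction) or src not in r["src"]:
            continue
        if (dst in r["dst"]) != r["inv"]:
            return True
    return False  # stands in for the default "allow LAN to any" rule

def trace(rules, src, dst):
    """Follow one packet from a LAN host through the firewall."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if blocked(rules, "lan", "in", src, dst):
        return "blocked on LAN in"
    if dst in LAN_NET:
        return "delivered locally"
    src = WAN_ADDR  # outbound NAT rewrites the source before WAN filtering
    if blocked(rules, "wan", "out", src, dst):
        return "blocked on WAN out"
    return "reached internet"

# Rule placed on WAN, direction out, source = alias (the attempt that failed)
WAN_RULE = [rule("wan", "out", NO_INTERNET, ANY)]
# Rule placed on LAN, direction in, source = alias, destination = not LAN net
LAN_RULE = [rule("lan", "in", NO_INTERNET, LAN_NET, dst_invert=True)]

if __name__ == "__main__":
    for name, rules in (("WAN rule", WAN_RULE), ("LAN rule", LAN_RULE)):
        for dst in ("198.51.100.7", "192.168.1.1"):  # constructed destinations
            print(name, "192.168.1.4 ->", dst, ":", trace(rules, "192.168.1.4", dst))
```

After adding such a rule on a real firewall, enable logging on it and confirm that the logged source is the camera's address and the interface is LAN.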