Block range of LAN hosts from ANY Internet access

Started by RGN01, January 06, 2021, 10:01:05 PM

What is the best way to block all hosts in a continuous block of LAN IPv4 addresses from any internet access?

I'm new to OPNsense so am probably missing something basic but have been struggling with this and appear to be going around in circles without success!

My network is simple - 1 LAN, 2 WAN configured on a gateway as a failover group. I have a set of IP cameras that I want to ensure have NO internet access. They are in a continuous address range. IPv4 only, no IPv6.

My attempts have involved:
- setting an alias for the cameras. I've used URL table and a list of hosts.
- I've set up block rules on the two WAN interfaces in various combinations (in, out and any) and placed these rules at the top of the stack

And the devices in the block of addresses simply continue to ping internet addresses.

I'm clearly missing something basic and fundamental but am stumped so any guidance or help appreciated.

Thanks in advance.


Thanks for your response, Greelan

I've tried that and a device in range keeps on pinging Amazon.

See screenshot attached - this is the top rule and I have enabled it and applied it.



Auto-created rules - see attachment (can't figure out how to post inline)

The device might still be pinging, but are the pings getting through?

You don't have any relevant floating or group rules that are applying in priority?


Yes, pings are succeeding, as are http and https sessions.

Please see the expanded Floating Rules tab - all auto-generated (although I'm unclear what that means in context of the header message)

I'm not familiar with Group Rules - where are these shown please?

I've checked, no NAT rules.

Thanks for all your help, folks! Much appreciated!

If you haven't created any firewall groups, then you won't see any rules.

Are you sure your Alias is right? Maybe test with a separate rule that just uses the device's IP directly?

I've not created Groups.

I have tested with specific IP addresses, too. Both by cloning the rule and changing the address and by starting afresh. I am careful to always make the new rule the top one, too.

And applied the changes after moving them, right?

Yes, I should have said that, sorry.

I'm stumped - again, thanks for your help and ideas.

You mentioned you have a multi WAN gateway group. I wonder if there is some routing issue relating to that, e.g. the camera traffic is only being blocked out of one WAN interface but not the other? I don't have experience with a multi WAN setup but presumably you want the block to apply to the gateway group? Do you need to select that as the Gateway in the rule?

I have tried adding 4 separate rules to the WAN circuits, too - each an In/Out pair blocking this range and that also didn't help.

I'm starting to wonder if there is some kind of corruption to the config and whether it may be better to simply start afresh and rebuild from a new installation.
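Added illustration, not part of this thread and not OPNsense code: a toy model of how pf (the packet filter under OPNsense) evaluates the rules described above. Interface rules are checked on the interface a packet first enters, and a packet that matches an existing state is passed before any rule is read, which is why block rules placed on the WAN interfaces never see the cameras' LAN-originated traffic. The camera range 192.168.1.64/28 and the default "allow LAN to any" rule are assumptions for the demonstration.

```python
"""Simplified model of stateful rule evaluation in pf/OPNsense (constructed
illustration, not the real implementation). Rules are tried in order on the
interface and direction where the packet is seen; the first match wins
(OPNsense rules are 'quick' by default) and a pass creates a state entry."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    iface: str       # interface the rule is attached to ("lan" / "wan")
    direction: str   # "in" or "out" relative to that interface
    action: str      # "pass" or "block"
    src: str         # source network in CIDR (the cameras alias, expanded)


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (src, dst) keys of open flows

    def filter(self, iface, direction, src, dst):
        if (src, dst) in self.states:          # state lookup happens before rules
            return "pass (state)"
        for r in self.rules:
            if r.iface == iface and r.direction == direction \
                    and ip_address(src) in ip_network(r.src):
                if r.action == "pass":
                    self.states.add((src, dst))   # keep state (OPNsense default)
                return r.action
        return "block (default deny)"

    def camera_to_internet(self, src, dst="8.8.8.8"):
        """A LAN host's packet enters on LAN (in) and leaves on WAN (out)."""
        verdict = self.filter("lan", "in", src, dst)
        if verdict.startswith("block"):
            return verdict
        return self.filter("wan", "out", src, dst)


CAMERAS = "192.168.1.64/28"   # constructed example range, not from the thread


def wan_block_only():
    """Block rules on WAN in/out above the default LAN allow, as tried above."""
    fw = Firewall([Rule("wan", "in", "block", CAMERAS),
                   Rule("wan", "out", "block", CAMERAS),
                   Rule("lan", "in", "pass", "0.0.0.0/0")])
    return fw.camera_to_internet("192.168.1.70")


def lan_block_first():
    """Block rule on the LAN interface, placed above the default LAN allow."""
    fw = Firewall([Rule("lan", "in", "block", CAMERAS),
                   Rule("lan", "in", "pass", "0.0.0.0/0")])
    return fw.camera_to_internet("192.168.1.70")
```

In the first scenario the packet is passed by the LAN allow rule, the state it creates short-circuits the WAN out rule, and the WAN in rule only ever sees traffic arriving from the internet; in the second the camera is stopped on the interface its traffic actually enters.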