Topic: Block range of LAN hosts from ANY Internet access (Read 4368 times)
RGN01
Newbie
Posts: 18
Karma: 0
Block range of LAN hosts from ANY Internet access
« on: January 06, 2021, 10:01:05 pm »
What is the best way to block all hosts in a continuous block of LAN IPv4 addresses from any internet access?
I'm new to OPNsense so am probably missing something basic but have been struggling with this and appear to be going around in circles without success!
My network is simple - 1 LAN, 2 WAN configured on a gateway as a failover group. I have a set of IP cameras that I want to ensure have NO internet access. They are in a continuous address range. IPv4 only, no IPv6.
My attempts have involved:
- setting an alias for the cameras. I've used URL table and a list of hosts.
- I've set up block rules on the two WAN interfaces in various combinations (in, out and any) and placed these rules at the top of the stack
And the devices in the block of addresses simply continue to ping internet addresses.
I'm clearly missing something basic and fundamental but am stumped so any guidance or help appreciated.
Thanks in advance.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Block range of LAN hosts from ANY Internet access
« Reply #1 on: January 06, 2021, 10:08:01 pm »
Block them on the LAN interface
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #2 on: January 06, 2021, 10:24:10 pm »
Thanks for your response, Greelan.
I've tried that and a device in range keeps on pinging Amazon.
See screenshot attached - this is the top rule and I have enabled it and applied it.
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Block range of LAN hosts from ANY Internet access
« Reply #3 on: January 06, 2021, 11:03:46 pm »
What are the 6 rules you haven't expanded?
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #4 on: January 06, 2021, 11:06:34 pm »
Auto-created rules - see attachment (can't figure out how to post inline)
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Block range of LAN hosts from ANY Internet access
« Reply #5 on: January 06, 2021, 11:13:57 pm »
The device might still be pinging, but are the pings getting through?
You don’t have any relevant floating or group rules that are applying in priority?
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Block range of LAN hosts from ANY Internet access
« Reply #6 on: January 06, 2021, 11:17:17 pm »
Also check there are no NAT rules for ICMP.
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #7 on: January 06, 2021, 11:18:55 pm »
Yes, pings are succeeding, as are http and https sessions.
Please see the expanded Floating Rules tab - all auto-generated (although I'm unclear what that means in the context of the header message).
I'm not familiar with Group Rules - where are these shown please?
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #8 on: January 06, 2021, 11:28:12 pm »
I've checked, no NAT rules.
Thanks for all your help, folks! Much appreciated!
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Block range of LAN hosts from ANY Internet access
« Reply #9 on: January 06, 2021, 11:49:32 pm »
If you haven’t created any firewall groups, then you won’t see any rules.
Are you sure your Alias is right? Maybe test with a separate rule that just uses the device’s IP directly?
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #10 on: January 07, 2021, 06:44:19 am »
I've not created Groups.
I have tested with specific IP addresses, too. Both by cloning the rule and changing the address and by starting afresh. I am careful to always make the new rule the top one, too.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Block range of LAN hosts from ANY Internet access
« Reply #11 on: January 07, 2021, 06:53:22 am »
And applied the changes after moving them, right?
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #12 on: January 07, 2021, 06:55:53 am »
Yes, I should have said that, sorry.
I'm stumped - again, thanks for your help and ideas.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Block range of LAN hosts from ANY Internet access
« Reply #13 on: January 07, 2021, 07:00:38 am »
You mentioned you have a multi WAN gateway group. I wonder if there is some routing issue relating to that, e.g. the camera traffic is only being blocked out of one WAN interface but not the other? I don’t have experience with a multi WAN setup, but presumably you want the block to apply to the gateway group? Do you need to select that as the Gateway in the rule?
Logged
RGN01
Newbie
Posts: 18
Karma: 0
Re: Block range of LAN hosts from ANY Internet access
« Reply #14 on: January 07, 2021, 07:03:56 am »
I have tried adding 4 separate rules to the WAN circuits, too - each an In/Out pair blocking this range - and that also didn't help.
I'm starting to wonder if there is some kind of corruption to the config and whether it may be better to simply start afresh and rebuild from a new installation.
Logged
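An added illustration of the two points raised in the thread (Reply #1: filter the cameras on the LAN interface, where their traffic enters the firewall, rather than on the WAN interfaces; Reply #9: check that the alias really covers the camera addresses). This is example code written for this page, not OPNsense code: it collapses a constructed camera range into the CIDR entries a Network-type alias would need, and models first-match rule evaluation on the LAN interface so you can see which rule a given flow hits. The addresses and rule set are constructed assumptions.

```python
import ipaddress

# Constructed sample: cameras occupy 192.168.1.200 - 192.168.1.215 (assumed range)
CAMERA_FIRST = ipaddress.ip_address("192.168.1.200")
CAMERA_LAST = ipaddress.ip_address("192.168.1.215")
LAN_NET = "192.168.1.0/24"
ANY = "0.0.0.0/0"


def alias_networks(first, last):
    """Collapse a contiguous range into the minimal CIDR list for a Network alias.
    Note the range is not /28-aligned, so it needs two entries, which is the
    kind of thing a hand-typed host list or single CIDR gets wrong."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


# Rules as OPNsense evaluates them on an interface: top to bottom, first match wins.
# Each rule: (interface, direction, action, source networks, destination networks).
# Outbound camera traffic enters the firewall on "lan" in the "in" direction, so a
# block rule placed on a WAN interface never sees the flow before LAN rules pass it.
RULES = [
    ("lan", "in", "pass", [LAN_NET], [LAN_NET]),                       # camera -> NVR stays allowed
    ("lan", "in", "block", alias_networks(CAMERA_FIRST, CAMERA_LAST), [ANY]),  # cameras -> anywhere else
    ("lan", "in", "pass", [LAN_NET], [ANY]),                           # default "LAN to any" rule
]


def first_match(interface, direction, src, dst, rules=RULES):
    """Return the action of the first rule matching this flow, or the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, d, action, srcs, dsts in rules:
        if iface != interface or d != direction:
            continue
        src_hit = any(src in ipaddress.ip_network(n) for n in srcs)
        dst_hit = any(dst in ipaddress.ip_network(n) for n in dsts)
        if src_hit and dst_hit:
            return action
    return "block"


def alias_covers(address, first=CAMERA_FIRST, last=CAMERA_LAST):
    """Reply #9's check: is this device actually inside the alias entries?"""
    return any(ipaddress.ip_address(address) in ipaddress.ip_network(n)
               for n in alias_networks(first, last))


if __name__ == "__main__":
    print(alias_networks(CAMERA_FIRST, CAMERA_LAST))
    print(first_match("lan", "in", "192.168.1.203", "8.8.8.8"))       # camera -> internet: block
    print(first_match("lan", "in", "192.168.1.203", "192.168.1.10"))  # camera -> NVR: pass
    print(first_match("lan", "in", "192.168.1.50", "8.8.8.8"))        # other LAN host: pass
```

If the same camera flow were evaluated with interface "wan", no rule in the list would match at all, which is the situation the original poster was in with WAN-side block rules.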