How to totally block internet access completely. Stumped.

Started by Atomical, February 03, 2021, 09:35:53 PM

Hi All,

I have gone through numerous forum posts on this subject and I'm banging my head against the wall over it. I can get the rule to work, but it's still letting some internet traffic in. I have a LAN rule set as per the screenshot below.



The issue is the device loses internet slightly: so, say for instance they get a message on Facebook, it gets in; same with video calls initialising, but obviously not acknowledging the answer.

Also, it can ping Google 8.8.8.8, for instance.

Is there a surefire way to completely block internet access?

Hope someone has the answer I have blindly missed.

Do you have that rule above all other rules that let traffic out?

And when you say "let traffic in", I assume you mean the internal client is requesting the session and the response/notification gets "in" that way.
Qotom i7-7500u 16gb 128ssd

You have not understood the way firewall rules are set up in OPNsense. Direction "IN" is always relative to the respective interface. So "IN" on LAN means coming from a client of your LAN, meant to leave OPNsense via a different interface.

Delete this nonsense and back to square one...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: Atomical on February 03, 2021, 09:35:53 PM
Hi All,

I have gone through numerous forum posts on this subject and I'm banging my head against the wall over it. I can get the rule to work, but it's still letting some internet traffic in. I have a LAN rule set as per the screenshot below.



The issue is the device loses internet slightly: so, say for instance they get a message on Facebook, it gets in; same with video calls initialising, but obviously not acknowledging the answer.

Also, it can ping Google 8.8.8.8, for instance.

Is there a surefire way to completely block internet access?

Hope someone has the answer I have blindly missed.

You need to reset states or do a reboot after setting such a rule. Connections that were open before creating that rule will still be possible because OPNsense has states saved for those connections.
"The S in IoT stands for Security!" :)
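As an added illustration (not part of the thread, and not OPNsense or pf code), the toy model below shows why Gauss23's answer is the fix and why the rule-order question in the first reply matters too. It mimics the behaviour of a stateful packet filter such as pf: an incoming packet is first checked against the state table, and only packets with no matching state are evaluated against the ruleset (first match wins, default deny). A flow that already has a state keeps passing after a block rule is added on top; only after the host's states are killed does the next packet hit the new rule. Host addresses, ports and the LAN prefix are assumptions for the example.

```python
"""Toy stateful firewall: state lookup precedes rule evaluation.

Constructed example modelling pf-style behaviour; NOT OPNsense/pf code.
Addresses, ports and the 192.168.1.0/24 LAN prefix are illustrative.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

# A state is keyed on both endpoints (address, port) plus protocol, so the
# reply from the server maps onto the same entry as the client's request.
StateKey = Tuple[FrozenSet[Tuple[str, int]], str]

LAN_PREFIX = "192.168.1."  # assumed LAN subnet for the "IN on LAN" rules


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: Optional[str] = None  # None means "any" source
    dst: Optional[str] = None  # None means "any" destination

    def matches(self, src: str, dst: str) -> bool:
        return self.src in (None, src) and self.dst in (None, dst)


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)  # evaluated top-down, first match wins
    states: Set[StateKey] = field(default_factory=set)

    def filter_packet(self, src: str, sport: int, dst: str, dport: int, proto: str) -> str:
        key: StateKey = (frozenset({(src, sport), (dst, dport)}), proto)
        # 1. Existing state? Then the packet passes without touching the ruleset.
        if key in self.states:
            return "pass (state)"
        # 2. Only LAN-originated packets are subject to the LAN rules here;
        #    anything else without a state is dropped (WAN default deny).
        if not src.startswith(LAN_PREFIX):
            return "block (default)"
        # 3. No state: walk the ruleset; a matching pass rule creates a state.
        for rule in self.rules:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        return "block (default)"

    def kill_states(self, host: str) -> int:
        """Drop every state involving `host` (the 'reset states' step)."""
        doomed = {k for k in self.states if any(addr == host for addr, _ in k[0])}
        self.states -= doomed
        return len(doomed)


def scenario() -> dict:
    """Replay the thread: open a flow, add a block rule, observe, reset states."""
    client, dns = "192.168.1.50", "8.8.8.8"
    fw = Firewall(rules=[Rule("pass")])  # default LAN "allow any" rule
    r = {}
    r["before"] = fw.filter_packet(client, 40000, dns, 53, "udp")
    r["reply_before"] = fw.filter_packet(dns, 53, client, 40000, "udp")

    # Block rule for the client inserted ABOVE the allow-any rule.
    fw.rules.insert(0, Rule("block", src=client))
    r["old_flow_after_rule"] = fw.filter_packet(client, 40000, dns, 53, "udp")  # still passes
    r["new_flow_after_rule"] = fw.filter_packet(client, 40001, dns, 53, "udp")  # blocked

    # Reset the client's states: the established flow now hits the block rule.
    r["killed"] = fw.kill_states(client)
    r["old_flow_after_reset"] = fw.filter_packet(client, 40000, dns, 53, "udp")

    # Rule order: a block rule BELOW allow-any never matches, even for new flows.
    fw2 = Firewall(rules=[Rule("pass"), Rule("block", src=client)])
    r["block_below_pass"] = fw2.filter_packet(client, 40002, dns, 53, "udp")
    return r


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:>22}: {result}")
```

The "old_flow_after_rule" step is exactly the symptom in the opening post: the rule is correct, but flows whose state already exists keep passing until the states are reset (or the box rebooted). The "block_below_pass" step is the first reply's point: placement relative to the allow rule decides whether the block rule is ever reached.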

Quote from: Gauss23 on February 04, 2021, 09:21:39 AM
You need to reset states or do a reboot after setting such a rule. Connections that were open before creating that rule will still be possible because OPNsense has states saved for those connections.

Thanks Gauss23, that was it; I wasn't resetting the states (never crossed my mind). Also, adding "disable reply-to" helped as well.

Quote from: chemlud on February 04, 2021, 09:15:27 AM
You have not understood the way firewall rules are set up in OPNsense. Direction "IN" is always relative to the respective interface. So "IN" on LAN means coming from a client of your LAN, meant to leave OPNsense via a different interface.

Delete this nonsense and back to square one...

Thanks chemlud, your excellent knowledge of firewalls surpasses my feeble attempt... however, Gauss23 hit it out of the park with his answer.