Firewall block rules not working

Started by yeraycito, July 27, 2023, 07:10:28 PM

NAS ( 192.168.1.3 - 192.168.1.6 )
Computer ( 192.168.1.2 )

I want to block all outgoing connections to my nas except one. By setting the nas blocking rules at the top, my entire local network is cut off from the internet. If I create a rule that allows traffic to the internet for my computer and put it at the top the computer has internet connection but no outgoing connection from the nas is blocked.

No wonder it doesn't work. In all of these block rules, you are blocking the entire /24 subnet. That includes your whole LAN network and NAS. You typed your IP addresses in CIDR format and that's not how it's done. You need to create an alias containing the single IP address(es) you want to block, and then use that alias in a firewall block rule that should be placed above your "LAN_Net" rule.

Quote from: alex303 on July 27, 2023, 07:21:22 PM
No wonder it doesn't work. In all of these block rules, you are blocking the entire /24 subnet. That includes your whole LAN network and NAS. You typed your IP addresses in CIDR format and that's not how it's done. You need to create an alias containing the single IP address(es) you want to block, and then use that alias in a firewall block rule that should be placed above your "LAN_Net" rule.


The same applies when using Aliases.

Can you show me the screenshot of your alias ?

An alias for the single IP is suitable but not strictly necessary. alex303 is right, /24 means the whole network.
You need only the IP or IP/32 for it to describe the single IP. Either in the rule or as the alias definition.

July 28, 2023, 12:02:24 AM #5 Last Edit: July 28, 2023, 12:19:33 AM by alex303
Quote from: yeraycito on July 27, 2023, 07:50:56 PM
The same applies when using Aliases.

You clearly didn't understand what I told you in my previous post regarding alias type.

192.168.1.3/24 is not the same as 192.168.1.3

Adding 192.168.1.3/24 in your firewall block rule or alias will block your entire subnet. And it does.
Adding 192.168.1.3  in your firewall block rule or alias will block only the client with that IP.

Your firewall rules are a total mess. Especially the first rule, which will allow ALL clients in your subnet to exit on port 7844. The fourth rule from the top is completely pointless and should be deleted.

Again. This is what you have to do:

Rule 1 - Change from 192.168.1.3/24 to 192.168.1.3 and leave port 7844

Rule 2 - Change from 192.168.1.3/24 to 192.168.1.3

Rule 3 - Change from 192.168.1.6/24 to 192.168.1.6

Rule 4 - Delete

Rule 5 - Don't touch

If you are using DHCP on that interface, make sure you create static mappings for those IPs and tie them to their respective MAC addresses in order to prevent a client IP address change, which would render your firewall rules useless.
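The /24 versus /32 point above, as an added illustration that is not part of the thread: a small first-match rule evaluator over a constructed rule set modelled on the corrections in this post (source fields and port 7844 as listed; the rule table and the evaluator are assumptions, not OPNsense's own code), showing why the /24 version cuts off every LAN client and the /32 version only affects the NAS addresses.

```python
import ipaddress

# Constructed rules in the order the thread describes, evaluated top to bottom,
# first match wins (the way "quick" firewall rules behave).
# Fields: (action, source, destination_port); None means any port.
RULES_AS_POSTED = [
    ("pass",  "192.168.1.3/24", 7844),   # /24 => every LAN host may use 7844
    ("block", "192.168.1.3/24", None),   # /24 => blocks the whole LAN
    ("block", "192.168.1.6/24", None),
    ("pass",  "192.168.1.0/24", None),   # the "LAN_Net" allow rule, never reached
]

RULES_CORRECTED = [
    ("pass",  "192.168.1.3/32", 7844),   # only host .3 may use 7844
    ("block", "192.168.1.3/32", None),   # only host .3 is blocked otherwise
    ("block", "192.168.1.6/32", None),   # only host .6 is blocked
    ("pass",  "192.168.1.0/24", None),   # everyone else reaches the internet
]


def hosts_covered(cidr):
    """Network a source field really matches. strict=False mimics a firewall
    discarding host bits, so 192.168.1.3/24 turns into 192.168.1.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src, dst_port):
    """Return the action of the first rule matching src/dst_port; no match
    means the implicit default deny."""
    src_ip = ipaddress.ip_address(src)
    for action, source, port in rules:
        if src_ip not in hosts_covered(source):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "block"


if __name__ == "__main__":
    print(hosts_covered("192.168.1.3/24"))   # 192.168.1.0/24
    print(hosts_covered("192.168.1.3/32"))   # 192.168.1.3/32
    for src in ("192.168.1.2", "192.168.1.3", "192.168.1.6"):
        print(src, "posted:", evaluate(RULES_AS_POSTED, src, 443),
              "corrected:", evaluate(RULES_CORRECTED, src, 443))
```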



July 28, 2023, 12:46:16 AM #6 Last Edit: July 28, 2023, 12:49:06 AM by yeraycito
Quote from: alex303 on July 28, 2023, 12:02:24 AM
Quote from: yeraycito on July 27, 2023, 07:50:56 PM
The same applies when using Aliases.

You clearly didn't understand what I told you in my previous post regarding alias type.

192.168.1.3/24 is not the same as 192.168.1.3

Adding 192.168.1.3/24 in your firewall block rule or alias will block your entire subnet. And it does.
Adding 192.168.1.3  in your firewall block rule or alias will block only the client with that IP.


You are absolutely right, the way you explain it works correctly. To block devices you have to do it through Aliases, it doesn't work through ips.

It works without alias too. See post from cookiemonster.

July 28, 2023, 02:24:26 AM #8 Last Edit: July 28, 2023, 02:27:26 AM by yeraycito
Quote from: alex303 on July 28, 2023, 01:54:13 AM
It works without alias too. See post from cookiemonster.


It cannot be configured by ip.

Then change all the /24's to /32 so it only applies to the one IP address.

Quote from: Milkwyrm on July 28, 2023, 03:38:42 AM
Then change all the /24's to /32 so it only applies to the one IP address.

This is exactly what cookiemonster suggested he do in post 5. But again, he is not reading or understanding what we are saying to him.

You're right. I skimmed past that and only saw the post with the subnet stripped off, i.e. xxx.xxx.xxx.xxx
CookieMonster's post should have ended this thread.

I was hoping my somewhat blunt response would drive home the solution though.