Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Block Internal IP Range from Accessing Internet
« previous
next »
Print
Pages: [
1
]
Author
Topic: Block Internal IP Range from Accessing Internet (Read 7632 times)
pbolduc
Newbie
Posts: 42
Karma: 4
Block Internal IP Range from Accessing Internet
«
on:
April 21, 2017, 10:12:27 pm »
Hi,
Is it possible to take a range of IP's on a class C subnet such as 192.168.1.229-192.168.1.254 and allow only allow that range to access the WAN port?
While having a second rule that deny's access to those devices in the IP range of 192.168.1.2-192.168.1.228 from not being able to access the internet?
For instance, only allow the router and the assigned DHCP pool access to the internet, while all other devices that might be statically assigned are refused internet connection.
I've attempted to create these firewall rules by specifying the IP ranges in either the Host(s) or Network(s) alias type and I've placed those Alias's within a the appropriate Firewall Rule policy under LAN to enable and disable each range of specified IP's listed in the Firewall Alias.
I've also moved the Deny Policy above all allow policies and it still doesn't seem to stop the traffic. I'm baffled.
«
Last Edit: April 21, 2017, 11:11:44 pm by pbolduc
»
Logged
pbolduc
Newbie
Posts: 42
Karma: 4
Re: Block Internal IP Range from Accessing Internet
«
Reply #1 on:
April 22, 2017, 01:29:37 am »
What I have done in the mean time is I have only allocated the LAN subnet to use 30 hosts by giving the network mask a subnet of 255.255.255.224 or /27. That way only 30 hosts can exist on the LAN between 192.168.1.1 and 192.168.1.30. At this point I am unable to keep PC's on the same network and create an ACL that only allows a certain range of IP's from accessing the WAN port. So as a work around, I create a small network and control that small network with DHCP MAC Address registration.
«
Last Edit: April 22, 2017, 01:56:38 am by pbolduc
»
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Block Internal IP Range from Accessing Internet
«
Reply #2 on:
April 22, 2017, 10:20:15 am »
Hi!
I don't really understand what you are looking for: 30 random clients in LAN with WAN access? Or 30 SPECIFIC clients with WAN access?
If you have constantly the same 50 clients, then hand out IPs by MAC (see DHCP server) and sort them in two groups based on an ALIAS, one group with and one group without internet access (firewall rules based on Aliases...).
More info necessary, I guess ;-)
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
pbolduc
Newbie
Posts: 42
Karma: 4
Re: Block Internal IP Range from Accessing Internet
«
Reply #3 on:
April 22, 2017, 08:02:05 pm »
Hi,
What I was attempting to do was to isolate a range of computers in the same subnet from having internet access while only allowing those in another range in the same subnet to have internet access. I don't think this is possible though and probably an easier solution would just be to vlan two networks to achieve this VLAN1 (Has internet) & VLAN2 (Has Isolated network access but not Internet). So I've opted for an easier solution, where I control the PC's on a small subnet and use DHCP MAC registration for those I want to connect to the network and internet. The other PC's can that just need network access can make due with a static IP address and no gateway.
«
Last Edit: April 23, 2017, 04:39:49 am by pbolduc
»
Logged
djGrrr
Full Member
Posts: 112
Karma: 22
Re: Block Internal IP Range from Accessing Internet
«
Reply #4 on:
April 27, 2017, 05:24:57 am »
I believe the problem with the rules you had is that you were using block, with a gateway set, if you remove the gateway from these block rules, i suspect they should work as expected.
Logged
pbolduc
Newbie
Posts: 42
Karma: 4
Re: Block Internal IP Range from Accessing Internet
«
Reply #5 on:
April 27, 2017, 05:21:47 pm »
Thank you, I will look into this.
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Block Internal IP Range from Accessing Internet
«
Reply #6 on:
April 27, 2017, 05:44:35 pm »
You can have e.g. reserved IPs based on MAC for those which should have internet access and DHCP for those which should not and firewall rules based on Aliases for these two groups...
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Block Internal IP Range from Accessing Internet