Block Internet Access v23.05.0

Hi,
I am trying to block some users in the LAN from getting internet access. Here's my setup (Network, Firewall, Traffic Rules):
Protocol: any
source zone: LAN
source address: the IP of the user
destination zone: WAN
destination address: IP of the main router, WAN
action: drop
But it did not work. They can still access the internet. With my old firmware version, I could block access. What is going on with the latest version? Or is my setup wrong? Any help is greatly appreciated. Thanks.

Setting the IP of the "main router" would be incorrect - assuming you want to block the whole Internet. You need to block everything (i.e. remove the IP of the router). Setting just DST as WAN should work.


Hi lleachii, thank you for your help, but I tried your guide and it still did not work. They still have access to the internet. I even tried blocking my own PC and it could still access the internet. I tried with the protocols on and port 80, but it can still access the net.

What guide?

I referenced your rule in Post No. 1.

Usually web access on most websites (i.e. this one) does not use port 80 (in the year 2023). You'll need to show these configs you reference.

cat /etc/config/firewall

Example:

config rule
        option family 'ipv4'
        option target 'DROP'
        list proto 'all'
        option name 'Drop-test'
        option dest 'wan'
        option src_ip 'xxx.xxx.xxx.xxx'

This guide.
Setting the IP of the "main router" would be incorrect - assuming you want to block the whole Internet. You need to block everything (i.e. remove the IP of the router). Setting just DST as WAN should work.

Thank you for quoting the previous post twice; but in order to assist you, are you about to provide the information requested?


I found blocking by MAC address the simplest.
It will do IPv4 & IPv6.
I just drop forwards from lan to wan with MAC XXX & XX & XX etc.


That will work at least until they change their MAC, which is more and more common with the introduction of MAC hiding for public networks etc.

Normally with a zone based firewall you put these local only devices in a zone without “zone to wan” forwarding.


If they can change their MAC,
it's so easy to look up the ARP table and look up one to steal;
an IP won't help either.
Anyway, you could block all and add a forward as a reverse option,
MAC or IP etc.,
added to allow only.

That is why you put them in a single isolated zone and only give them connection to that zone; no matter if they get ethernet or wifi and no matter what MAC or IP they use, they are trapped forever in that zone.

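The isolated-zone approach described in the posts above, written out as an added /etc/config/firewall fragment (an example for illustration, not config from the thread). It assumes an interface named 'restricted' already exists in /etc/config/network on its own subnet (for example a separate VLAN or Wi-Fi SSID); that part is not shown.

```uci
# Added example: a zone for devices that must never reach the Internet.
# The "restricted" interface name is an assumption for this example.
config zone
        option name 'restricted'
        list network 'restricted'
        # Traffic to the router itself: rejected, except what is allowed below.
        option input 'REJECT'
        # Traffic from the router to the devices (DHCP offers, DNS answers).
        option output 'ACCEPT'
        # Traffic between devices inside the zone.
        option forward 'REJECT'

# Deliberately NO "config forwarding" with src 'restricted' and dest 'wan'.
# Without it, nothing from this zone is forwarded to the Internet, whatever
# IP or MAC a device picks, so there is no per-host rule to bypass.

# Let devices in the zone still get an address and resolve names
# via the router (remove the DNS ports if they should not even do that).
config rule
        option name 'Allow-restricted-DHCP'
        option src 'restricted'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-restricted-DNS'
        option src 'restricted'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# For comparison, the per-host rule from earlier in the thread only drops
# one source IP and stops working as soon as that host changes address.
config rule
        option name 'Drop-one-host'
        option src 'lan'
        option src_ip 'xxx.xxx.xxx.xxx'
        option dest 'wan'
        option proto 'all'
        option target 'DROP'
```

After saving, `/etc/init.d/firewall restart` applies it; checking is as simple as trying to reach any outside address from a device on the restricted interface and confirming it fails while DHCP and DNS still work.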

Sorry, don't mean to post twice, my apology. I am a beginner.
Where can I go for the cat /etc/config/firewall you mentioned? Do I need to enable my SSH?

You could post a screen shot of your luci interface.
/etc/config/firewall is the file that holds all the rules for your firewall.


Tapper, thanks! I will check on that later.:wink: