How to block outgoing access to single fixed IP?

So I have several devices over which I have no control accessing the internet over my router. I want to globally disallow access to one single fixed internet IP address, nothing more, nothing less. After an hour of googling and inputting firewall rules out the wazoo, I got to the realm of suggestions of using reverse proxies and such to achieve the result, and I just gave up. All my hosts on the LAN can still ping this WAN IP.

Is there any easy way to accomplish this?
When any host connected to my router tries to ping aaa.bbb.ccc.ddd, it will get destination unreachable.

Thanks

Using LuCI:

  1. select Network->Firewall
  2. select Traffic Rules
  3. scroll down to New Forward Rule
  4. select Add and edit
  5. change source zone to LAN, destination zone to WAN, set the destination address to "AAA.BBB.CCC.DDD" and the action to reject.
  6. save and apply the changes

That is the very first thing I tried; however, the address is still pingable.

Is this because the router is not my DNS?

The way I have it set up is: I run Unbound, which uses Cloudflare as upstream, on the router, and two Pi-holes. The DHCP on the router assigns the two Pi-hole addresses as DNS servers, and each Pi-hole queries the router as its only upstream server.

On the Pi-holes I use dnsmasq redirects like this to return my router's NTP server when any of the time servers my smart sockets query thousands of times an hour are looked up:

address=/ntp-g7g.amazon.com/192.168.1.1
address=/kindle-time.amazon.com/192.168.1.1
address=/time1.google.com/192.168.1.1
etc.

Could I use this to redirect the IP to some nonexistent IP in order to block access to it?

Did you enter an IP address, or a hostname?

@mbo2o's instructions specified IP.

  • Did you Save/Apply the firewall?
  • Can you screenshot the rule, or show it from /etc/config/firewall ?

What does this have to do with the dnsmasq redirects?

EDIT: the rule noted above was from LAN to WAN; this is a global drop:

config rule
        option name 'Drop_outgoing_single_IP'
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option dest '*'
        option dest_ip 'xxx.xxx.xxx.xxx'
        option target 'DROP'
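As an added illustration (not code from the thread or from OpenWrt), here is a small checker that parses the UCI text format of /etc/config/firewall and reports whether any rule would block traffic from the LAN zone to a given WAN address. It flags the pitfalls raised in the posts above: a hostname where dest_ip needs a literal address, a rule whose zones do not cover the flow, and a rule without `option proto 'all'` (a firewall rule with no proto defaults to tcp udp, so it never matches an ICMP ping). The sample config, the rule names and the address 203.0.113.10 are constructed for this example.

```python
"""Verify that an OpenWrt /etc/config/firewall blocks one destination IP.

Added example, not code from the thread. It parses the UCI text format of
/etc/config/firewall and reports which rules block <src_zone> -> <ip> for a
given protocol, warning about the common mistakes discussed in the thread.
"""
import ipaddress
import shlex

BLOCK_TARGETS = {"DROP", "REJECT"}

# Constructed sample of /etc/config/firewall (only the rule sections matter here;
# 203.0.113.10 is a documentation address, example.invalid a stand-in hostname).
SAMPLE_FIREWALL = """
config rule
        option name 'Block_by_hostname'
        option src 'lan'
        option dest 'wan'
        option dest_ip 'example.invalid'
        option target 'REJECT'

config rule
        option name 'Reject_tcp_udp_only'
        option src 'lan'
        option dest 'wan'
        option dest_ip '203.0.113.10'
        option target 'REJECT'

config rule
        option name 'Drop_outgoing_single_IP'
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option dest '*'
        option dest_ip '203.0.113.10'
        option target 'DROP'
"""


def parse_uci(text):
    """Parse UCI config text into [(section_type, {option: value | [values]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_covers(rule_zone, flow_zone):
    """In a firewall rule '*' means any zone; otherwise the zone name must match."""
    return rule_zone == "*" or rule_zone == flow_zone


def blocking_rules(config_text, target_ip, src_zone="lan", dest_zone="wan", proto="icmp"):
    """Return (names of rules blocking src_zone -> target_ip for proto, warnings)."""
    target = ipaddress.ip_address(target_ip)
    hits, warnings = [], []
    for stype, opts in parse_uci(config_text):
        if stype != "rule" or "dest_ip" not in opts:
            continue
        name = opts.get("name", "<unnamed>")
        dest_ip = opts["dest_ip"]
        if dest_ip.startswith("!"):
            warnings.append(f"{name}: negated dest_ip is not evaluated by this checker")
            continue
        try:
            # dest_ip must be a literal address or prefix; the firewall does not resolve names
            net = ipaddress.ip_network(dest_ip, strict=False)
        except ValueError:
            warnings.append(f"{name}: dest_ip {dest_ip!r} is not an IP address (hostname?)")
            continue
        if target.version != net.version or target not in net:
            continue
        fam = opts.get("family")
        if (fam == "ipv4" and target.version != 4) or (fam == "ipv6" and target.version != 6):
            continue
        if opts.get("target") not in BLOCK_TARGETS:
            continue
        # Without both src and dest the rule is an input/output rule for the router itself
        if "src" not in opts or "dest" not in opts:
            warnings.append(f"{name}: missing src or dest zone, does not filter forwarded traffic")
            continue
        if not (zone_covers(opts["src"], src_zone) and zone_covers(opts["dest"], dest_zone)):
            continue
        # A rule with no proto option defaults to 'tcp udp', which never matches ICMP
        rule_proto = opts.get("proto", "tcp udp")
        if isinstance(rule_proto, list):
            rule_proto = " ".join(rule_proto)
        tokens = rule_proto.split()
        if "all" not in tokens and proto not in tokens:
            warnings.append(f"{name}: proto {rule_proto!r} does not cover {proto}; ping would still work")
            continue
        hits.append(name)
    return hits, warnings


if __name__ == "__main__":
    found, notes = blocking_rules(SAMPLE_FIREWALL, "203.0.113.10")
    print("rules blocking LAN -> 203.0.113.10 (icmp):", found)
    for note in notes:
        print("warning:", note)
```

On a router, feed it the real file with `blocking_rules(open("/etc/config/firewall").read(), "aaa.bbb.ccc.ddd")`; an empty hit list together with the proto warning is the usual explanation for a LuCI rule that "does not work" against ping, and checking the file rather than the web UI also confirms that the rule was actually saved and applied.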

You're right, the dnsmasq redirects didn't have anything to do with anything; I was just grasping at straws.

The rule you provided works exactly as I wanted, though; trying to ping the IP now yields "request timed out".

Thanks!

(All this was about is that one of our flatmates started playing some new game, and it shows up in the Pi-hole logs trying to access an IP in China every second or two, so we were just trying to see if we could block it without uninstalling the game.)


Excellent! I literally gleaned that rule from one I use to block the Chinese phoning-home of a DVR-viewing app!

Glad you got it working!


Edit: the IP started being accessible again, but I tracked that down to the VPN, which makes it a question for another forum.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_filtering

Better use REJECT to avoid connection timeouts.

I might end up having to do the dnsmasq blocking thing; not sure if even that will work, because the issue is tied to the VPN. With the VPN off the firewall rules work properly; however, when I turn the VPN on, for obvious reasons it stops working, since all traffic is now a stream of data to one IP of the VPN provider.

I might still be able to block it, because I leak "my" DNS (the leaked addresses are Cloudflare's) on purpose when connected to the VPN, since I bypass the ISP's DNS completely (machines query the Pi-hole, the Pi-hole queries the router, the router queries the Unbound server, the Unbound server queries 1.1.1.1), so even while connected to the VPN it uses my own DNS servers in order to facilitate the ad blocking.

I'm at work at the moment, but will have a look at the dnsmasq blocks in OpenWrt, or on the Pi-holes, or on both for good measure, later.

Where is the VPN client running? If that's on the router, you might be able to create some virtual network interface and assign it the rogue IP address. In that case it will be handled as a local IP.

That's the thing: the VPN clients are running individually on each machine, and running the VPN globally on the router is not an option, as I need to control the VPN country and VPN state individually on every machine.

I don't have access to every machine on the network per se. I could persuade my flatmate to just get rid of the game, but I'd like to solve this so that I know how to do it in the future, or when uninstalling the offending app is not an option.

Basically, given the info in the posts above, I need to come up with a solution that blocks access to a single outgoing IP regardless of VPN state, without the need to modify anything on the computers trying to access it. Hope that makes sense.

Configure a locally routed DNS server via DHCP or manually, and prohibit the VPN connection from changing your DNS settings.

No, it doesn't. The whole point of a VPN is that routers/firewalls between the VPN server and client can't do anything except block the whole VPN. So if you can't control the server or the client, you're screwed.


Yeah, I see now that what I want is not possible.

Given that it's my flatmate's data potentially being breached, not mine, that I informed him about it, and that I spent far more time trying to solve the issue than I initially anticipated, I'm thinking I'm pretty much done with this whole thing.

Thanks for everyone's input!
