
Blocking internet to a specific LAN IP with exceptions

I want to be able to mostly block internet access for a specific LAN IP address. It was pretty easy to set up a Reject rule to do this for all traffic from that IP going LAN to WAN and that works perfectly... All internet access is blocked for that IP.

When I try to add exceptions so that specific sites will work (via FQDN), it doesn't work. To start, I'm just trying to allow *.google.com and it doesn't work. 

I also tried creating another firewall rule to specifically allow *.google.com for that IP address, and placed it above the reject rule in the list, but it still doesn't work. 

Anyone have any tips on how to make this work? Thanks in advance. 



This thread was automatically locked due to age.
  • Sometimes using an IP address in the source network fails without errors. What I suggest is you create a clientless user for that IP, add that to the firewall rule in the allowed user field and put the network in the source network field. The destination looks partially correct and will allow some of the Google stuff through while you debug.

    ian

    fixed auto spellchecker error.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I honestly can't believe it, but this seems to have worked. The first time I tried it, it didn't seem to, but after tinkering a bit more it started working (at least for Google, I still need to play with Zoom more). How bizarre.

    Is this a bug (exceptions not working properly when the device is in the Source Networks and Devices field, but it does work when the device is configured as a clientless user and populated under Match Known Users)?

    Just for clarity, here's how I have the rule set up. The Zoom group under exclusions/destination networks includes *.zoom.us and *.cloudfront.net per Zoom's documentation, but their website still only half works on the iPad.

  • Never mind, this still doesn't work reliably. I tried adding some other sites (e.g., Netflix) to the exclusions and it didn't work. What am I doing wrong??

  • Hi Nicholas,

    Netflix does its own thing and exclusions do not work. My TV works with Netflix using allow all (web proxy) and HTTPS without scanning.

    Do you have do not scan audio and video unticked in WEB general?

    Ian

    There is an FQDN group defined in the XG for Netflix.
