
Blocking internet to a specific LAN IP with exceptions

I want to be able to mostly block internet access for a specific LAN IP address. It was pretty easy to set up a Reject rule to do this for all traffic from that IP going LAN to WAN and that works perfect... All internet access is blocked for that IP. 

When I try to add exceptions so that specific sites will work (via FQDN), it doesn't work. To start, I'm just trying to allow *.google.com and it doesn't work. 

I also tried creating another firewall rule to specifically allow *.google.com for that IP address, and placed it above the reject rule in the list, but it still doesn't work. 

Anyone have any tips on how to make this work? Thanks in advance. 




    Hi,

    You need to create a firewall rule on top of the Reject rule to allow DNS traffic.

    After that, you can just add an exclusion in the Reject rule for required URLs and services (HTTP and HTTPS for web traffic).

  • This makes total sense! But I still can't get it to work. It seems that things start acting odd as soon as I enable the DNS rule. I created two rules similar to what you suggested. "iPad" is the IP address assigned to the iPad being used to test this.

    If I disable both rules, browsing on the iPad works properly. If I enable only the DNS rule, browsing mostly doesn't work (Google still works for some reason, but as soon as I try to click on a link from a search, it doesn't work).

    The DNS rule I created is very simple, see below. Why is explicitly accepting DNS breaking browsing?

  • I think I figured out the answer using Yash's post as a clue. Instead of a separate rule like Yash suggested, I added the DNS servers I use (1.1.1.1 and 8.8.8.8) as well as the DNS service to the reject rule's exclusions (as well as ICMP for testing). Now it works. Hooray.
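The layout that finally worked, modelled as a first-match policy so the dependency between the FQDN exception and DNS is visible. This is an added example written for this thread, not Sophos XG code or configuration exported from it: the client address 192.168.1.50 stands in for the "iPad" host object, the trailing "Allow LAN to WAN" rule is an assumed stand-in for whatever rule lets the rest of the LAN out, and the flows are constructed. It deliberately does not model the separate-DNS-rule variant, whose behaviour the thread leaves unexplained.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

CLIENT = "192.168.1.50"            # constructed stand-in for the "iPad" host object
DNS_SERVERS = ("1.1.1.1", "8.8.8.8")  # the resolvers named in the thread


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str                       # destination IP, or the FQDN once it is resolvable
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                    # "accept" or "reject"
    src: Optional[str] = None      # None = any source
    dst_exclusions: tuple = ()     # IPs or wildcard FQDNs this rule must not apply to
    svc_exclusions: tuple = ()     # (proto, port) pairs this rule must not apply to

    def matches(self, f: Flow) -> bool:
        """An excluded destination or service makes the flow fall through to the next rule."""
        if self.src is not None and f.src != self.src:
            return False
        if any(fnmatchcase(f.dst, pat) for pat in self.dst_exclusions):
            return False
        if (f.proto, f.dport) in self.svc_exclusions:
            return False
        return True


def evaluate(policy, f: Flow):
    """First matching rule decides; a flow no rule matches is dropped."""
    for r in policy:
        if r.matches(f):
            return r.action, r.name
    return "drop", "default"


def browse(policy, fqdn: str, dns_server: str = DNS_SERVERS[0]) -> str:
    """Outcome of the client opening https://<fqdn>. The name lookup has to pass the
    policy first; until it does, an FQDN exclusion has nothing to match against."""
    dns_action, _ = evaluate(policy, Flow(CLIENT, dns_server, "udp", 53))
    if dns_action != "accept":
        return "dns-blocked"
    web_action, _ = evaluate(policy, Flow(CLIENT, fqdn, "tcp", 443))
    return web_action                  # "accept" or "reject"


# Assumed existing rule that lets the rest of the LAN reach the WAN (not stated in the thread).
ALLOW_ALL = Rule("Allow LAN to WAN", "accept")

# First attempt from the thread: reject the client, exception for *.google.com only.
REJECT_ONLY = [
    Rule("Reject iPad", "reject", src=CLIENT, dst_exclusions=("*.google.com",)),
    ALLOW_ALL,
]

# Working layout: the DNS servers, the DNS service and ICMP added to the reject rule's exclusions.
WORKING = [
    Rule("Reject iPad", "reject", src=CLIENT,
         dst_exclusions=("*.google.com",) + DNS_SERVERS,
         svc_exclusions=(("udp", 53), ("icmp", None))),
    ALLOW_ALL,
]

if __name__ == "__main__":
    for label, policy in (("reject-only", REJECT_ONLY), ("working", WORKING)):
        for site in ("www.google.com", "www.example.com"):
            print(f"{label:12} {site:18} -> {browse(policy, site)}")
```

With the reject-only layout every lookup towards 1.1.1.1 hits the reject rule, so the client never gets far enough for the `*.google.com` exception to apply; with the DNS servers and service excluded, Google is reached and everything else is still rejected.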

  • I suspect part of the issue is the XG is not part of your DNS chain. You should be pointing the device DNS at the XG DNS and then point the XG DNS at your choice of DNS providers.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
