Trying to block IP address on my LAN using firewall but when I do it blocks all of the LAN network addresses


#1

Here is what I’m trying to do. I want to build a VyOS router/firewall for home. I want to set parental controls by filtering my son’s devices using the IP addresses or MAC addresses of his devices. Currently, I have this set up on VirtualBox for testing before I build it. Whenever I try to block the 192.168.10.54 address it also blocks the other virtual machine I have set up.

Hi, here is my setup:

eth1 is lan - 192.168.10.0/24
eth0 is wan - dhcp
Linux box on lan - 192.168.10.54
Linux box 2 lan - 192.168.10.50

I applied this rule to the IN on eth1:
set interfaces ethernet eth1 firewall in name fwtest-1

I created a rule to block local IP 192.168.10.54:

name fwtest-1 {
    rule 2 {
        action reject
        source {
            address 192.168.10.54
        }
    }
}

vyos@vyos# sh nat source
rule 1 {
    outbound-interface eth0
    source {
        address 192.168.10.0/24
    }
    translation {
        address masquerade
    }
}

Any help would be appreciated.
Thanks


#2

Hi chappyca,

Filtering by MAC or IP is not effectively locking out anybody, it’s just an obstacle, nothing else. I’m against any censorship in general when it comes down to that type of stuff. I’m only writing about the technical aspect, just want to make that clear.

Do you want to block all traffic ingress on eth1?
Is rule 1 attached to interface eth1?


#3

Hi Hagbard,

Thanks for your quick response. After playing around all night, I think I figured it out. I will post my config below:

name fwtest-1 {
    rule 3 {
        action reject
        log enable
        source {
            address 192.168.10.52
        }
        time {
            starttime 13:59:00
            stoptime 14:59:00
        }
    }
    rule 10 {
        action accept
        source {
            address 192.168.10.0/24
        }
    }
}
state-policy {
    established {
        action accept
    }
    related {
        action accept
    }
}

I believe my issue was I needed to have a following rule to allow the rest of the network to connect. I also added in a time range which is working.
Thanks,
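The same policy written as VyOS configuration-mode `set` commands, as an added example that is not the poster’s own config. It uses the interface and addresses from this thread and shows the ruleset-level `default-action` as an alternative to the trailing accept rule; without either, a ruleset whose only rule is a reject falls through to the built-in drop default, which is what took the whole LAN offline in post #1.

```vyos
configure

# Ruleset-level default: anything not matched by a rule is accepted.
# The built-in default is drop, so a lone reject rule blocks every host.
set firewall name fwtest-1 default-action accept
set firewall name fwtest-1 description 'LAN parental controls'

# Reject one host, with logging, only inside the time window.
set firewall name fwtest-1 rule 3 action reject
set firewall name fwtest-1 rule 3 log enable
set firewall name fwtest-1 rule 3 source address 192.168.10.52
set firewall name fwtest-1 rule 3 time starttime 13:59:00
set firewall name fwtest-1 rule 3 time stoptime 14:59:00

# Global state policy: let replies to already-established sessions through.
set firewall state-policy established action accept
set firewall state-policy related action accept

# Attach to traffic entering eth1 that is forwarded through the router
# ('in'); traffic addressed to the router itself is governed by 'local'.
set interfaces ethernet eth1 firewall in name fwtest-1

commit
save

# Check that the rule is actually matching: counters on rule 3 should
# climb while the host generates traffic inside the window.
run show firewall name fwtest-1 statistics
```

Watching the rule-3 counters and the log entries is the quickest way to tell whether the time window is being applied or the rule is being skipped.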


#4

After double checking this rule, I noticed the time starttime is not working. As soon as I enter the time into the rule it bypasses the rule. Is this a bug? I have the timezone updated to the correct time. I checked the date on the VyOS system to test and it is not working as it should.
If I remove the time part the firewall will block 192.168.10.52. As soon as I enter the time part into the rule it bypasses the rule.
Weird, I’m a newbie to VyOS. I’m probably missing something. Any help appreciated.


#5

Hi chappyca,

if your goal is keeping your kid away from undesirable content (as a parent I can sympathize) while still allowing internet access, I’d recommend looking at a filtering proxy solution. Google on “DansGuardian” which uses a squid proxy and managed blacklist/whitelist.

Maybe you could set up all traffic to go through the filtering proxy by default and use vyos settings to allow certain devices unlimited access… just a suggestion.

Good luck.

DRC