Firewall/NAT

Hi, I have managed to setup M0n0wall on my soekris net 4501.
All is working well.
I want to be able to block traffic (web port 80) for 1 IP address.
This is my setup
(http://www.tcscomputers.be/monowall.png)
I want to be able to have ip 192.168.11.49 not to use the internet. He however can use to network for local resources.
I tried to add firewall rules. Block port 80 on ip 49 But when I google everything keeps working.
What do I do wrong??
(http://www.tcscomputers.be/rules.png)

Specifying source port is almost always the wrong thing to do, and in this case it is wrong.

Change the source port to Any and the destination port to 80.

A setup like you are doing will not prevent users from using proxies to get around your rules.

What can I do for users not to get around my rules??

Also change the destination to 11.49 won't get me to block internet for this computer.
(http://www.tcscomputers.be/rules2.png)

Looks like that Linksys router you've got behind m0n0wall is doing NAT, so the only IP address m0n0wall will ever see on its LAN port is 10.0.0.40. Obviously, your block rule won't work then.

Either get rid of the Linksys, or configure it in such a way that it doesn't do NAT (which may then mean that you'll have to add a static route to your m0n0wall so that it can reach the network behind the Linksys). Or block that user's web access on the Linksys (if possible).

When I disable NAT on the linksys router. I cannot longer surf the internet.
Where do I setup the Route? Do I make a route on the firewall side? Or do I make the route on the Linksys Side?

Both have the option in them to set a route. Or do I need to set a route in Both?

When you disable NAT on a Linksys (or similar) router, you are placing it in routing mode. The problem you are going to have then is that if you do not have public IPs on both of its interfaces, you cannot use the internet because the private IPs you can use are not routable over the network.

The problem you are going to have then is that if you do not have public IPs on both of its interfaces, you cannot use the internet because the private IPs you can use are not routable over the network.

Sorry but this is not correct.  The Mono is still performing NAT. The problem is the rules on the mono. You have allowed your LAN out, but to the Monowall, it's LAN network is 10.0.0.0/24.  Your simplest option is to replace the Linksys router with a network switch.  However to get it working with your existing setup, what you need to do, is first add a static route on the Mono to 192.168.11.0/24 gateway 10.0.0.40 and also enable "Bypass firewall rules for traffic on the same interface" in the advanced page.  Next you can add the rules to allow and block your traffic, but you will have to enter the network manually rather than picking LAN network from the drop down.