Rules + Schedules Ineffective?
-
I guess it works for me since I am blocking an iPod which doesn't keep keep a connection all the time. Turns off the radio to save power I am guessing. I will keep this thread in mind if I ever need to do this.
-
Ran a test. Created a PASS rule for 15 minutes that allowed Teamspeak to connect. Modified the BLOCK rule to stop ALL Teamspeak traffic. Prior to the 15 minute window, access was blocked. During the 15 minute window, access was permitted and wait for it….......AFTER the 15 minute window expired, access was still permitted. :-\ To check that the rules are correct and will stop, I reset the states and bingo! No connection.
Next I will try a similar approach on the WAN side of the network as per comments I made above.
EDIT:::::
OK. Tried the WAN Rule and same results. TS still persists. Then to test that I don't have a stupid rule somewhere (there are only 4 to review) I reset the state so that if a rule WAS letting the traffic through, it would still do so but resetting kills the link! I can only draw the conclusion that the rules work and are applied in the right order.NEXT was to try the dangerous option above setting the state to "NONE" in advanced. Same result. TS still persists. Reset states and POP! No connection. Further, the connection remains down until the allow window comes around and it connects and remains connected even when the allow window closes and the block rule ought to apply.
I have even tried the States=NONE in advance on the WAN side.
Resetting the rules, then rebooting has not helped.
-
What version are you running?
-
What version are you running?
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6Copied from the Dashboard.
More information. Other rules that should have prevented TS from gaining access failed along with other rules such as those to block ARMA. Also, I had posted a thread weeks ago about Minecraft getting past - which it still does.
Since the Minecraft post, I have reinstalled (three times) pfSense and have duplicated the problem after each reinstall. Is pfSense broken?
Only two NICs in the box. Modem cannot be reached - tried and checked. IP addresses are mapped to MAC addresses and a block that prevents unauthorised IP addresses from getting out - so that option is deleted. When I capture packets or watch how the LAN connects, the IPs in the alias are those that connect successfully and retain their connection when the schedule expires.
Not sure what else I can offer…..............
-
Anyone have a fix for this? I have the same trouble with Minecraft and others. When the scheduled time to block Minecraft and many other sites arrives any open sessions continue… If you disconnect it will correctly block any new connection attempts until the rule is no longer 'scheduled'.
I have a client that has had trouble with some WiFi Squaters on the their open connection and I am able to successfully block any new connections after hours but open connections remain.
Any ideas? Thanks!
BTW - running 2.0.1
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6 -
Same problems here. The rules prevent new connections, but do not interrupt connections already in progress.
So most anything at Google using Chrome will continue to work after the blocking schedule because it
does everything over a single connection.Trying the state tracking:none next.
-
Same problems here. The rules prevent new connections, but do not interrupt connections already in progress.
So most anything at Google using Chrome will continue to work after the blocking schedule because it
does everything over a single connection.Trying the state tracking:none next.
Yes - I have been able to do the same thing. New connections blocked, current connections persist. Is pf broken or a bug or???
-
Please post a screenshot of your rules.
Most probably the ordering of the rules is wrong.If you follow the explanation of cmb it will work.
-
I just tried to set this up for myself and also can't make pfSense disconnect SOME active connections when the allowed schedule time runs out.
I am using pfSence 2.0.1 12/14/11 and I have attached a screen shot of my rules.
The Always Allowed rule includes a list of IP addresses that are always allowed (AlwaysOut). This works as expected.
The Allow Internet rule is just as simple as it looks. It allows Internet access during the 'School Allowed' schedule. It works to allow access but does not cut off SOME of the already established connections.
The No Internet rule basically just stops everything - overriding the default allow LAN to any rule.
The problem is that the Allow Internet rule will allow some things to stay connected. Skype and Minecraft for example will stay connected after the schedule should take the rule out of play as do already established Minecraft server connections. New connections are blocked. Most streaming radio but not all do drop once the schedule takes the rule in-active.
Am I just doing something stupid or is there a problem with pfSense?
-
I have this EXACT problem with pfSense 2.0.1 (i386), trying to schedule my son's access to the internet. World of Warcraft connections still persist after my block rule has been turned on by the scheduler (which sits above all other rules for the LAN interface) until my son logs out. Has anybody figured out a fix for this??
-
Problem is that 2.01 don't cut existing network sessions.
I haven't tested 2.1 yet, but if I recall correctly JimP have said that should do the work.Have you tested to do filter reload, after this scheduler kicks in?
-
Just another Dad here facing the same online addiction issue of my son.
Version -
2.0.2-RELEASE (i386)
built on Fri Dec 7 16:30:14 EST 2012
FreeBSD 8.1-RELEASE-p13Packages:-
HAVP antivirus 0.91_1 pkg v1.01
Lightsquid 1.8.0 pkg v.2.32
squid 2.7.9 pkg v.4.3.3
squidGuard 1.4_4 pkg v.1.9.2I have been playing with pfsense for about a month. Everything works like a charm except time based restriction. My son plays a lot of online games and I cannot get his butt off the computer. I'm the IT guy in the house and my wife is the boss. Anyway, we want to setup a time restriction access on the online games but allow WWW access so he can do his homework (well, really ?) I have put over 12+ hours on trying everything to get it to work to no avail. I've been read many discussions but just found this thread an hours ago. I'm glad this is not just me finding the problem. In fact, I have observed the exact same thing as you guys said here. Regardless of "pass" or "block" rule, the existing state will not be killed. Under System\Advance\Misc, the "schedule state" is NOT check, meaning it should clear the state when time definition expires. However, it is not working as it should. Basically, it just let the current state live forever. I can duplicate this 100%.
I also tried the time base ACL in squidguard. But it basically only filter HTTP traffic…..
I thought about using QoS to squeeze down the online game bandwith but it is not time based......
I thought about setting up an old Cisco router to throttle bandwidth just for him but config is clumsy especially when the boss ask me to adjust time of blocking......
I have no idea about what to try next. I'm really tempted to put Norton online family for time restriction. I don't prefer this way but it may the only way for now.
Anyone in this discussion has worked something out yet ?
-AC
-
There is a cron scheduler, I wander if you could setup a state flush just a minute after your block rule goes into effect.
-
Just thought I'd check in and see if anyone has been able to get pfSense to disconnect active sessions once the allowed time has expired. I read through the info on 2.1 but didn't see any mention of it.
I'll be trying it out next week sometime and will post back with the results but by the looks of the documentation the problem will still exist with 2.1… Sadly....
The scheduling feature is a good one for anyone trying to get control of their kids Internet access but it is also important in the business world... I have a client that wants to keep an open network during business hours but then shut it down when the office closes at 5:00. They still want certain machines to be live on the Internet after hours.
I have been unable to get pfSense to close the correct sessions but allow others to continue...
Here's hoping it was somehow addresses in 2.1.
-
I havent tested whether active sessions can be closed, but an alternative might be to throttle back to just 1 bit per sec as you cant throttle back to 0 which might be as good as.
Have you also seen this thread?
http://forum.pfsense.org/index.php?topic=7406.0I'm trying to find the webpage I found a while back when I wanted to do some traffic shaping which allowed me to set up rules so my website traffic has priority over lan users on a schedule and this worked well for me.
If I find it again, I'll post the link.
Edit:
I think this was the webpage I used, also note in the comments a mention of using schedules.
http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/ -
My solution look like this (attached image) using :
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013First created aliases for local ip addresses that is affected with time based restrictions. Created 2 aliases, one for allow internet and the second for stop internet. In the both aliases I put the same ip addresses. Of course dont forget to put those addresses in static DHCP lease.
Then created 2 schedules and in first added time range (05:00 - 23:59) when internet is allowed. In the second schedule added time range when internet is not allowed (00:00 - 05:00).
Be sure that option in System->Advanced->Miscellaneous - Schedules is NOT checked.
In Firewall->Rules->Lan created 2 new rules right after default anti-lockout rule.
First rule allow trafic (PASS) on interface LAN, IPv4, protocol : any, Source : alias for allow, and with schedule to allow internet. Second rule is to (BLOCK) on interface LAN, IPv4, protocol : any, Source : alias for stop, and with schedule to stop internet.
-
Does it also work without the "Allow_Internet" rule?
Without the "Allow_Internet" rule, traffic will be allowed by the ordinary "allow all on LAN" rule at times when it is not blocked. But maybe in that case the system will not know which are the states that need to be "switched off" when the block rule comes into effect.
Would be interesting to know - I should try it myself ;) -
Does it also work without the "Allow_Internet" rule?
Without the "Allow_Internet" rule, traffic will be allowed by the ordinary "allow all on LAN" rule at times when it is not blocked. But maybe in that case the system will not know which are the states that need to be "switched off" when the block rule comes into effect.
Would be interesting to know - I should try it myself ;)I tried it without that ""Allow_internet" rule and then open states remain open…. somehow.
Also I noticed that some states from floating rules remain open (sometimes) with that both allow and stop rules active.
Thinking of moving those allow-stop rules to floating or wan area to see what will happen.
-
There is a cron scheduler, I wander if you could setup a state flush just a minute after your block rule goes into effect.
Well, that's exactly what I did!
My solution is as follows:
-
Create an alias with all the IPs that should be blocked. Be also sure that you defined the corresponding static mappings in your DHCP server configuration. Let's call this alias 'Children'
-
Create a schedule named 'AccessDenied' and define it to whatever you need. In my case it's 22:00 - 07:00, each and every day.
-
Create a rule on your WAN interface like this: Action Block / Protocol Any / Source Any / Destination 'Children' / Schedule 'AccessDenied'
-
Create the reverse rule on you LAN interface: Action Reject / Protocol Any / Source 'Children' / Destination Any / Schedule 'AccessDenied'
-
As some of you already noted it, these rules will only block/reject new connections but won't kill existing one. This is because pfSense is doing 'statefull packet inspection (SPI)'. This means that, to determine if a packet should pass thru, it will first look at the existing states and then look at the firewall rules. If states shows that the packet is an answer to a previously authorized packet, it will pass thru, regardless any rule.
So, in addition of the rules we already put in place, we also need to kill all the states from any IP belonging to the 'Children' list.
I wrote the following (quick and dirty) script to do the job…for i in `pfctl -t Children -Ts` do echo "Killing states from/to $i" pfctl -k $i done
… and put in /etc as pf_KillStates. (be also sure to chmod it with the value 777)
- Finally, create a new cron job to launch /etc/pf_KillStates every day at 22:01 (1 minute after the beginning of the 'AccessDenied' schedule).
Note that it seems that the command```
pfctl -t Children -Tspfctl: Table does not exist.
Hope this will help some dads ;) PS: You may have a useful look at the pfctl manpage (as I did!) http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl
-
-
- Create a rule on your WAN interface like this: Action Block / Protocol Any / Source Any / Destination 'Children' / Schedule 'AccessDenied'
Note: This rule is not needed in any normal installation. The WAN will already have a general block at all times, and in any case there will be no traffic initiated from the real public internet with destination IPs in 'Children', because 'Children' is a bunch of private IP addresses in the LAN behind pfSense.