Netgate Discussion Forum
    How to Schedule Internet Access?

    Firewalling
Nonsense

I have five desktop computers on my home network; they all have fixed IP addresses. I would like to have my pfSense router block three of these computers from being able to access the Internet every night between the hours of 11 pm and 5 am. I understand that I will need to create a schedule and then reference the schedule via a separate firewall rule for each computer on which I desire blocking according to the schedule. I am not trying to block the computers from accessing other devices on my LAN, only the Internet (i.e., WAN).

Would someone please be so kind as to explain to me in sufficient detail how to do this, because I have tried to create a schedule and firewall rules but this has not worked. Please be as specific as possible as to all required schedule and firewall rule settings and assume nothing; call it "Create an Internet Access Schedule for Dummies," if you will.

And yes, I have already searched this forum for the answer I seek; however, I have not found it. I am using the latest nano version of pfSense.

Thank you very much for your help in this matter.
doktornotor

So post the screenshots of the rules you created. (LAN => LAN does not go through the firewall, so you cannot block that anyway.)
almabes

Like Dok said, post your LAN rules. All of them.

I set this up with my kids' devices. It works well, just ask 'em. I set up an alias I called "notkids" with all of the device IPs I wanted to be able to access the internet all the time.

I set up two pass rules.
First, an allow-all rule for the notkids alias.
Second, an allow-all rule for all IPs on my LAN, scheduled from 6A to 10P.

At 10 the streaming of screaming animes stops, DEAD.

[attachment: kids6to10.png]
2chemlud

...just to add:

Don't try scheduled BLOCK rules in the firewall: the states will survive, the internet connection is not completely broken, and any established video streams, messenger contacts, whatsoever, will survive the whole night long.

https://forum.pfsense.org/index.php?topic=93336
Nonsense

Now, after reading the above posts, I am even more confused as to how to do what I want to accomplish, because I don't want to obviate any of my existing rules (the default pfSense rules for a new installation); this is why I was hoping someone would provide detailed instructions on how to do what I want to do.

If I create a schedule which I might name "Day" that highlights all the days of the current month and the time between 5 am and 11 pm and save it, then create a firewall rule that references the "Day" schedule, has a 'pass' option, applies to the 'LAN' interface, 'IPv4' IP version, 'TCP' protocol, uses a source address of a computer 'Single host or alias' to which I want the rule to apply (with address, e.g., '192.168.1.7/127'), leave Destination as 'any', leave Destination port range blank, and fill in a description, would this work without negating my other existing rules for the computers (assuming I would need to create a similar rule for each computer I desire to be on the schedule)?
doktornotor

1/ Use an alias for the computers you want covered and use that as the source.
2/ TCP != internet. It won't work. Even DNS will be broken. Do NOT limit that to TCP.
3/ 192.168.1.7/127 is completely invalid. IPv4 has /32 for a single host.
Nonsense

O.K., thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed, so I am unable to change it)? Should I use Source Type 'network' (which would allow me to change 127 to 32)? Should I set Protocol to 'any'? Can I use a separate rule for each computer, or do I have to use an alias; if the latter, how do I create it?
almabes

@Nonsense:

...this is why I was hoping someone would provide detailed instructions on how to do what I want to do.

Isn't that what I posted?

Post your rules, and one of us will help you. It's easy. It takes two rules, unless you have specific requirements you haven't shared.
doktornotor

@Nonsense:

O.K., thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed so I am unable to change it)?
Nonsense

O.K., so I used doktornotor's advice on how to create an alias (thank you), but do I really need to create the alias for all the devices for which I don't want the schedule blocking to apply, as almabes did, or can I just create and use the alias for the devices I want blocked per the schedule, as doktornotor seems to imply? It seems to me that the former method would turn into a bit of a headache, as I would have to add an address to the alias every time I add a new device I don't want blocked to my network. Would checking 'not' under Source in my firewall rule accomplish this, or do I really need to create two rules?
doktornotor

No, you just need one alias for the blocked devices, used to allow access on the schedule. You set up another allow rule without any schedule with source using NOT that alias.
Nonsense

Thanks, I've got to go to work now, so I'll take this matter up again this evening.
doktornotor

Now, please understand that unless you have complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.
almabes

@doktornotor:

Now, please understand that unless you have a complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.

Thus the reason for me doing it the way I did it.
I have way more than 5 devices on my network. Establishing an alias with the devices was no big deal. I also set up DHCP reservations to keep my unlimited access device IPs from potentially changing. Security and control require administration.

My old way was even more effective.
I unplugged the cable leading to their switch. Killed access immediately.
Nonsense

Mmmm... yes, well, I suppose that if there was a way to use a device's MAC address instead of its IP address the blocking might be more effective. I'm just trying to discourage my kids from staying up all night playing online games; if they are savvy enough to figure out that changing their computer's IP address might allow internet access late at night, I'll find out about it after not too long anyway. Even using almabes' method has holes in it, as, if an allowed device is shut off, then someone could use its IP address to gain access. I might just try to use one rule to block all my devices, as I seldom stay up late myself at my age.

I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?

Also, I highlighted the days of the week of the current month and set the times of day in the scheduler; will this keep the schedule in perpetuity, or do I need to do something else?

Thanks!
almabes

Mine just stay up all night playing LAN games, now... until I threaten to flip the breaker to their area, or wake their asses up at 7:00 AM with Tchaikovsky's 1812 Overture. Cannon fire at full volume can be an effective alarm clock.

Now that there's a managed switch in their area, I could just shut down their ports, too, but I like Tchaikovsky.
Derelict (Netgate)

If they're savvy enough to change an IP address they're savvy enough to change a MAC address. At least they'll be learning something.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
2chemlud

If you (DHCP) hand out IPs only to known MACs (don't allow new MACs; use static ARP) and they don't know valid MACs on the subnet that are not always turned on: how would they get internet access?
Derelict (Netgate)

All they have to do is listen for a while and they'll have all the info they need. Sure, they might have to wait for a window when the spoofable MAC is offline. It is best classified as an inconvenience, but by no means is it meaningful security.
P3R

@2chemlud:

...and they don't know valid MACs on the subnet...

Ping-sweep and check the ARP table. Then they know.

You need to isolate them to a separate network (physical or VLAN) AND prevent access to the unlimited network to have a chance.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.