How to Schedule Internet Access?
-
Like Dok said, post your LAN rules. All of them.
I set this up with my kids devices. It works well, just ask 'em. I set up an alias i called "notkids" with all of the device IPs I wanted to be able to access the internet all the time.
I set up two pass rules.
First an allow all rule for the notkids alias.
Second an allow all rule for all IPs on my lan scheduled from 6A to 10PAt 10 the streaming of screaming animes stops, DEAD.
-
…just to add:
Don't try scheduled BLOCK rules in the firewall, the states will survive, the internet connection is not completely broken, any established video streams, messenger contact whatsowever will survive whole night long
https://forum.pfsense.org/index.php?topic=93336
-
Now, after reading the above posts, I am even more confused as to how to do what I want to accomplish because I don't want to obviate any of my existing rules (the default pfSense rules for a new installation)–this is why I was hoping someone would provide detailed instructions on how to do what I want to do.
If I create a schedule which I might name "Day" that highlights all the days of the current month and time between 5 am and 11 pm and save it, then create a firewall rule that references the "Day" schedule, has a 'pass' option, applies to the 'LAN' interface, 'IPv4' IP version, 'TCP' protocol, uses a source address of a computer 'Single host or alias' to which I want the rule to apply (with address, e.g., '192.168.1.7/127'), leave Destination as 'any', leave Destination port range blank, and fill in a description, would this work without negating my other existing rules for the computers (assuming I would need to create a similar rule for each computer I desire to be on the schedule)?
-
1/ Use an alias for the computers you want covered and use that as source.
2/ TCP != internet. It won't work. Even DNS will be broken. Do NOT limit that to TCP.
3/ 192.168.1.7/127 is completely invalid. IPv4 has /32 for a single host. -
O.K, thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed so I am unable to change it)? Should I use Source Type 'network' (which would allow me to change 127 to 32)? Should I set Protocol to 'any?' Can I use a separate rule for each computer or do I have to use an alias–if the latter, how do I create it?
-
…--this is why I was hoping someone would provide detailed instructions on how to do what I want to do.
Isn't that what I posted?
Post your rules, and one of us will help you. It's easy. It takes two rules, unless you have specific requirements you haven't shared.
-
O.K, thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed so I am unable to change it)?
-
O.K., so I used doktornotor's advise on how to create an alias (thank you), but do I really need to create the alias for all the devices for which I don't want the schedule blocking to apply as almabes did, or can I just create and use the alias for the devices I want blocked per the schedule as doktornotor seems to imply? It seems to me that the former method would turn into a bit of a headache, as I would have to add an address to the alias every time I add a new device I don't want blocked to my network. Would checking 'not' under Source in my firewall rule accomplish this or do I really need to create two rules?
-
No, you just need one alias for the blocked devices, used to allow access on the schedule. You set up another allow rule without any schedule with source using NOT that alias.
-
Thanks–I've got to go to work now, so I'll take this matter up again this evening.
-
Now, please understand that unless you have a complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.
-
Now, please understand that unless you have a complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.
Thus the reason for me doing it the way I did it.
I have way more than 5 devices on my network. Establishing an alias with the devices was no big deal. I also set up DHCP reservations to keep my unlimited access device IPs from potentially changing. Security and control require administration.My old way was even more effective.
I unplugged the cable leading to their switch. Killed access immediately. -
Mmmm . . . yes, well I suppose that if there was a way to use a device's MAC address instead of its IP address the blocking might be more effective. I'm just trying to discourage my kids from staying up all night playing online games–if they are savvy enough to figure out that changing their computer's IP address might allow internet access late at night, I'll find out about it after not too long anyway. Even using almabes method has holes in it, as if an allowed device is shut off then someone could use its IP address to gain access. I might just try to use one rule to block all my devices as I seldom stay up late myself at my age.
I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?
Also, I highlighted the days of the week of the current month and set the times of days in the scheduler; will this keep the schedule in perpetuity or do I need to do something else?
Thanks!
-
Mine just stay up all night playing LAN games, now…until I threaten to flip the breaker to their area, or wake their asses up at 7:00 AM with Tchaikovsky's 1812 overture. Cannon fire at full volume can be effective alarm clocks.
Now that there's a managed switch in their area, I could just shutdown their ports, too, but I like Tchaikovsky.
-
If they're savvy enough to change an IP address they're savvy enough to change a MAC address. At least they'll be learning something.
-
If you (DHCP) hand out IPs only to known MACs (don't allow new MACs and static ARP) and they don't know valid MACs on the subnet not always turned on: How would they get internet access?
-
All they have to do is listen for a while and they'll have all the info they need. Sure, they might have to wait for a window when the spoofable MAC is offline. It is best classified as an inconvenience, but by no means is it meaningful security.
-
…and they don't know valid MACs on the subnet...
Ping-sweep and check the arp table. Then they know.
You need to isolate them to a separate network (physical or VLAN) AND prevent access to the unlimited network to have a chance.
-
By all means: If I find them whole night at their computer "doing homework" I would think about something like that.
But if I find them now and then with an offline game or translating some wiki articles for a software project I sleep pretty well with my design of security. I'm not the NSA.
And if they have considerably higher computing skills than I do, they deserve to be online :-D
There has to be some basic trust between kids and parents, otherwise your education is completely wrong. As on the level of society: If you think you have to (are entitled to) watch every step and move there is something severly going wrong on a very basic level…
-
There has to be some basic trust between kids and parents, otherwise your education is completely wrong.
It's you that talk about restricting your network, I only answered your question… ::)
Micromanaging the network down to MAC-address level means work and a hassle as soon as anything needs to be changed. That administrative effort could instead be put on logging that restrictions are obeyed. If that proves to not be enough, a separate VLAN is more effective and less work than trying to filter out specific nodes in a common LAN.
For me all of this is still some years away. My oldest is only 5 yet. :)
