Netgate Discussion Forum
    Rules + Schedules Ineffective?

    Firewalling | 53 Posts | 25 Posters | 33.0k Views
    • craigjl77

      Good Luck OzRattler, may all your overs be wicket maidens…. ;-)

      • podilarius

        I would like to see that in the base code of a rule with a schedule.
        I have used this and it works great. Thanks.

        Phil.Davis, this was not to block incoming, but to block outgoing once the block schedule was in place. While it is true that it is not needed in normal rule sets, any rule that has a schedule on it needs to have the states killed once it is supposed to be blocking, or at least an option to kill the states. I can think of a situation where the rule should not drop states. This would be in a rule sending traffic to another shaping queue. This might help make sure the correct traffic shaping is used, but would interrupt the current session, which is probably unwanted.

        • EG

          @pere:

          I tried it without that "Allow_internet" rule and then open states remain open…. somehow.
          Also I noticed that some states from floating rules remain open (sometimes) with both the allow and stop rules active.
          Thinking of moving those allow-stop rules to floating or WAN area to see what will happen.

          Pere, did you make any headway with your workaround for the "Schedule States" bug? I thought I'd re-invented your solution, but it only worked in testing. When I dropped my rules into a live environment they are failing to remove active states. I feel that I will need to hardcode a crontab script to call pfctl.

          On a side note… can anyone point me to the documentation for pfSense's version of the pfctl command?

          Err

          –
          Erreu Gedmon

          Firewalls are hard...
          but the book makes it easier: https://portal.pfsense.org/book/

          • NotAnAlias

            I'm on 2.1.5 and the issue still persists. At 8pm I want the connections to be passed over to a 2nd vpn since the first vpn gets very slow at night.

            It correctly works if I turn a machine on past 8pm, the connection goes through the 2nd vpn. However for computers already on, they don't move over.

            Is there a fix without using cron?

            • doktornotor

              @NotAnAlias:

              Is there a fix without using cron?

              Use 2.2

              https://redmine.pfsense.org/issues/3558

              • NotAnAlias

                Schedules do work properly with no hassle on 2.2 release.
                Thanks pfsense devs  :D

                • dunc

                  They still don't work quite right for me in 2.2-RELEASE. I set up a schedule for 5pm to 10pm, then created two rules: one passes TCP packets, the other passes UDP packets. Outside the scheduled time the rules don't exist and the default block rule drops packets. When 10pm rolled around, the TCP rule took effect, the TCP states were reset, and further TCP connections were blocked. But the UDP states continued operating and the game the rule was intended to disable continued running.

                  I ran pfctl -s rules from the console and the pass rules for both TCP and UDP are gone, so it's apparently just that the existing UDP states were not reset when the schedule expired.

                  • OzRattler

                    Updating that I have today moved across to 2.2 and am just fixing other minor issues, such as the Console not displaying options etc.

                    I will be watching how the Schedules go, especially since I toughened them up via CRON and flushing ALL states after the start time of any set schedule.

                    Fingers are crossed!!!!

                    Oz


                    …insanity is so confusing...

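EG (a crontab script that calls pfctl), dunc (UDP states surviving the end of the schedule) and OzRattler (flushing states from cron) all circle the same workaround; the script below is an added example, not pfSense's own scheduler code and not posted by anyone in this thread. It assumes a constructed host 192.168.1.10 with an allow window of 17:00-22:00 (dunc's window) and a root crontab on the firewall's FreeBSD /bin/sh; outside the window it removes every state involving the host with pfctl -k, which matches on address rather than protocol and therefore clears UDP states as well as TCP ones. Only with PF_ENFORCE_RUN=1 does it actually execute pfctl; otherwise the functions just compute what would run.

```shell
#!/bin/sh
# Added example (not pfSense code). Assumptions: scheduled host 192.168.1.10
# (constructed), allow window 17:00-22:00, run from the firewall's root
# crontab every minute with PF_ENFORCE_RUN=1 so that pfctl really runs.
HOST=${HOST:-192.168.1.10}
START=${START:-1700}
END=${END:-2200}

# in_window NOW START END: succeed if NOW (HHMM as a plain integer, 805 for
# 08:05) lies inside [START, END). START > END means the window wraps past
# midnight, e.g. 2200-600.
in_window() {
    now=$1; start=$2; end=$3
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# kill_cmds HOST: print the two pfctl(8) invocations that drop every state
# involving HOST, whatever the protocol. "-k HOST" kills states whose source
# is HOST; "-k 0.0.0.0/0 -k HOST" kills states from any source to HOST.
kill_cmds() {
    printf 'pfctl -k %s\n' "$1"
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

# pending_cmds NOW START END HOST: the commands due this minute. Inside the
# allow window nothing is printed; outside it the kill commands are.
pending_cmds() {
    if in_window "$1" "$2" "$3"; then
        :
    else
        kill_cmds "$4"
    fi
}

if [ "${PF_ENFORCE_RUN:-0}" = "1" ]; then
    # Current time as HHMM without the leading zero (08:05 -> 805, 00:03 -> 3).
    now=$(date +%H%M | sed 's/^0*//')
    pending_cmds "${now:-0}" "$START" "$END" "$HOST" | sh
fi
```

A crontab line such as `* * * * * PF_ENFORCE_RUN=1 /root/kill_host_states.sh` (path assumed) runs it every minute; `pfctl -F states`, the flush-all that OzRattler used, drops every state on the box, including the administrator's own sessions, which the targeted -k form avoids.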
                    • jdusablon

                      I'm on 2.2.6 and behavior persists with certain state types. I understand the logic behind the handling of states, but the schedule should work.

                      Have a son who has learned to use betternet vpn, which keeps a state open, unfortunately. In turn, this allows him full internet access after he's supposed to have it.

                      EDIT:
                      The bug that was supposed to address this (will find number and add to this post) seems not to have addressed the issue at all.

                      In System - advanced - misc (which BTW is a stupid place to bury this option), the option "schedule states" shows an unchecked checkbox by default. According to the explanation:

                      "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections"

                      The default behaviour of schedules should be as explained, but active states remain persistent after schedule block occurs.

                      Is this a reopened bug issue? I don't think the bug should be closed.

                      • Joelcento

                        pfsense - 2.2.6

                        I've removed the default allow rule and setup allow rules permitting access.

                        Works great for all but UDP.

                        There appears to be no solution so I'm now going to play with placing the default allow back in and utilising the traffic shaper to kill data flow between certain times.
                        I have my fingers crossed.

                        If there's a thread that I've missed with a solution (apart from the cron job) please let me know!

                        Thank you!

                        • thecableguy

                          Has this been fixed or has someone found a reliable work-around?

                          • gbreadman

                            I'm on 2.2.6 and still experiencing this issue: https://forum.pfsense.org/index.php?topic=108943.0
                            Waiting for a solution...

                            • thecableguy

                              Any updates?

                              I am having an issue using a scheduled block on Steam ports; states are not clearing automatically.

                              • thecableguy

                                Could someone please have a look at my LAN rules?

                                I have Steam ports as an alias 'Steam' on 2 different schedules.

                                The goal is to block Steam at a scheduled time; however, the states do not flush?

                                Am I doing something wrong?

                                (attached screenshot: Rules.JPG)

                                • thecableguy

                                  Anyone?  :o

                                  • thecableguy

                                    Anyone have an update on the UDP states issue?

                                    • thecableguy

                                      Bump?

                                      • NeoDude

                                        I'm another parent having this issue. I've set rules up to stop Internet access at 8pm, yet I can still hear my son playing and talking on Skype upstairs until I do a states reset.

                                        Home Server "Gandalf": unRAID Pro 6 | MB: ASUS Z9PE-D8 WS | CPU: Dual Xeon E5-2670 | RAM: 64GB Crucial PC-1600 ECC

                                        • KOM

                                          I just tried it in 2.4 and it seems to work.  I created a schedule for when Internet was allowed.  Next, a pass rule for one host tied to the schedule, immediately followed by a block rule for that host with no schedule.  Works until the time expires and then everything dies.

                                          • NeoDude

                                            mmm, I'm on 2.3.2, wonder if it's worth an upgrade.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.