    Scheduled blocks won't work without manual states reset

    Firewalling
    71 Posts 25 Posters 22.4k Views
    thecableguy:

      Yeah, I can get this working on a test laptop reliably with a cron task to kill off states after the schedule expires, but it doesn't work on the existing rules.

      I will delete all the rules and start fresh.

    thecableguy:

        Did you have any limiters on your rules for the iPod?

    -RYknow:

          I don't have any limiters on the iPod. Initially I was using a schedule I had created. At this point, for testing, I've gotten rid of the schedule completely and I'm just using the block rule. When I disable it for any length of time and re-enable it, the iMessage stuff still works.

          I'm going to test it some more over the weekend. I moved the iPod block to be the very first rule in the list, to see if that makes much of a difference.

          -RYknow

    thecableguy:

            I am really confused now. I deleted all pass/block rules and now the schedule works on one host but not the other?

            I even copied the rule and just changed the alias to suit the new rules…

            I'm going to default my router one more time and if that doesn't fix it, I'm going to try another product.

    twinbytes:

              I've tried several variations I found online for using a cron job to kill the states after a rule becomes active, and none of them work.  The only way to ensure Skype and active game sessions get killed after the scheduled block rules kick in is to manually reset the states in the Diagnostics menu.  It's a brand new install.

              Can someone suggest the exact spelling, with the full path, of the cron job, other than what I already tried, or maybe a different way than cron jobs, if there is one?  I've tried the following cron commands:

              /sbin/pfctl -F state
              /sbin/pfctl -k <IP on the block list>

    thecableguy:

                I can confirm:

                /sbin/pfctl -F state works sometimes (cron task)
                pfctl -F state works sometimes (cron task)
                /sbin/pfctl -k <IP on the block list> works sometimes (cron task)
                pfctl -k <IP on the block list> works sometimes (cron task)

                Both also seem to work in the Diagnostics/Command Prompt; however, nothing reliably clears established UDP states.

                After the PASS schedule expires, all states are cleared and then a few (Steam and Teamspeak in my case) immediately re-establish.

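Taking the cron commands in the two posts above one step further, here is an added example script (not code from the thread and not pfSense's own code) that kills the states for each host given on the command line in both directions and then reports whether any are left. `pfctl -k HOST` only kills states whose source is HOST; a second `-k` names the destination, so `pfctl -k 0.0.0.0/0 -k HOST` is needed for states that were opened towards the host, for example through a port forward. The state clearing thecableguy sees when a pass schedule expires does not help when a block schedule starts, so the cron kill is what removes the existing sessions, and it has to run after the block rule has been loaded, otherwise the clients (UDP ones included) simply open new states. The script path and the cron entry are assumptions; pfSense regenerates /etc/crontab from its configuration, so the entry is best added through the Cron package.

```shell
#!/bin/sh
# kill_states.sh - added example for this thread, not code from the posts
# or from pfSense. Kills pf states for each host given on the command line,
# in both directions, then reports how many states still mention the host.
#
# Assumed pfSense cron entry (add it through the Cron package, since
# pfSense regenerates /etc/crontab from its own configuration):
#   1 22 * * * root /usr/local/bin/kill_states.sh 192.168.101.111 192.168.101.112
# The one-minute offset matters: the scheduled block rule has to be loaded
# before the states are killed, or the clients simply re-open them.

# Override with PFCTL=echo for a dry run on a box without pf.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Commands needed for one host:
#   pfctl -k HOST                kills states whose SOURCE is HOST
#   pfctl -k 0.0.0.0/0 -k HOST   kills states from anywhere TO HOST
# (uppercase -K removes source-tracking entries, not states)
kill_commands_for_host() {
    printf '%s\n' "$PFCTL -k $1" "$PFCTL -k 0.0.0.0/0 -k $1"
}

kill_states_for_host() {
    "$PFCTL" -k "$1"
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# pfctl -ss prints one state per line as "proto src:port -> dst:port ...";
# count the lines that still carry "HOST:" (the colon avoids prefix matches
# such as 192.168.1.5 inside 192.168.1.50). Prints 0 when PFCTL is not pf.
remaining_states() {
    "$PFCTL" -ss 2>/dev/null | grep -F -c -- "$1:" || true
}

main() {
    for host in "$@"; do
        kill_states_for_host "$host"
        echo "$host: $(remaining_states "$host") state(s) left"
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

`PFCTL=echo ./kill_states.sh 192.168.101.111` prints the commands instead of running them, which is a cheap way to check the cron line before trusting it at 22:01; on the firewall itself, `pfctl -ss | grep 192.168.101.111` before and after the run shows whether anything survived.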
    twinbytes:

                  Thanks to a lot of my own trial and error, I have figured out why it doesn't work for me and how I can make it work.

                  If I have the schedule block at 10pm at night and schedule the cron job to clear a specific IP states at 10:01pm it doesn't work.

                  If I change the cron job to run at 1 minute past the hour for every hour, it works!

                  To confirm the obvious, yes, my computer time and pfSense times are correct, and I've run the test several times.  I've now run a 4pm scheduled block with cron set to run at 1 minute past every hour and it worked immediately. I had tried before with a 3pm scheduled block and the same cron job set to run at 3:01pm.  It doesn't work.

                  So for some reason, cron doesn't recognize the specific hour!  It's in 24 hour clock military time.  I haven't checked if I can do 12 hour clock time if it's possible.  But I obviously have the Cron job programmed correctly and everything else correct as the only difference that makes it work is specify to run the job every hour at 1 minute past the hour, rather than at the specific time.  This is not a good solution as it can cause interrupts every hour.

                  I expect to be the first person to find the solution to this as no one has an answer anywhere I could find.  Please prove me wrong and beat me to it.

    twinbytes:

                    I managed to get cron to work without saying * for the hour.  I found out that although the schedule runs at 1800 hours (6pm) I have to schedule Cron to run at 2201 hours for it to think it is 1 minute past the hour.  It then successfully runs the cron job 1 minute after the scheduled job and clears the state table.  So for Cron to run the job 1 minute after the scheduled rule, I have to actually program Cron to run 4 hours and 1 minute after the scheduled rule.

                    My question now is why does Cron think it is 2200 hours when it is 1800 hours?  In other words, why does Cron think the time is 4 hours ahead of what the schedule does?

    thecableguy:

                      @twinbytes: My question now is why does Cron think it is 2200 hours when it is 1800 hours?  In other words, why does Cron think the time is 4 hours ahead of what the schedule does?

                      Have you set the timezone correctly? - System/General Setup.

    twinbytes:

                        @thecableguy: Have you set the timezone correctly? - System/General Setup.

                        Yes, the time zone is correct in General setup.

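One way to settle the "cron is four hours ahead" question without guessing at hours is to let cron and an interactive shell each log what their clock says and compare the two entries. The script below is an added example (not from the thread and not pfSense code); its path, its log file and the cron entry are assumptions. The offset helper turns the numeric zone from `date +%z` into minutes, so an observed gap can be expressed exactly: the four hours twinbytes measured is what a cron environment running at UTC would show against a schedule evaluated at UTC-4. If the two log lines disagree on the zone, the fix is to make both use the same clock rather than to shift the cron hour.

```shell
#!/bin/sh
# cron_tz_check.sh - added example for this thread, not from the posts or
# from pfSense. Run it once from an interactive shell and once from cron;
# if the two log lines disagree on zone or hour, the firewall schedule and
# cron are not reading the same clock.
#
# Assumed cron entry (add it through the Cron package):
#   1 * * * * root /usr/local/bin/cron_tz_check.sh cron
LOG="${CRON_TZ_LOG:-/tmp/cron_tz_check.log}"

# Convert a `date +%z` string such as "-0400" or "+0530" into signed minutes.
utc_offset_minutes() {
    off="$1"
    sign="${off%"${off#?}"}"            # first character: + or -
    rest="${off#?}"
    hh="${rest%??}"                     # first two digits (hours)
    mm="${rest#??}"                     # last two digits (minutes)
    mins=$(( ${hh#0} * 60 + ${mm#0} ))  # strip a leading zero so 08 is not read as octal
    if [ "$sign" = "-" ]; then
        echo "-$mins"
    else
        echo "$mins"
    fi
}

# Minutes by which cron's clock reads ahead of the schedule's clock, given
# the two zones' +%z offsets: SCHEDULE_OFFSET CRON_OFFSET.
offset_difference_minutes() {
    echo $(( $(utc_offset_minutes "$2") - $(utc_offset_minutes "$1") ))
}

# Append one line: who ran it, local time, UTC time, numeric zone, TZ env.
record_clock() {
    who="${1:-shell}"
    printf '%s local=%s utc=%s offset=%s TZ=%s\n' \
        "$who" "$(date '+%Y-%m-%d %H:%M:%S')" "$(date -u '+%H:%M:%S')" \
        "$(date +%z)" "${TZ:-unset}" >>"$LOG"
}

if [ "$#" -gt 0 ]; then
    record_clock "$1"
fi
```

Run `./cron_tz_check.sh shell` by hand, wait for the cron entry to fire, then `cat /tmp/cron_tz_check.log`: the `utc=` fields must match to the minute and the `offset=` fields must be identical. Two different `offset=` values mean the cron daemon and the shell are in different zones, and `offset_difference_minutes` on those two values gives the gap in minutes.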
    twinbytes:

                          I saw another discussion someone wrote to use the following code but it doesn't work for me.

                          pfctl -k x.x.x.x/24                 # kill states whose source is in that network
                          pfctl -k 0.0.0.0/0 -k x.x.x.x/24    # kill states from anywhere to that network

                          I assume if my pfSense box is 192.168.1.1 that the x.x.x.x should be that IP address?  Or is there something else I should be doing?  That thread is closed to comments or I'd ask there.

    twinbytes:

                            Since killing the state table by IP, even by manually pressing the button, is unreliable and the only method is resetting the entire firewall state table manually, I've set a scheduled reboot using cron, which works perfectly.  I know it's not the ideal solution, rebooting the server every night, but I need results and this is the only reliable method.
                            /sbin/shutdown -r now

                            I hope pfsense will have a patch to fix clearing the state tables by ip address.

    thecableguy:

                              @twinbytes: I hope pfsense will have a patch to fix clearing the state tables by ip address.

                              I can't believe we are the only people who want this 'feature', I would expect pfsense to be capable of what the $100 routers seem to do quite well.

    n3by:

                                You are not alone, and this is a very old problem on pfSense… this thread alone is 3 years old.
                                In time, what you can't fix you learn to live with, or if you can't, then you try to find a solution that works for your needs.

                                This is how it finally works for my kids, see the attachment:

                                • allow DHCP only to this VLAN/firewall.
                                • allow DNS & NTP only to this firewall.
                                • deny access to this firewall for all client except admin IP...

                                legend:
                                inet lucia = Mon-Sun 12:00-12:30 / Mon-Fri 19:00-20:30 / Mon-Sun 14:30-17:00 ( school )
                                vacanta = every day 06-23 ( no school )
                                zilnic = every day 06-22:15

                                p.s.
                                extra cron script to kill states;
                                don't forget to make the script executable (chmod +x)
                                ...
                                15-30 22 * * * root /usr/local/bin/pf_stop_tablete_copii.sh

                                #!/bin/sh
                                # note: pfctl -K (uppercase) kills source-tracking entries for the host;
                                # the flag that kills the host's states is -k (lowercase)
                                /sbin/pfctl -K 192.168.101.111
                                /sbin/pfctl -K 192.168.101.112

                                (attachment: schedule.jpg)

    twinbytes:

                                  @ecfx:

                                  • allow DHCP only to this VLAN/firewall.
                                  • allow DNS & NTP only to this firewall.
                                  • deny access to this firewall for all client except admin IP...

                                  extra cron script to kill states,
                                  ...
                                  /sbin/pfctl -K 192.168.101.111
                                  /sbin/pfctl -K 192.168.101.112

                                  Thanks, I'm not sure this all makes sense to me, but it looks like an uppercase K where I was using a lowercase k?
                                  Also, to allow DHCP, DNS, NTP only to this firewall, I'm not sure where to set those rules?

    n3by:

                                    See the attachment.

                                    I also have a DNS server in another LAN, 192.168.22.16, for the kids that filters DNS with Pi-hole and forwards requests to OpenDNS (Family Shield… adult content...), so I also had to allow OpenDNS directly, just in case my server is offline.
                                    Local DNS/NTP is your LAN interface IP and 127.0.0.1.

                                    (attachment: Untitled.jpg)

    twinbytes:

                                      Odd thing: my router didn't reboot tonight at 10:05pm as scheduled (which I had set to 2:05am because it was running 4 hours ahead previously).  I tried setting the correct time and now it works.  It seems to have fixed itself.  Very weird, but I thought I'd share that the problem is solved.
                                      Just need to test more with rules to avoid rebooting.

    thecableguy:

                                        Have you tried OPNsense? It has the latest BSD.

    twinbytes:

                                          @thecableguy: Have you tried OPNsense? It has the latest BSD.

                                          I haven't tried OPNsense, but honestly I just set up pfSense and want to give it a fair shot.  I switched from IPFire, which was having more problems.  pfSense seems much better than IPFire so far, although it has the same challenges with removing states after scheduled blocks without rebooting.  The good news is that with pfSense I can at least schedule a reboot, where with IPFire I couldn't do that.

                                          With more time I'll learn more tricks I can share. :)

    thecableguy:

                                            @twinbytes: With more time I'll learn more tricks I can share. :)

                                            Looking forward to it as I am almost out of hair!  ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.